--- name: reference_alis_medtelligent description: ALIS (Medtelligent assisted-living EHR) API + staff-import facts for Cascades Tucson — auth quirk, read-only staff, web-UI import path. Use the `alis` skill. metadata: type: reference --- ALIS = Medtelligent's assisted-living EHR (Cascades of Tucson client). All API traffic goes to the shared host **`api.alisonline.com`** (the tenant URL `cascadestucson.alisonline.com` is just the login subdomain), scoped by the user's company + a `communityId`. **Cascades = communityId 622** (the only community this credential sees). Use the **`alis` skill** — don't hand-roll the API. **Auth (verified live 2026-06-29):** `POST /user/tokens` with `{username, password}` → JWT (`accessToken` ~1h) + `refreshToken`; send `Authorization: Bearer `. The **username MUST be tenant-qualified**: `howard.enos@cascadestucson` works; bare `howard.enos` returns HTTP 400. Login creds in vault: `clients/cascades-tucson/alis-api-howard-user` (Howard's password was exposed in chat 2026-06-29 — flagged to rotate). Other ALIS vault entries: `alis-api-microsoft-basic` (BasicAuth used by Microsoft), `alis-sso-app-registration`. Global API security is OR(Bearer|BasicAuth|VendorKey) — a user JWT alone authorizes reads. **Staff are READ-ONLY via the API** — only GET endpoints exist (`/v1/integration/staff?communityId=622` etc.); no create/update/delete. **To create/change staff (and their logins) you upload a 13-column .xls in the ALIS web UI: Staff → Import.** That import sets Login Enabled + Password, so it's also how staff logins are provisioned. The `alis` skill builds that workbook from a CSV/JSON and infers each new hire's Security Roles from how existing staff of the same Job Role are set up (job-role → security-role map learned from live data; 23 real security roles, Job Role is free text). The API *does* allow writes for residents/prospects/billing (not staff). **Import format (confirmed from a real ALIS export, ALIS_Staff_Update_Import.xls):** two layouts. CREATE (new staff) has a Password column + NO ALIS ID — rows without an ALIS ID are created. UPDATE (existing staff) leads with **ALIS ID** (the staffId, the match key) + no Password. So present-ALIS-ID = update, absent = create. **Dates are MM/DD/YYYY.** Security Roles are comma-separated multi-values; the `alis` skill infers the full typical combo per job role from current staff. Still test ONE row first before a bulk run. Related: [[reference_resource_map]], [[feedback-vault-every-credential]].