Ipseity™ Identity and Application Role Manager

Ipseity: (ip-SAY-i-ty)   Definition: selfhood; individual identity, individuality

The Need

Modern enterprise-level, shared applications can have thousands to millions of users spanning hundreds to thousands of locations. Each application can have many roles, and a single user can assume one or more of these roles.

For example, a Virtual Learning Environment (VLE) could be hosted at a regional service center that manages the application for 3,000 schools. Attending these schools are 1.8 million learners, 200,000 teachers and there are about 2 million parents that need access to the system.

Typically, the application will have a provisioning interface administered either centrally or from each of the schools.

Being a developer of several applications, we at Visual Software had this same issue: how do we keep track of potentially millions of users in several roles using many applications with data that comes from thousands of locations? We began to answer this question by looking at the resources with which we had to work...

Leveraging the SIF Infrastructure

SIF already does a good job of distributing information about the potential users of these applications (this is why many of these applications implemented SIF agent interfaces: it allows them to collect information automatically about their users, i.e. learners, teachers and contacts).

Next, we combined this information with our Identity Management foundation (and optional Active Directory SIF agent).

(This uses the collected information to assign and manage identities as well as the Active Directory accounts that are used to gain access to the network.)

Then, we created an easy-to-use interface where users can manage applications, the roles they support, and the assignment of users to these roles.

Lastly, we created an Identity/Role web service interface that could easily be accessed by applications that wanted to do things such as checking to see what role the currently logged in user has for a particular application for a given scope (school).

(This picture is a high-level diagram. The MIS (Management Information System) is the UK name for a Student Information System, the application that stores and manages student information. Many of the SIF architecture details have been omitted.)

SIF or No SIF?

We realize that some environments will be completely SIF-enabled and some won't, but most will be at some stage in between. For this reason, we built this entire environment so that Ipseity's input can be:

The Identity Management Component

Ipseity manages identities for applications and directories and supports the SIF guidelines for publishing identity information to other applications. Identity names can be assigned using several different algorithms, including any of the information collected for the user (names, birth dates, local identifiers, etc.).

Combined with Envoy, our Identity Management solution can use Managed Virtual Zones to ensure that only a single identity is assigned to:

...even if the information is received from different Student Information Systems (or MIS systems in the UK) with unmatched SIF RefId values.

The Directory Management Component

Creating Accounts and Directories

The SIF agent is built using Visual Software’s configurable SIF agent, ZIAgent™. This SIF agent subscribes to the following objects:

United States
  • LEAInfo
  • SchoolInfo
  • StudentPersonal
  • StudentSchoolEnrollment
  • StaffPersonal
  • StaffAssignment
  • EmployeePersonal
  • EmployeeAssignment
  • StudentContact
  • StudentContactPersonal
  • StudentContactRelationship
  • StudentSectionEnrollment

United Kingdom
  • LAInfo
  • SchoolInfo
  • LearnerPersonal
  • LearnerSchoolEnrolment
  • WorkforcePersonal
  • ContactPersonal
  • LearnerContact
  • LearnerGroupEnrolment

Australia
  • LEAInfo
  • SchoolInfo
  • StudentPersonal
  • StudentSchoolEnrollment
  • StaffPersonal
  • StaffAssignment
  • StudentContactPersonal
  • StudentContactRelationship

…and any other objects where the user would need to attach business rules. For example, in the UK, a business rule could be attached to the TeachingGroup SIF object that would add all teachers in this group to an Active Directory group.

This SIF agent publishes one object: the Identity SIF object.

Depending on which business rules are activated, the SIF agent can perform a number of functions:

  1. It collects information from LAInfo, SchoolInfo, LearnerPersonal and LearnerSchoolEnrolment and uses this information to:
    • create a new ID (or IDs) – it also checks to make sure that this ID has not already been used, and if it already has, it goes through a sequence to try again
    • use this new ID to create an Active Directory account for the learner
    • use the same ID to create a home directory for the learner (this may be located on a central SAN or on a server at the school)
    • add the new user to appropriate AD groups depending on the school enrollment and other characteristics found in the information already collected
    • set up the new user’s home directory by copying default files (if so configured) and setting up default permissions
  2. It collects WorkforcePersonal information and does similar actions for teachers
  3. It collects ContactPersonal and LearnerContact information and does similar actions for contacts
  4. When it receives LearnerGroupEnrolment messages, it adds learners to the Active Directory groups that may have been established for the associated course groups

What about Learner Moves?

A learner moving from one school to another is a very common occurrence within a school system and ends up being a significant amount of tedious effort for an IT department when totaled up over the course of a school year.

When the SIF agent sees what looks like a learner's school-to-school move, it does what an IT department would likely do:

  1. Move the learner account from the old OU (belonging to the old school) to the new OU (the one belonging to the new school)
  2. Remove the learner from any old AD groups and add the account to the new AD groups according to the rules that apply to the new school
  3. Move the contents of the home directory from the old school's server to the new school's server and change the permissions on all the files to those appropriate for the new school
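The ID-assignment rules in the business-rule list above and the learner-move steps just listed, as an added example that is not Ipseity's own code: the Learner and Directory types, the group-naming rule and the home-directory path layout are assumptions, and the directory is an in-memory stand-in for Active Directory.

```python
from dataclasses import dataclass, field

@dataclass
class Learner:
    first: str
    last: str
    birth_year: int
    school: str  # school code from the enrolment message, e.g. "SCH001" (constructed)

@dataclass
class Directory:
    """Constructed in-memory stand-in for Active Directory."""
    accounts: dict = field(default_factory=dict)  # user id -> account record
    used_ids: set = field(default_factory=set)    # every id ever issued

def school_groups(school):
    """AD groups a learner at this school belongs to (hypothetical naming rule)."""
    return {f"{school}-Learners", "All-Learners"}

def assign_id(d, learner):
    """Build an id from name and birth year; on collision append 1, 2, ... until free."""
    base = f"{learner.first[0]}{learner.last}{learner.birth_year % 100:02d}".lower()
    candidate, n = base, 0
    while candidate in d.used_ids:   # never reuse an id, even for identical names
        n += 1
        candidate = f"{base}{n}"
    d.used_ids.add(candidate)
    return candidate

def provision(d, learner):
    """Create the account, its group memberships and a home directory path."""
    uid = assign_id(d, learner)
    d.accounts[uid] = {
        "ou": f"OU=Learners,OU={learner.school}",
        "groups": school_groups(learner.school),
        "home": f"\\\\{learner.school}-fs\\home\\{uid}",  # assumed per-school file server
    }
    return uid

def move(d, uid, old_school, new_school):
    """School-to-school move: new OU, swap school groups, relocate the home directory."""
    acct = d.accounts[uid]
    acct["ou"] = f"OU=Learners,OU={new_school}"
    acct["groups"] = (acct["groups"] - school_groups(old_school)) | school_groups(new_school)
    acct["home"] = f"\\\\{new_school}-fs\\home\\{uid}"
    return acct
```

Groups not tied to the old school (here All-Learners) survive the move, while the old school's groups are dropped so the account keeps no stale access.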

The Application Role Management Component

This part of the application allows its users to manage other users' roles for installed applications across an enterprise. It uses information collected through the SIF interface, identities created through the Identity Management part of this application and any other information provided through its Web Services interface to determine the user base from which to assign roles.

This is an example of the Ipseity user interface home screen.

This screen allows administrators to:

For the already managed applications, it also allows the administrator to view statistics showing how many users are provisioned in each school and for which role.

Under the "collected info" tab, there are pages that display the information that has been collected through Ipseity's input sources (the SIF interface and/or the Web Services interface).

The "audits" interface allows the user to see all of the activity that has been generated by the system, either through this user interface or through the Web Services interface.

The "about the web service" tab (optionally) gives the user interactive access to the Web Service calls, so that single users may be added, users may be assigned to a "scope" (a school or a SIF zone, whichever is smaller), etc. There are presently 16 Web Service calls in the interface that give an application access to a variety of functions and let it query its data in a number of different ways.

Provisioning an Application

To provision a new application, the user is presented with a simple-to-use wizard interface. Before it reaches the first page, it recognizes who is logged in (see the "Welcome" notice at the top-right of the screen) and scopes the list of schools presented so that only those available to this account will appear.

The following "screen deck" shows you the steps a user would need to go through to provision roles for an application for several schools at a time:

For more information, please give us a call on one of the phone numbers below or send us an information request at: Contact Us