Modern enterprise-level, shared applications can have thousands to millions of users spanning hundreds to thousands of locations. Each application can have many roles, and a single user can assume one or more of these roles.
For example, a Virtual Learning Environment (VLE) could be hosted at a regional service center that manages the application for 3,000 schools. Attending these schools are 1.8 million learners and 200,000 teachers, and there are about 2 million parents who need access to the system.
Typically, the application will have a provisioning interface administered either centrally or from each of the schools.
As a developer of several such applications, we at Visual Software faced this same issue: how do we keep track of potentially millions of users in several roles, using many applications, with data that comes from thousands of locations? We began to answer this question by looking at the resources we had to work with.
SIF already does a good job of distributing information about the potential users of these applications. This is why many of them implement SIF agent interfaces: the agent lets the application collect information about its users (learners, teachers and contacts) automatically.
Next, we combined this information with our Identity Management foundation (and optional Active Directory SIF agent), which uses the collected information to assign and manage identities as well as the Active Directory accounts used to gain access to the network.
Then, we created an easy-to-use interface where administrators can register applications, define the roles each application supports, and assign users to those roles.
Lastly, we created an Identity/Role web service interface that applications can call easily, for example to check which role the currently logged-in user holds in a particular application for a given scope (school).
(This picture is a high-level diagram. MIS (Management Information System) is the UK term for a Student Information System, the application that stores and manages student information. Many of the SIF architecture details have been omitted.)
We realize that some environments will be completely SIF-enabled, some won't, and most will be somewhere in between. For this reason, we built the entire environment so that Ipseity's input can be:
Ipseity manages identities for applications and directories and supports the SIF guidelines for publishing identity information to other applications. Identity names can be assigned using several different algorithms based on any of the information collected for the user (names, birth dates, local identifiers, etc.).
Combined with Envoy, our Identity Management solution can use Managed Virtual Zones to ensure that only a single identity is assigned to:
...even if the information is received from different Student Information Systems (MIS systems in the UK) with unmatched SIF RefId values.
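The matching problem described above, as an added illustration (this is not Ipseity's or Envoy's own code, and the matching keys, name-assignment algorithm, zone names and learner records are constructed assumptions): two feeds describe the same learner under different RefIds and local identifiers, and the goal is exactly one identity per person, with ambiguous matches refused rather than silently merged.

```python
"""Constructed example: reconcile person records from two SIS/MIS feeds whose
SIF RefIds differ, so that one learner gets exactly one identity.
Field names, matching rules and records are assumptions for illustration."""
from dataclasses import dataclass, field
import re
import unicodedata


@dataclass(frozen=True)
class SifPerson:
    ref_id: str        # SIF RefId as issued by the source zone (differs per source)
    source_zone: str
    family_name: str
    given_name: str
    birth_date: str    # ISO yyyy-mm-dd
    local_id: str      # school-assigned identifier; may change when the learner moves


@dataclass(eq=False)  # identity objects are compared by object identity, so they are hashable
class Identity:
    identity_name: str
    match_keys: set = field(default_factory=set)
    ref_ids: set = field(default_factory=set)


def _norm(text):
    """Fold accents and case so 'O'Brien' and 'OBRIEN' compare equal."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", text.lower())


def match_keys(p):
    """Keys under which two records are treated as the same person (assumed rules).
    The local id alone is deliberately not a key: two schools can reuse the same numbers."""
    return {
        ("name_dob", _norm(p.family_name), _norm(p.given_name), p.birth_date),
        ("localid_dob", p.local_id, p.birth_date),
    }


class IdentityStore:
    def __init__(self):
        self.by_key = {}      # match key -> Identity
        self.identities = []  # creation order
        self.names = set()    # identity names already issued

    def _new_name(self, p):
        """Assumed name algorithm: first initial + family name, numbered on collision."""
        base = (_norm(p.given_name)[:1] + _norm(p.family_name))[:16] or "user"
        name, n = base, 1
        while name in self.names:
            n += 1
            name = f"{base}{n}"
        self.names.add(name)
        return name

    def ingest(self, p):
        keys = match_keys(p)
        hits = {self.by_key[k] for k in keys if k in self.by_key}
        if not hits:
            ident = Identity(self._new_name(p))
            self.identities.append(ident)
        elif len(hits) == 1:
            ident = hits.pop()
        else:
            # Two distinct identities share a key with this record: never auto-merge,
            # because merging the wrong people hands one person the other's access.
            names = sorted(h.identity_name for h in hits)
            raise ValueError(f"ambiguous match for RefId {p.ref_id}: {names}")
        ident.ref_ids.add(p.ref_id)
        ident.match_keys |= keys
        for k in keys:
            self.by_key[k] = ident
        return ident


# Constructed feed: the first two records are the same learner after a school move.
FEED = [
    SifPerson("A1-REF", "zone-north", "O'Brien", "Siobhán", "2010-04-12", "N1001"),
    SifPerson("B2-REF", "zone-south", "OBRIEN", "Siobhan", "2010-04-12", "S7342"),
    SifPerson("C3-REF", "zone-south", "Smith", "Sam", "2009-11-02", "S7343"),
    SifPerson("D4-REF", "zone-north", "Smith", "Sam", "2011-01-30", "N1002"),  # different DOB
]


def reconcile(records):
    store = IdentityStore()
    for r in records:
        store.ingest(r)
    return store


if __name__ == "__main__":
    for ident in reconcile(FEED).identities:
        print(ident.identity_name, sorted(ident.ref_ids))
```

Running the block yields three identities: `sobrien` carrying both RefIds, and two `ssmith` accounts that stay separate because their birth dates differ. The refusal to merge on an ambiguous hit is the part worth keeping in any real implementation, since an over-eager merge is an access-control failure, not just a data-quality one.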
The SIF agent is built using Visual Software’s configurable SIF agent, ZIAgent™. This SIF agent subscribes to the following objects:
| United States | United Kingdom | Australia |
|---|---|---|
…and any other objects to which the user needs to attach business rules. For example, in the UK, a business rule could be attached to the TeachingGroup SIF object that adds all teachers in that group to an Active Directory group.
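The TeachingGroup business rule described above, as an added example that is not ZIAgent's or Ipseity's own code: a TeachingGroup event is parsed, each teacher RefId is resolved to the account the identity layer already created, and an Active Directory group named after the group's LocalId is brought into line. The XML shape is a simplified stand-in rather than the exact SIF UK schema, the RefIds and accounts are constructed, and the in-memory directory replaces a real LDAP client; removing stale members goes beyond the add-only rule on the page and is an assumption about what a sync rule should do.

```python
"""Constructed example of a business rule on the UK TeachingGroup SIF object:
keep an Active Directory group in step with the group's teachers.
XML shape, RefIds, account names and the fake directory are assumptions."""
import xml.etree.ElementTree as ET

# Assumed mapping from TeacherPersonRefId to the AD account already provisioned
# for that person by the identity-management layer.
REFID_TO_ACCOUNT = {
    "E1A6-TEACHER-0001": "tbrown",
    "E1A6-TEACHER-0002": "lgreen",
    "E1A6-TEACHER-0003": "pwhite",
}

# Constructed event payload (simplified; not the full SIF UK TeachingGroup schema).
TEACHING_GROUP_EVENT = """<TeachingGroup RefId="9C2F-TG-0010">
  <LocalId>10X-MA</LocalId>
  <TeacherList>
    <TeachingGroupTeacher><TeacherPersonRefId>E1A6-TEACHER-0001</TeacherPersonRefId></TeachingGroupTeacher>
    <TeachingGroupTeacher><TeacherPersonRefId>E1A6-TEACHER-0002</TeacherPersonRefId></TeachingGroupTeacher>
    <TeachingGroupTeacher><TeacherPersonRefId>E1A6-TEACHER-9999</TeacherPersonRefId></TeachingGroupTeacher>
  </TeacherList>
</TeachingGroup>"""


class FakeDirectory:
    """Minimal stand-in for AD group membership (constructed, not a real LDAP client)."""

    def __init__(self):
        self.groups = {}

    def members(self, group):
        return set(self.groups.get(group, set()))

    def add(self, group, account):
        self.groups.setdefault(group, set()).add(account)

    def remove(self, group, account):
        self.groups.get(group, set()).discard(account)


def teachers_in(teaching_group_xml):
    """Return (RefId, LocalId, [TeacherPersonRefId, ...]) from the event payload."""
    root = ET.fromstring(teaching_group_xml)
    ref_ids = [e.text.strip() for e in root.iter("TeacherPersonRefId") if e.text]
    return root.get("RefId"), root.findtext("LocalId"), ref_ids


def sync_teaching_group(directory, teaching_group_xml, group_prefix="TG-"):
    """Business rule: AD group <prefix><LocalId> contains exactly the group's teachers.
    Unknown RefIds are reported, not guessed: an unresolved person must never be
    provisioned by falling back to a name match. Safe to re-run (idempotent)."""
    _ref_id, local_id, ref_ids = teachers_in(teaching_group_xml)
    group = f"{group_prefix}{local_id}"
    wanted, unknown = set(), []
    for r in ref_ids:
        account = REFID_TO_ACCOUNT.get(r)
        if account:
            wanted.add(account)
        else:
            unknown.append(r)
    current = directory.members(group)
    for account in wanted - current:
        directory.add(group, account)
    for account in current - wanted:          # assumed extension: drop stale members
        directory.remove(group, account)
    return {
        "group": group,
        "added": sorted(wanted - current),
        "removed": sorted(current - wanted),
        "unknown_refids": unknown,
    }


if __name__ == "__main__":
    d = FakeDirectory()
    d.add("TG-10X-MA", "pwhite")              # stale member from a previous timetable
    print(sync_teaching_group(d, TEACHING_GROUP_EVENT))
```

The change report is what an audit log would record: who was added, who was removed, and which RefIds could not be resolved and therefore need a human to look at the identity data before any access is granted.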
This SIF agent publishes one object: the Identity SIF object.
Depending on which business rules are activated, the SIF agent can perform a number of functions:
A learner moving from one school to another is a very common occurrence within a school system, and, totaled over the course of a school year, it adds up to a significant amount of tedious effort for an IT department.
When the SIF agent sees what looks like a learner's school-to-school move, it does what an IT department would likely do:
This part of the application lets its users manage other users' roles for installed applications across an enterprise. It uses information collected through the SIF interface, identities created through the Identity Management part of the application, and any other information provided through its Web Services interface to determine the user base from which roles are assigned.
This is an example of the Ipseity user interface home screen (click on the screen image to see a full-size image).
This screen allows administrators to:
For already managed applications, it also lets the administrator view statistics showing how many users are provisioned in each school and in which role.
Under the "collected info" tab, there are pages that display the information that has been collected through Ipseity's input sources (the SIF interface and/or the Web Services interface).
The "audits" interface lets the user see all of the activity the system has generated, whether through this user interface or through the Web Services interface.
The "about the web service" tab (optionally) gives the user interactive access to the Web Service calls, so that single users may be added, users may be assigned to a "scope" (a school or a SIF zone, whichever is smaller), etc. There are presently 16 Web Service calls in the interface, giving an application access to a variety of functions and several ways to query its data.
To provision a new application, the user is presented with a simple-to-use wizard. Before it reaches the first page, it recognizes who is logged in (see the "Welcome" notice at the top-right of the screen) and scopes the list of schools so that only those available to this account appear.
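The role query that the Identity/Role web service answers, the per-account scoping of the school list described here, and the audit and per-role statistics views, as one added example (this is not Ipseity's Web Service API; the account names, application names, school identifiers and in-memory store are constructed assumptions). The point worth noticing is that the scope check is enforced on the write path, not only when the wizard builds its list, so a crafted request cannot assign roles in a school the administrator does not manage.

```python
"""Constructed example of a role service: (identity, application, scope) -> role,
with administrator views scoped to the schools their account may manage.
Names, data and the in-memory store are assumptions for illustration."""


class RoleService:
    def __init__(self, schools, admin_scopes):
        self.schools = list(schools)                              # every scope the service knows
        self.admin_scopes = {a: set(s) for a, s in admin_scopes.items()}
        self.assignments = {}                                     # (identity, application, scope) -> role
        self.audit = []                                           # what the "audits" view would show

    def role_for(self, identity, application, scope):
        """The web service question: which role does this user hold for this
        application in this scope? None when nothing is assigned (no implicit default)."""
        return self.assignments.get((identity, application, scope))

    def schools_for_admin(self, account):
        """Scope list shown to an administrator: only schools the account may manage.
        An unknown account sees nothing (deny by default)."""
        allowed = self.admin_scopes.get(account, set())
        return [s for s in self.schools if s in allowed]

    def assign_role(self, acting_account, identity, application, scope, role):
        """Write path: re-check the acting admin's scope server-side, then record an audit entry.
        A denied attempt is audited too, since it is the interesting event."""
        if scope not in self.admin_scopes.get(acting_account, set()):
            self.audit.append(("denied", acting_account, identity, application, scope, role))
            raise PermissionError(f"{acting_account} may not assign roles in {scope}")
        self.assignments[(identity, application, scope)] = role
        self.audit.append(("assigned", acting_account, identity, application, scope, role))

    def users_per_role(self, application, scope):
        """Statistics for a managed application: provisioned users per role in one school."""
        counts = {}
        for (_ident, app, sc), role in self.assignments.items():
            if app == application and sc == scope:
                counts[role] = counts.get(role, 0) + 1
        return counts


def demo_service():
    """Build a service with constructed data: a regional admin and a single-school admin."""
    svc = RoleService(
        ["school-0042", "school-0077", "school-0103"],
        {"asmith": {"school-0042"},
         "regional": {"school-0042", "school-0077", "school-0103"}},
    )
    svc.assign_role("regional", "jdoe", "vle", "school-0042", "teacher")
    svc.assign_role("regional", "jdoe", "vle", "school-0077", "reader")
    svc.assign_role("asmith", "kpatel", "vle", "school-0042", "teacher")
    return svc


if __name__ == "__main__":
    svc = demo_service()
    print(svc.role_for("jdoe", "vle", "school-0042"))   # the logged-in user's role in one school
    print(svc.schools_for_admin("asmith"))              # what the wizard would list for this admin
    try:
        svc.assign_role("asmith", "jdoe", "vle", "school-0077", "teacher")
    except PermissionError as e:
        print("denied:", e)
    print(svc.audit[-1])
```

The same user holds different roles in different scopes (`jdoe` is a teacher in one school and a reader in another), which is why the lookup key includes the scope rather than just the user and the application.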
The following "screen deck" shows you the steps a user would need to go through to provision roles for an application for several schools at a time: