Visual Software designs, creates, licenses and maintains:

Configurable, interoperability infrastructure products – these connect existing applications and enable real-time transfer of information between them. (ZIAgent, ZIServer, Mimic, and Veracity)
Identity management solutions – this manages identities for objects (people, buildings, other assets, etc.) in a connected system. (See Ipseity below for more information)
End-user, large-scale applications that provide data management and electronic document management features (health care, education). (See Sustainable Solutions for more information)

ZIAgent

ZIAgent — Configurable Application Adapter

Products

ZIAgent changes the rules in enabling existing applications to communicate with other applications. In general, applications are either built with interoperability features as part of their integral design or need an adapter to allow them to participate in a community of connected applications.

Some application makers who needed adapters have gone the expensive and time-consuming route of hand-writing their own using a toolkit. Many others, however, have chosen ZIAgent, a configurable adapter, that takes advantage of existing facilities that an application has already, without requiring changes to the application itself.

Instead of taking weeks or months to develop and test, users can create deployable adapters with ZIAgent in a matter of hours or days, depending on the complexity of the application and the amount of information being exchanged.

Level of expertise required? Typically, if you can build SQL queries, you can configure an application adapter with ZIAgent.

The Interoperability Challenge

The "interoperability challenge" has been addressed in the past, but wherever and whenever it was approached, very similar steps were taken: It started with making design changes in the application, writing new code, testing the code, finding out that extra levels of security are needed (because the connected community is larger), then implementing and testing the extra levels of security, etc.

With an Agent (Adapter) Development Kit, even though some of the pieces may have been built for you, the agent must still be built, debugged and tested. One of our customers who had experience with both described it this way: "It's like building a house: even though some of the pieces come ready-built, most of the work still needs to be done. For example, house builders may use pre-fabricated truss (roof) systems and furnaces, but they still need to pour the foundation, build the walls, run the plumbing, electrical, etc."

ZIAgent was first built back in 2001 and has been in a process of being refined ever since. In our customer's analogy, it's the finished house — ready to configure (decorate) and use (move in). Because of the way we designed ZIAgent, we don't rebuild every new adapter from the beginning or almost the beginning (as you would even with the best ADK). As a result, we've been able to spend many years making it more:

Scalable — Deployments can be installed easily on a single server or across several servers to support large hosted environments with many customers.
Flexible — Agents can support applications that use almost every commercially available database through a variety of interfaces.
Reliable — We've had years' of experience seeing what can happen in the field, so we have built detection and recovery procedures into ZIAgent. Companies who build agents using an ADK will likely gain this experience through trial and error.
Secure — ZIAgent has many built-in features for data security and privacy that have come from customer requests over the years such as message auditing, record filtering and activity logging.
Supported — ZIAgent was first released in 2001, and we've been refining it ever since. We are continually adding new features, enhancing the runtime engine and improving the user interface.

Microsoft Commercial App Certification is a validation service for cloud and on-premise applications built-on or integrated with commercial Microsoft technologies such as Azure, SQL Server, Windows Server and others. Certification logo badges give buyers confidence that this solution is:

- Fully compatible with Microsoft technologies Certification tests validate that the solution follows coding principles and integrates seamlessly with Microsoft technologies.
- Managed by a trusted partner Certified solutions are created and supported by validated and trustworthy partners.

Certified for Windows Server 2019

ZIAgent is certified by Microsoft to run reliably on the Windows Server 2019 platform and integrate seamlessly with other Microsoft technologies.

Fully compatible with Microsoft technologies Certification tests validate that the solution follows coding principles and integrates seamlessly with Microsoft technologies.
Managed by a trusted partner Certified solutions are created and supported by validated and trustworthy partners.

Certified for Windows Server 2016

ZIAgent is certified by Microsoft to run reliably on the Windows Server 2016 platform and integrate seamlessly with other Microsoft technologies.

How it Works

The ZIAgent back end runs as a web site. It communicates with ZIServer using standard Internet protocols (HTTP or HTTPS) and formats defined in the specifications created for the industry. For education, this the SIF specification; for healthcare, , while other industries may have their own standardized specifications. In other cases, specifications may have been developed to meet a particular need.

ZIAgent supports several security and authentication models including all those listed in the specifications. We have also extended these models to reflect recommendations from the OWASP 2017 Top 10 list. See OWASP (pdf) for more information.

When ZIAgent is at the beginning of the configuration process, it already knows about every element and every attribute of every object defined in the specification to be used (this was set up beforehand). In its configuration database, it has tables that contain staging areas for incoming data, validation tables for all possible legal

Information Sharing Applications — Publishers

Publishers are applications that store information to be shared with other applications in a particular zone. Student management systems are typical examples of publishers. Many applications that mostly subscribe may also publish as well. For example, a transportation system may subscribe to student and workforce information, but it may also publish bus stop and route information.

Agents for publishing applications are configured through a simple two-step process using the ZIAgent designer. The first step involves specifying where the data can be found in the application’s database. The second step consists of mapping each of the application’s fields to corresponding SIF fields and determining if there should be translations set up for it.

Target Database Discovery

When configuring an object for publication, the ZIAgent designer asks for a statement that “requests all records” for the object being configured. With the results of that query, it takes whatever information it can (types, sizes, locations, etc.) and uses that information to build internal tables.

These tables are used in other parts of the designer for validation checks to automate the process wherever possible or to make the process as error-free as possible.

Note

If you look at the data shown in this example, there are two things to point out:

The names of the columns and the encoded field values in the application database do not need to match the definitions in the standard. ZIAgent handles mapping these names and values.
Student information used in these screen captures are for fictional student records randomly created from lists of popular last and first names. Any resemblance to real persons, living or dead, is purely coincidental.

Object Field Mapping

Once the designer has learned as much as it can from looking at the sample data, it presents a simple screen to the user, allowing him or her to select the fields from the SQL statement that match the XML field in the message to be transferred.

If the data element (or attribute) represents an encoded value, the last column will contain a “configuration” icon indicating that translations should be set up for this element or attribute. Clicking this icon brings the user to the next screen.

Automatic Translation Discovery

If an application gives its users an ability to define or extend code value sets, then whenever the application is installed somewhere new, these new code values need to be mapped to the values defined by the standard.

To address this common problem, we added a feature that searches for any values that may have been added locally by a customer. If any of these values need have a translation, the application alerts the user.

Information Subscribing Applications

Subscribing agents are configured by defining rules that are triggered on receipt of either an “Add”, “Change” or ”Delete” event. These same rules are reused when a response is received. In this case, the agent decides if it is proper to use the “Add” or “Change” rule depending on whether or not the object has been “seen” by the adapter already. There is a fourth rule type: “SYNC” – this rule type is executed for both “Add” and “Change” events.

Event Rules Overview

In the following examples, we will use some examples from an education example that uses the SIF specification from the A4L organization.

In this screen, we see a summary of the event rules defined for the StudentSchoolEnrollment object for a subscribing application SIF agent.

Five of the rules are defined to handle incoming "Add” events and another three to handle "Change” events. Although it would be possible, this agent is not configured to handle "Delete” events. To see the details for one of the rules, the user clicks on the ‘Edit’ button.

Event Rules — Dynamic Matching

This is an example of a Dynamic Matching rule. Some subscribing applications have multiple sources of input, including interactive user input.

This rule tells the adapter to search the application database (using the supplied matching criteria) before adding a new record to see if there might already be a record that was created through another interface. If the same record was already added, the ‘Add’ event is turned into a ‘Change’ event, and the two records are synchronized. This avoids the possibility of creating duplicate records.

Multiple DMATCH rules may be created for the same object using different matching patterns.

Event Rule — Add Event

This example is also an ‘Add’ event.

It combines information from several objects, adds information from the environment and passes the information to a CEDS Data Warehouse that is housed in an Oracle environment on another server.

Only the records that have passed all of the validation checks in rules 20, 30 and 40 will update the Oracle DW. The records that fail validation will be set aside for alternative processing.

In addition to sending information to target applications using a variety of methods, ZIAgent also provides a number of other unique features:

Error Handling — ZIAgent provides extensive support for error handling, depending on the needs of the application. Some subscribing applications choose to only allow the agent to pass “clean” data from the input stream to it and send “less than clean” data to a “suspense” location. Others configure the rules so that all data is forwarded from the agent to the applications, allowing it to handle errors.. Some others are in-between. ZIAgent has the flexibility to support them all.
Self-healing Rules — These rules are written in a way that detects when something wrong has occurred, and they trigger other events to correct the problem and cause theto be repeated. For example, let’s say that in education, a StudentSchoolEnrollment (student enrollment in a school) event was received by an adapter, but it never received a StudentPersonal (student demographics) record for one of the students. The rule can make a request for the missing StudentPersonal record, exit, and then have the student’s complete record processed later after the StudentPersonal event has been received.
Email Notifications — These can be attached to any rule (event or business rule) to notify someone that immediate attention is needed.

Common Features

Many applications behave as both publishers and subscribers. ZIAgent supports these more complex configurations as well as the features that are common to all applications that use the adapter:

Import/Export — Once a configuration is completed, it may be exported and saved to an XML file. This allows us to migrate a configuration from one standard XML version (SIF, HL7, or other) to the next. The migration process generally involves exporting from the old version and importing to the new version. It also eliminates the need for database backups and when deploying ZIAgent to multiple locations.
Business Rules — Business rules are much like event rules, except that they are not associated with any particular event. Business rules may be run on demand (from the agent dashboard) or may be scheduled to be run at prescribed intervals.
Web Service Call Auditing — Similar to the XML Message Ledger, ZIAgent also stores a Web Service Call Ledger that keeps track of any calls that the agent made to an external web service. This includes information passed to or returned from it, as well as the time it took to complete the action.

Message Auditing

ZIAgent keeps track of its message activity in a message ledger and presents it through a searchable, sortable user interface.

This message ledger keeps track of when the message was sent, any errors returned by ZIServer, the agent it was sent to, and a drill-down feature that allows the user to view the contents.

Rule Tracing

While developing or troubleshooting an agent, tracing can be turned on through the administration panel. This causes it to maintain a limited set of “rolling logfiles” that store, on a very detailed level, what the agent is doing internally.

This allows support staff to easily track down issues with the agent’s configuration or possibly with data it is receiving from other agents.

Licensing

We offer several licensing models that vary depending on differing needs.

Type of User	License Includes	License Characteristics
Application Supplier (Vendor)	ZIAgent Designer ZIAgent Runtime	Licensed for supplier’s application No runtime royalties Includes new versions Includes 20 hours of Tier 2 support during the first 6 months (Standard Edition) or unlimited Tier 2 support during the first year (Platinum Edition) to help you with your first agent deployments VSI developer spends time with supplier’s staff, configures agent and runs through SIF certification process.
Municipality, School District, other School Organization, or Corporate Entity with many locations	ZIAgent Designer ZIAgent Runtime	Licensed for all applications developed by organization staff No runtime royalties – may be installed and used anywhere in the organization Includes new versions VSI developers provide training to organization’s staff on how to configure SIF agents. Developers use one or two applications from the school organization during the training session so that the school staff has useful, working examples at the end of the session.
Municipality, School District, other School Organization, or Corporate Entity with many locations	ZIAgent Runtime	Licensed per school for the purpose of running publicly available configuration sets Includes new versions
Systems Integrator	ZIAgent Designer	VSI developers provide in-depth training on how to configure agents Royalty paid per installation for each agent configured
Regional, State or National Organization or Education Office	ZIAgent Designer ZIAgent Runtime	Region or state-wide license available for all non-commercial applications No runtime royalties VSI provides Regional or State office staff training and provides classroom training to member organizations.

ZIServer

ZIServer — High-Speed Message Broker

At the foundation of any interoperability environment is a message broker. It is software, the invisible courier, that reliably delivers information from one source to one or more destinations. This is not done blindly, since the software is aware of the information objects that are of interest to the various applications. It is also aware of what the applications send and receive as well as the security requirements of each application's connections.

Translating this awareness into enforced policies, provides secure and reliable message broker services.

ZIServer is…

[kswr_iconinfoboxlist][kswr_infoboxitem_child iibl_title="Secure / Private" iibl_title_color="#333333" iibl_subtitle_color="#777777" iibl_content_color="#555555" iibl_image_width="40" iibl_image_height="40" iibl_font_default="1" iibl_image_enable="1" iibl_icon_margins="margin-top:0px;margin-bottom:0px;" iibl_title_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:10px;" iibl_subtitle_margins="margin-top:0px;margin-left:0px;margin-right:0px;margin-bottom:0px;" iibl_content_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:0px;" iibl_image="15157"]

ZIServer supports multiple levels of network security to make sure that any data transferred across the Internet is done so safely. In addition to all levels required by the SIF education specification, we have added in support for items listed in the OWASP Top 10.

With respect to privacy, one server supports multiple zones, the number of which is limited only by the memory and disk space available on the server. In addition, ZIServer supports clusters of zones which can be independently administered, so it is suitable for state or other regional implementations. For each of the zones, ZIServer provides multiple levels of privacy including

Learn More

[/kswr_infoboxitem_child][kswr_infoboxitem_child iibl_title="Scalable" iibl_title_color="#333333" iibl_subtitle_color="#777777" iibl_content_color="#555555" iibl_image_width="40" iibl_image_height="40" iibl_font_default="1" iibl_image_enable="1" iibl_icon_margins="margin-top:0px;margin-bottom:0px;" iibl_title_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:10px;" iibl_subtitle_margins="margin-top:0px;margin-left:0px;margin-right:0px;margin-bottom:0px;" iibl_content_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:0px;" iibl_image="15142"]

One server supports multiple zones, the number of which is limited only by the memory and disk space available on the server. In addition, ZIServer supports clusters of zones which can be independently administered, suitable for state, nationwide or other regional implementations.

ZIServer provides web-based administration and management with separate roles for (all capabilities in all zones), Zone Administrators (most capabilities for specified zones) and Agent Viewers (limited capabilities for specified agents).

Learn More

[/kswr_infoboxitem_child][kswr_infoboxitem_child iibl_title="Highly Available" iibl_title_color="#333333" iibl_subtitle_color="#777777" iibl_content_color="#555555" iibl_image_width="40" iibl_image_height="40" iibl_font_default="1" iibl_image_enable="1" iibl_icon_margins="margin-top:0px;margin-bottom:0px;" iibl_title_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:10px;" iibl_subtitle_margins="margin-top:0px;margin-left:0px;margin-right:0px;margin-bottom:0px;" iibl_content_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:0px;" iibl_image="15141"]

ZIServer may be deployed as a high-availability server farm on as many servers as needed in single or multiple location (disaster recovery) configurations.

It supports SQL Server AlwaysOn Availability Groups in local and distributed configurations, so that the database can be duplicated in real-time and available as a "hot spare" should a server become unavailable.

ZIServer supports inbound load balancing using either hardware or Windows Network Load Balancing and implements outbound load balancing, including automatic support for failover and recovery.

Learn More

[/kswr_infoboxitem_child][/kswr_iconinfoboxlist]

[kswr_iconinfoboxlist iibl_list_default="1"][kswr_infoboxitem_child iibl_title="Flexible" iibl_title_color="#333333" iibl_subtitle_color="#777777" iibl_content_color="#555555" iibl_image_width="40" iibl_image_height="40" iibl_font_default="1" iibl_image_enable="1" iibl_icon_margins="margin-top:0px;margin-bottom:0px;" iibl_title_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:10px;" iibl_subtitle_margins="margin-top:0px;margin-left:0px;margin-right:0px;margin-bottom:0px;" iibl_content_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:0px;" iibl_image="15158"]

ZIServer supports PULL (polled) and PUSH (real-time) events as well as request/response modes. It can be hosted by a service provider or installed on-premise. A single implementation can host many independent groups of applications (zones), each of which is isolated from the others.

A single server (or cluster of servers) supports multiple zones (groups of associated applications). The number of these is limited only by the memory and disk space available on the server.

In the education market, a common interoperability standard already exists, and many applications already conform to it. ZIServer has the ability to connect to any of these applications through a simple configuration process.

Learn More

[/kswr_infoboxitem_child][kswr_infoboxitem_child iibl_title="High-Performance" iibl_title_color="#333333" iibl_subtitle_color="#777777" iibl_content_color="#555555" iibl_image_width="40" iibl_image_height="40" iibl_font_default="1" iibl_image_enable="1" iibl_icon_margins="margin-top:0px;margin-bottom:0px;" iibl_title_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:10px;" iibl_subtitle_margins="margin-top:0px;margin-left:0px;margin-right:0px;margin-bottom:0px;" iibl_content_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:0px;" iibl_image="15143"]

Since 2001, Visual Software has been continually refining the ZIServer back end, making it faster, more secure, more efficient, more flexible and more reliable.

With our current release and modest hardware, ZIServer can maintain traffic loads even with millions of complex messages being passed per hour over secure connections to many (dozens to thousands of) connections simultaneously.

Learn More

[/kswr_infoboxitem_child][kswr_infoboxitem_child iibl_title="Auditable" iibl_title_color="#333333" iibl_subtitle_color="#777777" iibl_content_color="#555555" iibl_image_width="40" iibl_image_height="40" iibl_font_default="1" iibl_image_enable="1" iibl_icon_margins="margin-top:0px;margin-bottom:0px;" iibl_title_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:10px;" iibl_subtitle_margins="margin-top:0px;margin-left:0px;margin-right:0px;margin-bottom:0px;" iibl_content_margins="margin-top:0px;margin-left:15px;margin-right:15px;margin-bottom:0px;" iibl_image="15159"]

ZIServer provides user logging, detailed tracing and full message auditing capabilities. ZIServer also has the ability to move older messages into to archive databases, so that these can be stored on less expensive storage and be put onto a separate backup schedule.

Learn More

[/kswr_infoboxitem_child][/kswr_iconinfoboxlist]

The User Interface

	The ZIServer Dashboard The ZIServer dashboard gives administrators a quick overview of the health of the ZIS, how busy it has been lately, how the tunable parameters are set and, in general, how servers in the server farm are balanced (if this server participates in a load-balanced server farm). Each of the dashboard’s four panels can be maximized to either provide more detail (as with archetype libraries or with zone health) or provide system administrators the ability to override ZIServer’s tunable parameters. The detailed view of the Zone Health panel displays agent health for each agent that has pending messages.
	The ZIServer Neighborhood — Zones We have redesigned ZIServer’s interface to support many thousands of SIF zones by making the list of zones a paged, scrollable list. When a zone is selected from the top list, the lower half of the screen updates to show: any messages waiting to be sent to any of the agents in that zone all detailed information for the zone – in this tab, administrators are allowed to change selected information for the zone
	The ZIServer Neighborhood — Agents When the ‘+’ icon is pressed at the beginning of one of the zone rows, that row expands to show information for all of the agents in that zone. The lower half of the screen now shows detailed information for the selected agent in the agent list. For each agent, the lower screen display shows: messages waiting to be sent to the agent detailed information about the agent (some was entered when the agent was created, other was received when the agent registered and still other information may be entered by and administrator) object permissions (ACL list) element-level filters a list of the objects that this agent is providing a list of the objects to which this agent is subscribing
	The ZIServer Neighborhood — Viewing Waiting Messages While a message is waiting, it can be viewed by pressing the hourglass icon at the end of its detail row. This will bring up a window that looks like the image on the left, displaying the message.

Security / Privacy Features

Besides passing messages from one application to another, managing security is the other main function of the ZIServer product. The following table illustrates some of these ZIServer features:

	ZIServer Accounts ZIServer provides web-based administration and management with separate roles for Global Administrators (all capabilities in all zones), Zone Administrators (most capabilities for specified zones) and Agent Viewers (limited capabilities for specified connections). This is a screen capture from a Global Administrator’s account which allows administration of all other accounts.
	ZIServer Zone Level Administrators This is a view from a Global Administrator’s account where a Zone Administrator’s account is being set up. In this example, the account ‘bwilde’ is given access to two zones.
	ZIServer Agent (connector) Level Administrators In this example, the account ‘opayne’ is given access to view some limited information from agents (connectors) in two zones. In the currently selected zone, access is only given to information about the ‘SubscriberB’ agent (connector).
	Object-Level Permissions ZIServer maintains object level privileges by application connector to send events (Add, Change or Delete), subscribe to events, make requests or respond to requests. Agents (connectors) need to be pre-authorized by the administrator before they can publish or receive data to or from a zone. The last column in the permissions table contains a button. If the button is green, there are element-level filters defined for this object (but none have been set). If the button is yellow, some filters have been set.
	Element-Level Filtering ZIServer supports element-level filtering by agent connection. This allows administrators to define privacy filters for object types by application, causing data to be removed from messages before delivering them to the application (based on a need-to-know basis). For example, in the SIF education standard, there is a “Medical Alert” field in the Student Demographics object. Since this is not needed by (and, for privacy reasons, should not be sent to a Library application, that one field can be removed before passing the message to the Library application. During the publication of the same event, the entire message would be forwarded to the Nurse’s office application. All versions of delivered messages are audited separately. In this screen, an administrator may choose to remove/replace certain elements (fields) from messages before they are sent to a receiving application. The administrator is also able to control globally whether elements are replaced (with a string such as “removed for privacy reasons”) or simply removed.
	HTTP/HTTPS Authentication ZIServer supports several authentication (including certificate pinning) and encryption models (including TLS 1.2 and 1.3) for bank-level security. The set-up is simple: install a certificate on the server where ZIServer is being installed, obtain a copy of the remote server’s certificate, and copy it to a secure place on the local server. Lastly, tell ZIServer where that local copy is, and it will configure the rest and handle all the difficult parts.

Flexibility — Other Applications

Although originally created for the education market (as were all other products in the Visual Software suite), ZIServer was designed to support any class of application from any industry, from a small, locally developed database system to a multi-server, line-of-business system. However, some environments will be easier to connect than others because they already have industry-wide standards available. A partial list of these include:

Agriculture: AgXML (grain- and oilseed-related business processes)
Automotive
- STAR — STandards in Automotive Retail
- OTX — Open Test sequence eXchange
Business
- B2MML (Business to Manufacturing)
- CIDX (Chemical Industry Data Exchange)
- FpML (set of Financial Products standards)
- HR-XML (Human Resources related standards)
- Mail.XML (Mailing, Addresses and Deliveries)
- OASIS UBL (Business Documents, Processes)
- RETS (Real Estate Transactions)
- XBRL (Business Reporting)
Education
- SIF (Systems Interoperability Framework)
- IMS global learning consortium (a set of standards)
Health Care: HL7 — Health Level 7
Government — NIEM (set of standards)
News
- EventsML (News Exchange)
- SportsML (Sports Data)
Publishing
- AdsML (Advertising)
- papiNet (Paper and Forest Supply Chain)
- Prism (Publishing Content)
- RIXML (Global Investment Research)
Scientific: DWML (Digital Weather)
Security: OVAL (Open Vulnerability and Assessment Language)

Hosting Capabilities

ZIServer was designed from the ground up to support a hosted implementation model. In a single implementation, it supports thousands of zones (groups of related applications), each of which is capable of connecting dozens to hundreds of applications.

ZIServer also supports global administration as well as distributed administration. In a hosted environment, the global administrator would work for the hosting provider where a distributed administrator (or zone administrator) role would be given to a customer account. For more information on this, see “Security / Privacy Features” above.

Performance

A Little History

When we created our first version of ZIServer, we built it “on top of” a popular Enterprise Application Integration (EAI) platform. It did the same basic things that our current ZIServer product does (passed messages and managed permissions), but it required our customers to buy a copy of the EAI platform when they purchased our ZIServer product.

In 2007, we were working with an existing XML specification that was changing and not maintaining backwards compatibility. Because this also involved changes to the transport mechanism (how messages are passed between applications), it was forcing us into a ground-up rewrite. At the same time, we heard from the maker of the EAI platform that their next release was not going to be backwards-compatible. In addition, it was still over a year away from being released. This left us with reduced options.

Assessing Our Strengths and Market Needs

At that point, we saw that the current product worked well, but it lacked the performance needed by very large . In addition, because it required customers to also purchase an EAI platform, it excluded smaller potential customers who couldn’t administer or afford the EAI platform. Since we had an extensive background in operating system-level development already, we decided to create a new generation ZIServer from the ground up, based on the design principles we were most familiar with: . As a result of a significant development effort, our base model was ready. After a side-by-side comparison, we found that it was:

significantly faster than the older version based on the EAI platform. It was roughly 8–15 times faster, depending on the mix of traffic.
more scalable. The new version could handle load-balanced input as well as load-balanced output – an advantage it still offers even today.
easier to administer. We were able to create an installer that allowed for a simple, “click-through” process and an easy-to-use GUI administrative interface.
much more affordable. The new version didn’t require the purchase of the EAI platform.

Since Then

We have spent the years since then improving ZIServer’s speed, scalability and overall usability. We’ve improved the product in these ways without increasing its administrative complexity or system-level basic requirements. This allows us to still support implementations of all sizes without requiring dedicated administrative support, even in the largest installations.

Scalability / High Availability

The new ZIServer has many features to support large and/or hosted implementations:

It supports a one-to-many model. This is ideal in situations where information published by one source needs to be distributed to several recipients. With this model
1. the publisher doesn’t need to keep track of who needs to receive the message. (The list of subscribers can change without requiring that the publisher be notified.)
2. the publisher only sends a single message (less network traffic).
3. the speed at which the publisher sends messages is not dependent on the speed at which receivers are able to receive messages.
4. messages can be screened for privacy at ZIServer if needed.

It retains messages across agent and system failures. If any of the endpoints goes offline, ZIServer saves its messages and sends them when the application returns to an online state – even if it takes days to do so.
It protects the environment against XML-based denial-of-service attacks (the only broker of its kind to offer this protection).
It guarantees that messages are delivered in .
It may be deployed as a high-availability server farm on as many servers as needed in single or multiple location (disaster recovery) configurations. ZIServer is the only message broker of its kind to offer load-balanced delivery of messages (others provide distributed message receiving capabilities). Providing load-balancing in both directions gives ZIServer a unique advantage in the areas of:

- Overall throughput
- Server failover and recovery – events in both directions are handled automatically within milliseconds
It has been certified by the A4L organization.
It supports incremental adoption; different models of ZIServer are available from Compact Edition (single small server) to large Enterprise Edition installations. Migrating from a smaller edition to a larger edition can be done without the loss of any information and can often be done without any downtime.

Typically, Enterprise Application Integration (EAI) software is referred to by terms such as "Point-to-Point" (P2P), "Enterprise Service Bus" (ESB) or "Hub and Spoke" (HAS). ZIServer falls somewhere in the category of a "Federated Hub-and-Spoke" model, providing all of its advantages without the disadvantages for which other EAI models are criticized. For more information, see: EAI Models

Auditing

ZIServer audits each message that is passed through it. The application maintains two “working databases” one for active messages and another for audits. They are separated so that the audits’ data can be stored on different storage from the active messages and also for performance reasons. It also stores different levels of audits The Administration utility has a convenient capability that allows administrators and designated users to be able to search through recently delivered messages and display their contents.

The Audits Interface

Some of the features of this interface are:

Columns can be sorted by clicking on the column header
Columns with a funnel icon in the column can be filtered
Data can be grouped by any column by dragging the column header to the gray bar above the column header bar
Message contents can be viewed by clicking on the message link at the end of any line
Message contents can be searched by using the "Search Message Contents" feature at the top of the page

This interface has been designed to work efficiently with hundreds of thousands to millions of audit records.

In addition, it is also user-account sensitive. If a zone administrator views this page, the audit records displayed will only be from agents in the zones that he or she is allowed to access. This works similarly with agent viewers.

The Audits Interface — Docking Messages

Normally when an audit message is viewed, it is displayed in a pop-up window. If the user drags that window to the side of the screen, it can be docked, and the audit list will be resized accordingly.

The Audits Interface — Viewing Multiple Messages

If multiple messages are viewed simultaneously, the message window can be dragged (see below) to join an existing message and form a tab-card collection of such windows.

Veracity

Veracity — Data Integrity Manager

XML data exchange specifications (such as SIF for the education market) enable applications to exchange data, so that once it is made available in one place, it can be put to good use everywhere else as well. In the process, valuable information from all sorts of applications crosses the interoperability "zone." We recognize this flow as an asset in and of itself, and we tap into it with Veracity.

The Repository and Data Quality Management

Veracity is our unique repository of exchanged, standardized objects. It leverages the infrastructure's event and request/response facilities to keep an up-to-date snapshot of the current status of all objects being exchanged. Once in Veracity, it doesn't matter whether the data came from a transportation system or a food services system, it is available from one place under one data schema.

Can you trust your data? Is it accurate and dependable?

When it comes to making decisions based on your district’s data, one of the biggest challenges to overcome is that of data integrity. Can you trust your data? Is it accurate and dependable?

One of the fundamental goals in data integrity management is to move the correction of data errors back to the source. In an education environment, for example, when census data is being prepared at a school district, the IT staff collects the data from the various systems in the school, matches up the records, cleans them, formats the result, and then submits it. This cycle is repeated several times during the school year. Many times the same error is corrected over and over because it gets fixed in the CSV file instead of the source system.

This is why we have created Veracity. The Veracity approach is the following:

Establish a common repository that always reflects the current state of the data in the source applications (Veracity).
Monitor the quality of the data by applying a set of rules and looking for problem areas.
Notify the owner of the data in question so that it can be corrected in the source application.
Use the data from the repository as the source for state reports, cross-application reports or as a feed into a data warehousing system.

By moving the correction of the problem back to the source of the error: Products

All applications in the zone benefit from the better-quality data.
The data is changed only once and in one place.
Your data becomes more reliable, giving you more confidence in decisions you make that results from the data's analysis.

See if you can rely on your data. The first thing to know is how close the quality of your data is to the standards defined by your organization.

Veracity’s rule set articulates your district’s data quality rules, applies them against data collected from the connected systems and shows you where your district’s data falls short.

These rules can be checked on a scheduled basis or in real time as data is published.

Viewing Errors in Data (Education Example)

	See How You Are Progressing This chart shows what types of errors you have and how they are distributed. If you click on the chart and hover over one of the slices, it tells you how many errors of that type there are. Clicking on the image will cause a full size image to open in a new window. Veracity requires that errors be corrected at their source, and it does not allow changes to be made in the repository. Instead, it provides a set of tools that help people track errors and correct them at the source, so that all other systems connected through the SIF interface can also benefit when they are corrected. The graph to the left gives users a sense of how the district’s data is improving over time. Clicking on the image will cause a full size image to open. Dismiss the full size image using the X at the top right. The different colors represent errors, warnings and other items of interest. If you click on this graph while using Veracity, it scrolls from side to side and, like the other graph, if you click and hover over a bar, it shows you the specific number of errors in a specific category. In this example, the data was checked several times. As the data was checked, errors were being corrected at the source until the last sample, where some new rules were introduced. These new rules caught additional errors in the source data.
	Seeing Error Details Seeing the details is also important. This screen allows you to view and drill down into the error details. This screen shows a summary of each rule that has been violated by data in your organization as well as how many records violate that rule. Clicking on the “View Records” link allows you to see student-level detail for a specific category.
	Seeing Student Details Clicking on the “View Detail” link allows you to drill down to the student detail level.
	Viewing Student Detail Record This student’s record violated rules: the birth date/school reasonableness and the school district age limit test rule. At the bottom of the screen, both rules are summarized. The specific wording for each of these rules can be modified by the Veracity administrator through this web interface to word them according to local policy definitions. NOTE: Student information used in these screen captures are for fictional student records randomly created from lists of popular last and first names. Any resemblance to real persons, living or dead, is purely coincidental. At the bottom of this screen (not shown) would be a summary of other rules that have also been violated by this record (there could be several problems with this record).

Defining Rules

Veracity helps you continuously monitor the quality of your organization's data by giving you an ability to simply define data integrity rules that will be run against the consolidated data in Veracity and point out to your staff where data needs to be corrected. It provides a simple configuration form to define rules such as "make sure every elementary school child who lives more than a half mile from school is on a bus route" or "make sure that every child has been assigned to at least one but not more than two schools".

Sets of rules can be established for different purposes. For example, you may want to run general student information checks on a daily basis while other, more detailed checks may only be appropriate once the "beginning of the school year crunch" has passed.

Rules are defined through a web interface (assuming that the user has administrative rights) using a process that typically takes only a few minutes per rule.

Data Quality Gateway

Overview

When an application’s input process is automated, and it begins to receive its input from a new source (not manually through its own , the subscribing application may start to exhibit “new behaviors.”

We found this out from our work with the special education community in the US. They began to receive data from an associated student management system, but typically, the data they already had was better quality than the new data they were receiving from the new source. They referred to the new automated data as “data pollution.” Situations like this occur wherever input is automated, but its effects can be mitigated. The way we addressed this challenge was through something we call a “Data Quality Gateway.”

Clean Zones

Veracity sets up two databases to store data collected from the schools, referred to as the “raw zone” and the “clean zone”. The raw zone stores data in the form received from the schools. The clean zone contains only data that has been tested and judged to be of good enough quality to be shared with other applications.

This is how it works: as the data arrives, Veracity checks it for validity against data quality policies defined by the ministry (implemented as business rules in Veracity). Data that passes all of the quality checks is immediately copied to the “clean zone” and becomes available for connected applications. Data that fails any of the tests is held in the “raw zone,” and the owner of the data is notified. A user interface is provided for that user to see where the errors are so that the errors can be corrected at their source. Once an error is corrected, the change comes through the SIF interface and the record is released to the clean zone, providing connected systems with up-to-date, usable information.

In the following diagram, the SMS applications represent the sources of information (Student Management Systems), and the Subscribing Application represents the place where an extraordinarily high level of quality is required (a much higher level than what is delivered by the SMS systems).

When a rule is set up at configuration time, there are several options available with respect to the gateway:

If the incoming message does not meet the requirements, notify the source of the data and do not pass the data to the subscribers.
If the incoming message does not meet the requirements, notify the source of the data and pass the data to the subscribers (warning only).
If a tested field causes the data to not meet requirements, notify the source of the data and do not pass the data to the subscribers.
If a tested field causes the data to not meet requirements, notify the source of the data and pass the record to the subscribers WITHOUT the tested field’s value.

The tests that are set up can involve any data in the incoming data record. Additionally, they can also test values in previously received data in this table or in other tables.

Veracity User Interface Appearance

Look and Feel

We have found that with many customers, the functionality that Veracity provides belongs on the desktop of those who regularly enter data into line of business applications. Many of these users are already likely to be logged into an organization-wide portal that provides other services needed during the day.

For this reason, we gave Veracity the ability to adopt the look and feel of almost any other website with a few simple steps (performed by an administrator) in a matter of a few hours. The Veracity user interface has about 30 different parts (page heading, footer, top of a table, table cell, etc.) – the things you would find on most portal sites. As it is being configured, an administrator views the source of a portal page, copies the style from it into Veracity and the user interface is transformed without coding. This allows the Veracity interface to then be embedded as part of the organization’s portal and look like it was always meant to be there.

Veracity Consolidated Data Access — Reporting

Using the Combined Data

At Visual Software, we understand that a school’s business is not the numbers and strings passed around from application to application, but what those data elements represent. You have data that describes how a child is doing, from discipline to grades to attendance. The problem is that there is just too much data for any human to keep track of and use effectively at the student level.

You may already have systems that give detailed reports to principals, guidance counselors and other staff members. But what happens when you take one line from three different reports, only to find out that the combined lines signal a problem, while none of lines raise any red flags on their own? For example, a particular student’s GPA may be dropping at the same time as their attendance is worsening and their discipline incidents are increasing. Any one of these factors viewed independently might not get much attention, but put together, they might signal a child “dropping off the edge.” If this information was maintained by different systems or if the information was not available in a consolidated report, that important indicator might be lost.

Veracity collects and combines information from whichever applications are publishing in a zone. Records from these different systems for common students, teachers, parents, and classes (groups) are automatically matched, allowing users to access its underlying database to create consolidated reports using tools such as SQL Reporting and Analysis Services.

Veracity Form Designer

In a system like this, especially when we create new industry specifications, the need for many forms arises – forms to display errors, search (and edit) data, and show detailed records for each type of object. This is what consumes an overwhelming amount of time for most companies trying to imitate what we do. We knew that this development would quickly make implementations like these unaffordable for those who need them most. So, we built a framework into Veracity to quickly add sets of forms with rich functionality for each new object we added to a new interoperability specification.

	The Form Designer For each object that will be quality-checked in an interoperability specification (such as SIF, HL7, etc.), a set of forms is needed by Veracity to display potential errors and allow users to browse through the consolidated data (if so desired). These include forms to: Display errors Enter search criteria (configured by user as not all fields are searchable) Show a list of search matches Show search results with any errors Edit records (optional) Delete records (optional) Manage attachments (optional) The optional forms above are for other applications (not the data quality checking described above). Once the forms have been created here, they are ready to be used in data quality rules. They can now be added to the navigation, allowing users to browse through objects of this type.
	The Object Search Screen For objects where Veracity customers want to provide users search (and optionally update) access to the combined data, a search facility will automatically be added to the interface. This happens only after a form for the object has been defined, and the object has been added into the navigation structure. Users can be restricted by scope (for example, US education users can be restricted by all state level data, school district level data or school level data only) or can be given access to all data. Searches can be specified by using natural language queries. For example, if the user is searching a date field, he or she could search using: “this year”, “ytd”, “1÷15÷2015−4÷2÷2016”, “4÷2017” or “before May 2013”. We tried to anticipate what our users might type when searching and implemented it, including what hackers might type and prevented it from doing anything. In this example, the user is searching for “Students” with the letters “jo” anywhere in their Last Name. If multiple strings are entered, it will search as if an “OR” were between them. (Logical operators such as AND, OR and NOT can be used in searches.)
	Search Results This screen shows the results from the previous search. The fields shown here were specified in the Form Designer’s “Display in Search Results” field. For a given field, if the value was set, the field will show in this form. At the beginning of each row is a link that allows the user to get to the details for this record.
	Record Detail This screen shows the detailed information for the selected student. NOTE: Student information used in these screen captures are for fictional student records randomly created from lists of popular last and first names. Any resemblance to real persons, living or dead, is purely coincidental. At the bottom of this screen (not shown) would be a summary of rules that have been violated by this record (there could be several problems with this record).

Mimic

Mimic — Interoperability Adapter for Legacy Applications

Mimic is an interface designed for certain types of applications that were never intended to be members of a connected zone. These applications contain needed information and can create comma delimited extract (often referred to as Comma Separated Values or CSV) files and have the ability to export them to a fixed location on a regular basis. Examples of applications like this might be:

Mainframe information systems
Excel^® spreadsheets
Small database files with line of business information
Locally developed applications
Applications where the supplier does not have an interest in sharing information – in which case, a connector like ZIAgent can be used to connect the application in real time and export its needed information to a CSV file

In designing Mimic, we knew that there was a need for something that would:

Support those "forgotten" applications
Be very simple to set up
Not require any assistance to run
Not be expensive to install and maintain

What Does Mimic Do?

Mimic looks at the extract file's contents and compares it against the file it looked at the last time it ran (the agent runs on a regularly scheduled basis).

If there are new records, it publishes "Add" events to the Zone.I If records have changed, it publishes "Change" events. If records are missing, it publishes "Delete" events. It also archives backup copies of the CSV files it has processed and audits any events it has generated.

Mimic responds to requests from other applications with appropriate response messages as would a ZIAgent connector from the application itself.

Mimic needs a supporting database (to keep track of what your file looked like last time and to keep track of its configuration information), and we chose a specific database family: Microsoft^® SQL Server^® (unlike our other products which will work with many different databases). We also chose a specific operating system platform: Microsoft Windows Server or Windows 10. In limiting these choices, we were able to make the configuration and deployment process simple and straightforward to further reduce the cost of supporting the platform.

How Does Mimic Differ from ZIAgent?

ZIAgent is a full-featured, configurable connector that works with any application, provider or subscriber. It handles incoming requests, events and anything else defined in the XML specification. It works with applications that use any type of database and offers a host of application interfaces. Mimic only provides objects and does not support inbound traffic (subscribers). For more information on ZIAgent, select the ZIAgent tab above.

How Does it Work?

Mimic's configuration/management is done through a wizard process that guides the user through a simple setup matching and job configuration process.

	When the application first opens, Mimic displays a list of objects configured for this installation. In this example, although there are over 120 objects that are available for configuring, this installation has only configured 3 so far, and it is about to configure a fourth. To see the complete list, press “Show All.”
	In the first step, the user browses to a sample CSV file containing data for the object being configured. This sample should be varied enough to cover most cases that will be encountered. Mimic will read this file and show the user the first few lines from the file. It will also learn whatever it can about the data from reading the file.
	The user is then asked which of the fields will be used from this input file.
	The user then has to choose one or more fields that can be used to create a unique identifier. Up to 9 fields may be selected.
	Then, fields need to be mapped – the application CSV file calls it “X” and the standard refers to it as “Y.” For example, in the CSV file, a field may be named “LastName”, while the XML standard refers to is as “FamilyName.”
	If a given field is linked to a field in another object, a “LOOKUP” button is displayed and the user is asked to map the fields in this file that correspond to the matching fields in the other file. For example, the field in this record refers to the “School District (LEA) Identifier” – this refers to the unique identifier of the “School District (LEA)” object. When all of the fields are mapped, the process is almost complete for this object.
	The last step in the process is scheduling how often this object’s files are to be processed. We provide separate schedules for every object because, for example, school district information doesn’t get updated very frequently, whereas student class enrollment information or assessment information would be updated much more frequently.
	This is an example of an audits screen. Complete audits are maintained for every message sent. This screen lets an administrator look through top-level information for all messages, then drill down if needed.

Two Editions

Visual Software has created two versions of Mimic:

Mimic Standard: This is aimed at a smaller, single location publisher. It publishes to a single zone using a single predefined XML specification.
Mimic Enterprise: This is similar to Mimic Standard, but it is aimed at organizations with many locations. It supports multiple, independent zones and it is implemented as a locally hosted service.

Dexterity

Dexterity — Remote Monitoring and Predictive Maintenance

The Problem — Simply Stated

Computers are very good at keeping lists of things that need to be done as well as when they need to be done. Computers have numerous sensors that can detect if the hardware is running normally or starting to fail. Computers can also be taught to gather information about the operating system (Windows), database systems, and important applications (such as your line of business systems) to make sure they are operating at peak efficiency.

For years, people have used these characteristics to build software to monitor environments, locally and remotely. When a problem is detected, the remote management software’s information is used to assign people to fix the issue.

That's where we were several years ago when we were asked to provide managed services for some of our larger customers. We used remote management software in their large environment, and it alerted us when there was an issue in one of the environments. One of the biggest issues we faced was that the root cause of the problem that needed fixing came so fast and strong (and most times unexpectedly) that by the time we could get to fixing it, the problem had escalated past the point where a simple solution was possible.

Some Examples When This Could / Does Happen

These are some examples where Dexterity would be or has been very effective:

Snow Days / Office Closed

For example, an education customer in a snowy region of the country collects attendance data from hundreds of school districts on a daily basis (one record/message per student, information is collected whether or not the child is in school).

A while back, they had a series of very snowy weather causing the entire state to be off from school for five days in a row. When school finally resumed, all schools sent all 6 days’ worth of attendance data at the same time, amounting to several million records in less than an hour.

Peak Periods

Peak Periods happen in any industry. In sales, a specific product or company may receive excellent press in the media or on a TV show or movie. Likewise, sales can be dramatically affected by law changes, requiring groups to purchase goods or services without advance notice. Sudden interest spikes demand. Increased web traffic, higher sales, and pressure to create and ship inventory all lead to potential server crashes.

Natural Disasters

Natural Disasters happen regularly across the world, often without warning. Just as a country and its people are affected by natural disasters, so too are businesses and companies.

When we consider businesses that ship products from one location to another, a disaster in a region of a country may interrupt the normal channels of product delivery for a few hours or even for months. A company may have to reroute product deliveries from one location to another. Sometimes this isn’t possible, so a new location to handle the new traffic of products is required. The new location would now be responsible for the shipping of its own usual amount of packages, as well as the new traffic from the rerouted products, all in an attempt to avoid downtime caused by a disaster. Once the storm has passed and repairs are underway, the demand for new products for these repairs will increase in order to bring the affected areas back up to working order.

As with the other examples, data traffic will increase for the locations responsible for shipping all these products, and the servers responsible for these demands can experience overloading which may result in system crashes that could cascade throughout the entire company.

Health-Related Emergencies

During disaster situations that would cause a greater influx of patients into hospitals, patient management systems can experience lag, causing errors in patient profiles. If systems aren’t performing at the level that they are expected to, there could be an increased risk of HIPAA violations during this time as well.

If a hospital is at maximum capacity, processes need to be put in place for diverting patients to the next closest hospital that is accommodated to care for those patients. For that to happen, these hospitals would need to be in sync in order to smoothly transition patients from one hospital to the other or to balance the patient load. The different data points being filled in these respective systems would also need to be able to handle the strain of doctors and nurses across an entire health network using the same system to input patient data that must be maintained at a highly accurate level.

If not, this could negatively affect health standards at these hospitals. It could also cause problems for the staff which their patients could end up paying for with their lives.

A More Realistic View

Issues like these cause trouble for most or all of your servers at the same time, requiring that they all be addressed at the same time. If they are fixed one by one, different results may happen:

The first server to be fixed could be automatically offloaded with all of the workload that can't be handled by the remaining servers, causing it to return to a failed state within a short period of time.
A fix applied to one server could begin a chain reaction that would make other servers more difficult to fix.
By the time the first server is fixed, the other servers may be past the point where relatively simple fixes will be effective.

An Enterprise Immune System

Dexterity is designed to be like an immune system for an enterprise.

First, on a regular basis, it performs many of the regular maintenance tasks normally done by administrators or scheduled scripts, plus several others that are specifically designed to maintain good performance of enterprise line of business applications.

On regular intervals, it samples the health of the system, looking for deviations from normal patterns of behavior. It checks log files, services, amounts of time the system has spent since the previous check performing certain activities, status of important system indicators and more. If it notices a behavior pattern emerging that indicates that periods of unusually high activity may be approaching, it accelerates the activities that would ensure good application performance to prevent problems such as running out of disk space, databases becoming less efficient, or tasks getting overloaded. If the pattern reverses (false alarm/rise in activity was only short-lived), the schedule of remediation returns to normal maintenance levels.

All of these things happen automatically moments after the behaviors change to all servers being impacted. With a typical remote monitoring/staff resolution scenario, it could take an hour or more to locate the source of the problem and mobilize staff to correct it. Additionally, once they know what the problem is, they will always have a disadvantage when the number of machines starting to fail exceeds the number of people working to resolve the issue.

Ipseity

Ipseity — Identity and Application Role Manager

Overview

Ipseity is an integrated application that:

Collects information about "objects" in your organization
Assigns and manages identifiers for those objects
Creates and manages Active Directory accounts (if the objects correspond to people who need access to computer resources)
Collects information and keeps track of other applications that run in the enterprise
Assigns and manages application roles in the applications and Active Directory account assignments to those roles (used to implement Single Sign-On)

Collecting Information

In medium to large enterprises, "keeping track" of things, whether they are people, books, tests, student enrollments, doctors or even trucks, can be a formidable task.

Modern enterprise-level, shared applications can have thousands to millions of users or other identified objects at hundreds to thousands of locations. Each connected application can have many roles and a single user can assume several of these roles in one or more applications.

For example, a Virtual Learning Environment (VLE) could be hosted at a regional service center that manages the application for 3,000 schools. In these schools, there are 1.8 million learners, 200,000 teachers and about 2 million parents that need access to the system.

Because each of the organizations have a line of business application that manages these objects (such as a Student or Patient Information System) and since that system is attached to a connected environment, Ipseity subscribes to the objects that contain the information needed to assign identifiers, creates accounts and assigns roles in applications. This information is fed into Ipseity automatically, and as changes are made, Ipseity receives them in real time.

Go to top

Assigning Identifiers

Wherever there are many objects of the same type, identifiers are needed. Whenever many objects of the same type are collected and managed from many different sources, globally unique identifiers are typically needed. Such is the case with people and Active Directory accounts, but similar needs exist for most managed objects that originate from many different source systems (trucks, books, hospital patients, weapons, etc.).

Ipseity has a built-in facility for assigning identifiers. This facility is able to use collected data as it arrives, and it can also assign identifiers according to business rules set up at the time of configuration. These rules:

First, test the data for quality and completeness.
If the data is complete, then use the configured "ID Format Rule" to create a new ID from existing data.
Test to see if the proposed ID is already in use.
Use fallback rules to create other proposed IDs until a unique ID can be assigned.
Notify connected applications about the assigned identifier.

Identifiers can be in the form of numbers, mixes of strings and numbers, formulas involving received data, or combinations of these.

Go to top

Managing Enterprise Active Directory

Continuing with our education example, Ipseity integrates connected applications by receiving normal events indicating that objects have been created. These objects include:

Personal demographics and information about where students attend
Personal demographics and job assignment information for teachers and other staff members
Information about related contacts (parents) who also need accounts, so they can access information about their children

Ipseity then uses that information to create identities and manage Active Directory objects as needed. As it creates AD accounts and groups, it has the ability to publish back to the zones and listening applications any of the objects conveying what the agent has done. This allows the listening applications to have enough information to automate Single Sign-on.

Ipseity also has the ability to subscribe other commonly published objects by line of business applications that provide more information about users who have accounts created for them.

For example, in education, data may automatically be received containing student information about schools they attend, courses they take, and sections of classes into which students are registered. Ipseity can use that information to create Active Directory groups, which can then be used to control access to applications associated with a school, a course or a section of a course.

Some of Ipseity's other features include:

Maintaining attribute stores in products such as Microsoft ADFS or Shibboleth
Discovering existing Active Directory accounts and groups to reorganize them to reflect the information stored in your line of business application and to create an Active Directory Organizational Unit Structure that reflects your organization's structure
Maintaining an internal database that reflects everything it controls in the domain: If the domain was ever lost or damaged, Ipseity could recreate it without human intervention from its internal database — with the exception of current passwords. Note: For security reasons, Ipseity does not store current user passwords in its database.
Managing home directories, file permissions, moves of directory structures, resetting of file permissions, etc.

Ipseity’s directory management features are business rule-based, so the possibilities are limited by what is reasonable to do taking into consideration the value in doing the operation and the time it takes to do the operation.

Go to top

Managing Enterprise Applications and Roles

In addition to managing the Active Directory, Ipseity manages role-based application access and stores all of its internal data in a format usable as an attribute store. Originally designed for use with the UK Shibboleth standard, then modified to also support OpenID (the standard used in Australia), Ipseity uses a “configurable database schema plus metadata” model for storing account and role attribute characteristics.

When Ipseity starts, it reads the metadata, learns the basic structure of the database and uses that structure internally from that point on. This design allows Ipseity to support federation systems such as ADFS or Shibboleth without modification to its core functionality.

Ipseity has its own user-level user interface; the screens a user is allowed to see depends on his or her role in the enterprise and what permissions he or she has for the Ipseity application itself. Ipseity administrators have the ability to manage applications and the roles within them. Everything else is constrained by the user’s account characteristics. (Is this person a district employee or a school employee? What position does she or he hold there?). The data viewed, the audits searched and the applications that can be configured will all be limited by where the user is based and what their role is with the Ipseity application.

Go to top

Provisioning User Roles in Applications

Typically, will have a provisioning interface administered either centrally or from each of the organization's locations wherever the application is installed. As with our Veracity product, Ipseity supports multiple levels of administration protection:

Global administrator- access to all levels and all applications
Regional administrator — state-level or other multi-location authority with permission to administer roles in applications that are available at each of those locations
Local administrator: authority over a single location and applications installed for use at that location

The Ipseity itself uses single sign-on and recognizes the logged-in user as one of the above types of users. It also uses Ipseity's configuration database to understand how the enterprise is structured and where applications are installed. Lastly, it accesses the information collected through the interoperability interface to understand who might have access to these applications.

The following are the steps an administrator would go through in assigning users (who have Active Directory accounts) to roles in applications:

ApplicationRoleScopePopulationsView UsersFilter, SortSelect UsersConfirmComplete

Step 1 — Choose Application to be Provisioned

Every application has its own user roles that differ depending on what the application does. For example, a Virtual Learning Environment might have roles for students, teachers, parents and administrators while a transportation system may have roles for dispatchers, drivers and administrators. Ipseity allows you to use person characteristics in your line of business application to determine which roles in the application are appropriately assigned.

So, the first step in provisioning is to choose the application to be provisioned.

Click on the screen image for a larger view…

Step 2 — Choose Application Role

Each application has a unique set of roles defined based on the functionality of the application. In Step 1, we chose the Virtual Learning Environment which has defined roles for Students, Parents, Teachers and Administrators.

In Step 2, choose the role associated with this application that is to be provisioned. In this example, we choose to provision a Learner role in the Virtual Learning Environment.

Click on the screen image for a larger view…

Step 3 — Choose Locations (Scope)

In this step, we choose at which locations the application will be available from the complete list the user has access to. In this case, we are set up for a UK school environment, so a list of schools is displayed, and we can select the schools that will have access to this application.

Note: Student information used in these screen captures are for fictional student records randomly created from lists of popular last and first names. Any resemblance to real persons, living or dead, is purely coincidental.