• 532 Durham Rd., Newtown PA USA
  • Info@visualsi.com
  • Office Hours: 8:00 AM – 5:30PM (Eastern US)

What It Does

Ipseity is an integrated application that:

  • Collects information about “objects” in your organization
  • Assigns and manages identifiers for those objects
  • Creates and manages Active Directory accounts (if the objects correspond to people who need access to computer resources)
  • Collects information and keeps track of other applications that run in the enterprise
  • Assigns and manages application roles in the applications and Active Directory account assignments to those roles (used to implement Single Sign-On)

 

Collecting Information
In medium to large enterprises, “keeping track” of things, whether they are people, books, tests, student enrollments, doctors or even trucks, can be a formidable task.

Modern enterprise-level, shared applications can have thousands to millions of users or other identified objects at hundreds to thousands of locations. Each connected application can have many roles and a single user can assume several of these roles in one or more applications.

For example, a Virtual Learning Environment (VLE) could be hosted at a regional service center that manages the application for 3,000 schools. In these schools, there are 1.8 million learners, 200,000 teachers and about 2 million parents that need access to the system.

Because each organization has a line-of-business application that manages these objects (such as a Student or Patient Information System), and because that system is attached to a connected environment, Ipseity subscribes to the objects that carry the information needed to assign identifiers, create accounts and assign roles in applications. This information is fed into Ipseity automatically, and as changes are made, Ipseity receives them in real time.

Assigning Identifiers
Wherever there are many objects of the same type, identifiers are needed. Whenever many objects of the same type are collected and managed from many different sources, globally unique identifiers are typically needed. Such is the case with people and Active Directory accounts, but similar needs exist for most managed objects that originate from many different source systems (trucks, books, hospital patients, weapons, etc.).

Ipseity has a built-in facility for assigning identifiers. This facility is able to use collected data as it arrives, and it can also assign identifiers according to business rules set up at the time of configuration. These rules:

  • First, test the data for quality and completeness.
  • If the data is complete, then use the configured “ID Format Rule” to create a new ID from existing data.
  • Test to see if the proposed ID is already in use.
  • Use fallback rules to create other proposed IDs until a unique ID can be assigned.
  • Notify connected applications about the assigned identifier.

Identifiers can be in the form of numbers, mixes of strings and numbers, formulas involving received data, or combinations of these.
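As an added illustration of the rule sequence above (not Ipseity's own code or configuration format), the following Python sketches an identifier assigner: it checks the record for completeness, renders a configured format rule, falls back to further rules until an unused identifier is found, and records a notification event for connected applications. The `{field:width}` rule mini-language, the field names, the 99-attempt sequence limit and the sample records are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Fields a record must carry before any identifier is generated (assumed for this example).
REQUIRED = ("first_name", "last_name", "birth_year")

# Rule mini-language assumed here: {field} inserts a cleaned field value, {field:3} its first
# three characters, {field:-2} its last two, and {seq:2} a zero-padded sequence number.
PART_RE = re.compile(r"\{(\w+)(?::(-?\d+))?\}")


def check_quality(record):
    """Rule step 1: test the data for quality and completeness. An empty list means the record passes."""
    problems = [f"missing {key}" for key in REQUIRED if not str(record.get(key) or "").strip()]
    year = str(record.get("birth_year") or "").strip()
    if year and not re.fullmatch(r"\d{4}", year):
        problems.append("birth_year is not a four-digit year")
    return problems


def render(rule, record, seq):
    """Rule step 2: build a proposed ID from existing data according to a format rule."""
    def part(match):
        name, width = match.group(1), match.group(2)
        width = int(width) if width is not None else None
        if name == "seq":
            return str(seq).zfill(abs(width)) if width else str(seq)
        value = re.sub(r"[^A-Za-z0-9]", "", str(record[name])).upper()  # letters and digits only
        if width is None:
            return value
        return value[:width] if width > 0 else value[width:]
    return PART_RE.sub(part, rule)


@dataclass
class IdAssigner:
    primary_rule: str
    fallback_rules: list
    in_use: set = field(default_factory=set)    # identifiers already assigned anywhere in the enterprise
    events: list = field(default_factory=list)  # notifications queued for connected applications

    def assign(self, record):
        """Returns (identifier, problems). No identifier is assigned while problems remain."""
        problems = check_quality(record)
        if problems:
            return None, problems
        for rule in [self.primary_rule, *self.fallback_rules]:
            for seq in range(1, 100):
                candidate = render(rule, record, seq)
                if candidate not in self.in_use:               # rule step 3: uniqueness test
                    self.in_use.add(candidate)
                    # rule step 5: tell connected applications which identifier was assigned
                    self.events.append({"event": "IdentifierAssigned", "id": candidate, "rule": rule})
                    return candidate, []
                if "{seq" not in rule:
                    break  # a rule without a sequence part proposes one value only; try the next rule
        return None, ["no unique identifier could be produced from the configured rules"]


if __name__ == "__main__":
    assigner = IdAssigner("{last_name:3}{first_name:1}{birth_year:-2}",
                          ["{last_name:3}{first_name:1}{birth_year:-2}{seq:2}"])
    print(assigner.assign({"first_name": "Ann", "last_name": "Smith", "birth_year": 2011}))
    print(assigner.assign({"first_name": "Amy", "last_name": "Smithson", "birth_year": 2011}))
```

The primary rule here produces `SMIA11` for the first record; the second record collides on the same value, so the fallback rule with a sequence part yields `SMIA1101`. A record that fails the quality check gets no identifier at all, which keeps bad source data from being turned into a permanent identifier.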


Managing Enterprise Active Directory
Continuing with our education example, Ipseity integrates connected applications by receiving normal events indicating that objects have been created. These objects include:
  • Personal demographics and information about where students attend
  • Personal demographics and job assignment information for teachers and other staff members
  • Information about related contacts (parents) who also need accounts, so they can access information about their children

Ipseity then uses that information to create identities and manage Active Directory objects as needed. As it creates AD accounts and groups, it can publish back to the zones and listening applications objects describing what the agent has done, which gives those applications enough information to automate Single Sign-On.

Ipseity can also subscribe to other objects commonly published by line-of-business applications, which provide more information about the users for whom accounts have been created.

For example, in education, data may automatically be received containing student information about schools they attend, courses they take, and sections of classes into which students are registered. Ipseity can use that information to create Active Directory groups, which can then be used to control access to applications associated with a school, a course or a section of a course.
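The following Python is an added example, not Ipseity's code, of deriving school, course and section groups from enrollment records and reconciling a directory snapshot against them. The record fields, the group naming scheme and the in-memory snapshot are assumptions standing in for the line-of-business feed and Active Directory; what it shows is that the reconciler computes an explicit add/remove plan and never touches groups it did not derive itself.

```python
from collections import defaultdict

# Managed-group naming scheme assumed for this example; groups with these prefixes are the
# only ones the reconciler will create, change or delete.
MANAGED_PREFIXES = ("School-", "Course-", "Section-")

# Constructed sample enrollment records (a hypothetical feed from a student information system).
ENROLLMENTS = [
    {"account": "SMIA11", "school": "Elm", "course": "Maths", "section": "1A"},
    {"account": "JONB10", "school": "Elm", "course": "Maths", "section": "1B"},
    {"account": "LEEC10", "school": "Oak", "course": "Science", "section": "2A"},
]


def desired_groups(enrollments):
    """Derive the group memberships the directory should have from the enrollment feed:
    one group per school, one per course within a school, one per section within a course."""
    groups = defaultdict(set)
    for e in enrollments:
        names = (f"School-{e['school']}",
                 f"Course-{e['school']}-{e['course']}",
                 f"Section-{e['school']}-{e['course']}-{e['section']}")
        for name in names:
            groups[name].add(e["account"])
    return dict(groups)


def plan(current, desired):
    """Diff a snapshot of current group memberships against the desired state and return an
    ordered list of (action, group, member) tuples. Groups that are not managed (not derived
    from enrollment data) are never touched, whatever the snapshot contains."""
    actions = []
    for name, members in sorted(desired.items()):
        have = current.get(name, set())
        if name not in current:
            actions.append(("create_group", name, None))
        for member in sorted(members - have):
            actions.append(("add_member", name, member))
        for member in sorted(have - members):          # e.g. a student who changed section
            actions.append(("remove_member", name, member))
    for name in sorted(set(current) - set(desired)):
        if name.startswith(MANAGED_PREFIXES):          # a managed group no enrollment produces any more
            actions.append(("delete_group", name, None))
    return actions


def apply_plan(current, actions):
    """Apply a plan to an in-memory snapshot; stands in for the directory write calls."""
    state = {name: set(members) for name, members in current.items()}
    for action, name, member in actions:
        if action == "create_group":
            state.setdefault(name, set())
        elif action == "add_member":
            state[name].add(member)
        elif action == "remove_member":
            state[name].discard(member)
        elif action == "delete_group":
            state.pop(name, None)
    return state


if __name__ == "__main__":
    # Constructed snapshot: one stale member, one orphaned section group, one unmanaged group.
    snapshot = {"School-Elm": {"SMIA11", "OLDX99"}, "Section-Elm-Maths-9Z": set(), "Domain Admins": {"admin"}}
    for step in plan(snapshot, desired_groups(ENROLLMENTS)):
        print(step)
```

Running the plan twice is a useful check: after `apply_plan` the second `plan` against the same desired state is empty, so a re-run after a feed outage changes nothing, and the unmanaged `Domain Admins` group is left as it was.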

Some of Ipseity’s other features include:

  • Maintaining attribute stores in products such as Microsoft ADFS or Shibboleth
  • Discovering existing Active Directory accounts and groups to reorganize them to reflect the information stored in your line of business application and to create an Active Directory Organizational Unit Structure that reflects your organization’s structure
  • Maintaining an internal database that reflects everything it controls in the domain: If the domain was ever lost or damaged, Ipseity could recreate it without human intervention from its internal database – with the exception of current passwords. Note: For security reasons, Ipseity does not store current user passwords in its database.
  • Managing home directories, file permissions, moves of directory structures, resetting of file permissions, etc.

Ipseity’s directory management features are business rule-based, so the possibilities are limited only by what is reasonable to do, weighing the value of an operation against the time it takes to perform it.


Managing Enterprise Applications and Roles

In addition to managing the Active Directory, Ipseity manages role-based application access and stores all of its internal data in a format usable as an attribute store. Originally designed for use with the UK Shibboleth standard, then modified to also support OpenID (the standard used in Australia), Ipseity uses a “configurable database schema plus metadata” model for storing account and role attribute characteristics.

When Ipseity starts, it reads the metadata, learns the basic structure of the database and uses that structure internally from that point on. This design allows Ipseity to support federation systems such as ADFS or Shibboleth without modification to its core functionality.

Ipseity has its own user-level interface; the screens a user is allowed to see depend on his or her role in the enterprise and on the permissions he or she holds for the Ipseity application itself. Ipseity administrators can manage applications and the roles within them. Everything else is constrained by the user’s account characteristics (Is this person a district employee or a school employee? What position does she or he hold there?). The data viewed, the audits searched and the applications that can be configured are all limited by where the user is based and what their role is within the Ipseity application.


Provisioning User Roles in Applications

Typically, an application will have a provisioning interface administered either centrally or from each of the organization’s locations where the application is installed. As with our Veracity product, Ipseity supports multiple levels of administration protection:

  • Global administrator – access to all levels and all applications
  • Regional administrator – state-level or other multi-location authority with permission to administer roles in applications that are available at each of those locations
  • Local administrator – authority over a single location and the applications installed for use at that location

Ipseity itself uses single sign-on and recognizes the logged-in user as one of the above types of administrator. It also uses Ipseity’s configuration database to understand how the enterprise is structured and where applications are installed. Lastly, it accesses the information collected through the interoperability interface to understand who might be eligible for access to these applications.

The following are the steps an administrator would go through in assigning users (who have Active Directory accounts) to roles in applications:

Wizard steps: Application → Roles → Locations → Populations → Users → Filters → Confirm Users → Review → Complete

[Screenshot: Setup1 - Ipseity - Identity and Directory Manager]

Step 1 – Choose Application to be Provisioned

Every application has its own user roles that differ depending on what the application does. For example, a Virtual Learning Environment might have roles for students, teachers, parents and administrators while a transportation system may have roles for dispatchers, drivers and administrators. Ipseity allows you to use person characteristics in your line of business application to determine which roles in the application are appropriately assigned.

So, the first step in provisioning is to choose the application to be provisioned.


[Screenshot: Setup2 - Ipseity - Identity and Directory Manager]

Step 2 – Choose Application Role

Each application has a unique set of roles defined based on the functionality of the application. In Step 1, we chose the Virtual Learning Environment which has defined roles for Students, Parents, Teachers and Administrators.

In Step 2, choose the role associated with this application that is to be provisioned. In this example, we choose to provision a Learner role in the Virtual Learning Environment.


[Screenshot: Setup3 - Ipseity - Identity and Directory Manager]

Step 3 – Choose Locations (Scope)

In this step, we choose, from the complete list of locations the user has access to, the locations at which the application will be available. In this case, we are set up for a UK school environment, so a list of schools is displayed, and we can select the schools that will have access to this application.

Note: The student information shown in these screen captures consists of fictional student records randomly created from lists of popular last and first names. Any resemblance to real persons, living or dead, is purely coincidental.


[Screenshot: Setup4 - Ipseity - Identity and Directory Manager]

Step 4 – Choose Populations

In this step, we narrow down the potential account population by characteristics of the different types of users. Again, this is taken from an education example where students are most often differentiated by grade level, teachers by title, and other contacts by a relationship type recorded in their demographic information.

In our example, this Virtual Learning Environment is to be used by students in grades 1-6. We may also choose to select parents from the second list (not doctors or siblings) and teachers from the third list (not business managers or cleaners). By choosing these classifications and pressing ‘Next’, the list of accounts we receive back will likely be close to the actual list we want.


[Screenshot: Setup5 - Ipseity - Identity and Directory Manager]

Step 5 – View Users

On this screen, we see the list of people from the collected data who match the location and other criteria we specified. This is a list of potential users for the specified role in this application.

We may or may not want to assign all of them to this role – this is just a list of potential users. In order to narrow down the list even further, we now have several other controls as shown on the next screen.


[Screenshot: Setup6 - Ipseity - Identity and Directory Manager]

Step 5a – Filter, Sort

In order to narrow down the list further, two things can be done with the black column headers:

  • The column header can be dragged to the gray bar above it. This will cause the contents of the grid to be sorted by that column.
  • At the right end of the column heading, there is a funnel icon. If you press it, a “filter” panel is displayed. Using this allows you to filter the values in this column.


[Screenshot: Setup10 - Ipseity - Identity and Directory Manager]

Step 5b – Select Users

When the list of users to be assigned to a role in the application has been selected, the ‘Next’ button becomes available. Clicking on it will move you to the next screen for review and confirmation.

Note: On the right side of the window are summary boxes showing how many items were selected at each step. If you want to go back, you can simply click on one of these boxes, and you will be directed back to that step. Keep in mind, if you do this, you will need to redo all of the steps following the one you chose.


[Screenshot: Setup11 - Ipseity - Identity and Directory Manager]

Step 6 – Review and Confirm

Once you arrive at this screen, you can take one final look through the data (and go back and make changes if you need to), then press ‘Finish’ to make the assignments.


[Screenshot: Setup12 - Ipseity - Identity and Directory Manager]

Step 6a – Complete

Once the process has finished, you will be given a confirmation that the work is complete.

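The wizard above, reduced to the data flow it implements, as an added Python example (not Ipseity's code): the administrator's level limits the locations offered in Step 3, the population criteria of Step 4 narrow the candidates, and the confirmation in Step 6 accepts only accounts that were in that candidate list. The three administrator levels are the ones listed earlier on this page; the record fields, the region-to-school map and the sample people are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data for this example (hypothetical, not Ipseity's schema).
LOCATIONS = {"Elm": "North", "Oak": "North", "Ash": "South"}   # school -> region

PEOPLE = [
    {"account": "SMIA11", "kind": "student", "school": "Elm", "grade": 3},
    {"account": "JONB10", "kind": "student", "school": "Elm", "grade": 9},
    {"account": "LEEC10", "kind": "student", "school": "Ash", "grade": 2},
    {"account": "WHIT01", "kind": "teacher", "school": "Elm", "title": "Teacher"},
    {"account": "CLEA01", "kind": "teacher", "school": "Elm", "title": "Cleaner"},
    {"account": "PARM01", "kind": "contact", "school": "Elm", "relationship": "Parent"},
    {"account": "DOCT01", "kind": "contact", "school": "Elm", "relationship": "Doctor"},
]


@dataclass(frozen=True)
class Admin:
    name: str
    level: str          # "global", "regional" or "local": the three levels described on this page
    scope: str = ""     # region name for a regional admin, school name for a local admin


def allowed_locations(admin):
    """Step 3: only locations the administrator is authorised for are ever offered."""
    if admin.level == "global":
        return set(LOCATIONS)
    if admin.level == "regional":
        return {school for school, region in LOCATIONS.items() if region == admin.scope}
    if admin.level == "local" and admin.scope in LOCATIONS:
        return {admin.scope}
    return set()


@dataclass(frozen=True)
class Population:
    """Step 4 criteria: which kinds of people qualify for the role being provisioned."""
    grades: range = range(0)                        # student grade levels, e.g. range(1, 7) for grades 1-6
    teacher_titles: frozenset = frozenset()         # staff job titles that qualify
    contact_relationships: frozenset = frozenset()  # contact types that qualify, e.g. {"Parent"}

    def matches(self, person):
        kind = person.get("kind")
        if kind == "student":
            return person.get("grade") in self.grades
        if kind == "teacher":
            return person.get("title") in self.teacher_titles
        if kind == "contact":
            return person.get("relationship") in self.contact_relationships
        return False


def candidate_users(admin, requested_locations, population, people=PEOPLE):
    """Steps 3-5: drop locations outside the admin's scope, then filter by population.
    Returns (sorted candidate accounts, locations that were refused)."""
    permitted = allowed_locations(admin)
    requested = set(requested_locations)
    refused = sorted(requested - permitted)
    scope = requested & permitted
    candidates = sorted(p["account"] for p in people
                        if p["school"] in scope and population.matches(p))
    return candidates, refused


def provision(admin, application, role, requested_locations, population, chosen, people=PEOPLE):
    """Step 6: confirm the chosen accounts. Anything not in the candidate list is refused, so an
    administrator cannot assign a role outside their scope by editing the selection."""
    candidates, refused = candidate_users(admin, requested_locations, population, people)
    outside = sorted(set(chosen) - set(candidates))
    if outside:
        raise PermissionError(f"{admin.name} may not assign {outside} to {application}/{role}")
    assignments = [{"application": application, "role": role, "account": a} for a in sorted(chosen)]
    audit = {"by": admin.name, "application": application, "role": role,
             "refused_locations": refused, "assigned": len(assignments)}
    return assignments, audit


if __name__ == "__main__":
    learners = Population(grades=range(1, 7))
    local_admin = Admin("ms.green", "local", "Elm")
    print(candidate_users(local_admin, ["Elm", "Ash"], learners))
    print(provision(local_admin, "VLE", "Learner", ["Elm"], learners, ["SMIA11"]))
```

The scope check is applied on the server side of the wizard, not only by hiding locations in the UI: a local administrator at Elm who submits Ash in the location list has that location silently dropped and recorded in the audit entry, and a confirmation naming an account that never appeared in the candidate list is rejected outright.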