Envase Identity Manager
=============================================================================

The |im| service provides a set of APIs to manage |orgs|, |tms|, and |usrs|
with access to the |env| ecosystem of products. It also provides the means to
authenticate and authorize external applications to access information from
those products.

External applications will rarely require access to the |im| API. Instead,
they will :doc:`authenticate ` their application and users and gain
permission to access other |en| services and APIs.

The |im| service provides a `REST API <./openapi>`_ targeted to internal |en|
services and applications. It allows those applications and services to
manage |orgs| (|en| customers), |tms| associated with those |orgs|, and
|usrs| with access to the applications and services.

Overview
-----------------------------------------------------------------------------

The main concern of the |im| service is to protect customer data, ensuring
that only the right applications, services, and users have access to such
data. The service controls access by providing a set of resources that
represent those entities and the associations between them. You need to
understand those resources and their associations to understand how the
service works.

The |im| service provides the concept of an |org|. An |org| represents an
|en| customer. This customer can be a company, entity, or individual that
uses |en| products. Customers using |en| applications and services should
register an organization with the |im| service, so that their data can be
protected.

The |orgs| registered with the |im| service will have individual employees
or partners to whom the |org| will want to provide access to its data. These
individuals will be required to have a |usr| account registered with the
|im| service.

.. important::

   The |im| service provides the necessary relationships to ensure that each
   individual |usr| has only one account registered in the system. When a
   user requires access to data from multiple |orgs| or |tms|, the
   associations can be created to ensure that the user only manages one
   individual account.

The final concept the |im| service provides is that of a |tms|. |en|
customers can choose among the different |en| TMS products. These TMS
products should be associated with their accounts to ensure that only the
right applications, services, and individuals can access the data from them.
The |im| service provides the concept of a |tms| that can be associated with
an |org|. The |oa| can then associate |usrs| with the |tms| to enable access
for those |usrs| to the data.

The following diagram shows the different entities managed through the |im|
service and their relationships:

.. image:: /_static/im_relationships.png

The diagram shows how **Fast Transportation**, an |en| customer, has two TMS
applications registered. The company uses Profit Tools for some of their
work and Envase TMS for other work. The Fast Transportation |org| has been
registered with the |im| service, and both |tms| have been associated with
it.

You can also see that Fast Transportation has multiple employees. The
employees in **Users A** have been given access to the Envase TMS, whereas
the employees in **Users B** have access to the Profit Tools |tms|.
Employees in **Users C** have access to both |tms|.

.. important::

   Although users seem to be depicted as part of a group, there is no concept
   of a group in the |im| service. You can think of group access as being
   controlled at the |tms| level.

The diagram above also shows the **Reliable Carrier** company, which is a
partner of **Fast Transportation**. Reliable Carrier does not manage a TMS,
but they have been given access to the Envase TMS instance of Fast
Transportation. Reliable Carrier has two sets of employees. The employees in
**Users D** have access to the Envase TMS instance owned by Fast
Transportation. The employees in **Users E** do not have access to any TMS,
and they don't need to register an account with the |im| service.

This model allows **Fast Transportation** to control access to their
information at the |tms| and |usr| level. It also allows **Reliable
Carrier** to define which employees will work with Fast Transportation.

Learn More
-----------------------------------------------------------------------------

The different sections in this guide provide in-depth information about the
|im| service. Check the sections that match how you plan to use the service.

For |en| **development partners** working on external applications, you will
want to check the |authentication| topic in this guide. You should also
check the information on the |gw|_ documentation, as well as the information
related to the |coreapi|_ and its `specification `_.

If you are an |en| **tech-support** specialist, you should check the
|im-tech-guide| for information on how to create and manage customer
accounts and other information.

|en| internal development teams should check the |im-dev-guide| for more
information about integrating their applications and services with the |im|
service.

.. toctree::
   :caption: Next Topics
   :maxdepth: 1

   identity/im-authentication
   identity/im-tech-guide
   identity/im-dev-guide
   identity/im-use-cases
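
The relationships described in the Overview, as an added illustration that is not part of the Identity Manager service or its API: a toy in-memory model showing that access comes only from an explicit user-to-TMS association, never from the user's employer, and that a second account for the same individual is rejected. The class, its method names and the e-mail-style logins are hypothetical, and Reliable Carrier is assumed to be registered as an organization.

```python
"""Toy model of the Overview's entities (hypothetical names, not the service API)."""
from dataclasses import dataclass, field


@dataclass
class Directory:
    orgs: set = field(default_factory=set)
    tms_owner: dict = field(default_factory=dict)  # TMS name -> owning organization
    users: dict = field(default_factory=dict)      # login -> employer organization
    grants: set = field(default_factory=set)       # (login, TMS name) associations

    def add_org(self, org):
        self.orgs.add(org)

    def add_tms(self, tms, owner):
        if owner not in self.orgs:
            raise ValueError(f"unknown organization: {owner}")
        self.tms_owner[tms] = owner

    def add_user(self, login, employer):
        # One account per individual: a second registration is rejected;
        # extra access is expressed as additional associations instead.
        if login in self.users:
            raise ValueError(f"account already exists: {login}")
        self.users[login] = employer

    def associate(self, login, tms):
        if login not in self.users or tms not in self.tms_owner:
            raise ValueError("both the user and the TMS must be registered")
        self.grants.add((login, tms))

    def can_access(self, login, tms):
        # Default deny: only an explicit user-to-TMS association grants access.
        return (login, tms) in self.grants


def build_example():
    """Constructed sample data mirroring the diagram's Users A to D."""
    d = Directory()
    d.add_org("Fast Transportation")
    d.add_org("Reliable Carrier")  # assumption: the partner is a registered org
    d.add_tms("Envase TMS", "Fast Transportation")
    d.add_tms("Profit Tools", "Fast Transportation")
    for login, employer, tms_list in [
        ("a@fast.example", "Fast Transportation", ["Envase TMS"]),
        ("b@fast.example", "Fast Transportation", ["Profit Tools"]),
        ("c@fast.example", "Fast Transportation", ["Envase TMS", "Profit Tools"]),
        ("d@reliable.example", "Reliable Carrier", ["Envase TMS"]),
    ]:
        d.add_user(login, employer)
        for tms in tms_list:
            d.associate(login, tms)
    return d
```

A login that was never registered, such as one for an employee in Users E, is denied by ``can_access`` without needing an account at all.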