The ISIC Platform is the core system behind ISIC services worldwide, federating operations of local issuers into a single global ecosystem through a rich set of APIs. It comprises more than 10 modular services covering the full lifecycle of ISIC cards and Virtual IDs, a global database of benefits and their redemption, and more. At its center is the ISIC Hub, a unified back-office interface enabling consistent operations, data management, and oversight across all issuers.
The main challenge: clear rules for a global network
Each issuer organization operates as an independent entity serving its own territory, with its own user base, internal organizational hierarchy, and data. It was therefore necessary to ensure that:
- each organization could work only with its own data;
- permissions reflected the organization type and the user’s role;
- administration remained simple even in a complex environment;
- authorized super-administrators had centralized control where needed;
- the entire solution met strict requirements for security and sensitive personal data protection.
The solution: centralized identity management in Organization Manager
The core of the solution is a dedicated Organization Manager component, complemented by centralized Single Sign-On based on CAS. The platform unifies authentication and enables granular control over who can access what, where, and under which conditions.
Key solution features
- hierarchical organization management supporting multi-level parent-child relationships;
- Identity Management for personal user accounts and non-personal application or service accounts;
- hierarchical role management with user roles grouped into organizational roles for easier administration;
- RBAC-based access control driven by granular role-permission assignments;
- ABAC-based data ownership isolation respecting the organizational hierarchy, with ownership violation permissions enabling global administrators to bypass data ownership restrictions when required;
- centralized permission and authorization resolution across the organizational hierarchy;
- organization self-service for delegated administration of personnel and access within their permitted feature set, from back-office tools to points of sale;
- user self-service including password changes and resets, and personal data updates;
- comprehensive auditing and logging, including request tracing enriched with user context.
“Working with Orchitech allowed us to turn a highly complex security challenge into something that simply works. The solution fits naturally into our daily
operations and gives our teams confidence that access is handled consistently, securely, and without unnecessary friction. It has enabled us to grow and evolve our platform without having to constantly rethink our identity foundations.”
— Radek Klein, IT Manager, ISIC Association
Outcomes
Orchitech helped ISIC build a customizable, independent Identity platform designed to meet the highly specific needs of its distributed global model.
The solution delivered:
- seamless access control fully integrated into day-to-day operations;
- a flexible, reliable, and configurable architecture tailored to ISIC’s requirements;
- highly granular access control, governing both feature-level access and data ownership in full regulatory compliance;
- complete control and independence over a critical security component.
Dopad řešení je vidět i na rozsahu provozu:
- 800+ active organizations
- 1,200+ active user accounts
- 600+ active technical application accounts
- 100s of integrated applications
- ~500 daily logins
- 80+ roles
- 35,000+ role assignments
- 2,500,000 daily authenticated API requests
“What we value most is the long-term stability and the quality of collaboration. The platform has proven to be reliable over many years, while still allowing gradual improvements as our needs change. Orchitech understands our business context and delivers solutions that are practical, resilient, and designed for the long run.”
— Radek Klein, IT Manager, ISIC Association
