Bridging the gap to Fusion through our PeopleSoft Solutions Extenders
Grey Sparling PeopleSoft Expert's Corner

Friday, May 02, 2008

Sharing reports across 2 PeopleSoft environments, keeping drilldown working

This came as a comment from the following posting, and I felt that it deserved its own blog entry.

The exact question is as follows:

What would be the best approach to share reports between two PeopleSoft environments, considering we use drill down extensively?

Background

This is an extremely good question, and it brings back memories of some of the discussions we had when updating the report repository in PeopleTools 8.40. Therefore, it makes sense to talk a bit about the history of the report repository as a starting point.

Prior to PeopleTools 8.0

Prior to PeopleTools 8.0, the report repository did not exist. Customers would run reports either locally using the client/server tools (PSQED.EXE, PSNVS.EXE, PSSQR.EXE, CRW32.EXE), or on the process scheduler server. The reports would either be viewed with online viewers (when using the client/server tools), or saved in the file system accessible to the process scheduler server. Users would then access the files using network shares (and secured using network security).

PeopleTools 8.13

PeopleTools 8.13 represents the first release where we had a report repository and report manager. At the time, it was architected to work with only one system, and would not actually authenticate the user accessing a report (it would create an RBAN that was impossible to guess as the identifier of the report --- for those geeks out there, RBAN stands for Really Big Alpha-Numeric). Other limitations included the lack of folders for categorizing reports in the user interface.

PeopleTools 8.40

One of the main projects in PeopleTools 8.40 was to extend report manager to address some of its limitations. One of the primary use cases was to make it easier for users of nVision to utilize it. Here is a synopsis of some of the features that went into that release:

  • Folders, so that reports could have some level of categorization.
  • Support for cross-system report lists
  • Improved security over accessing reports (thus eliminating the infamous RBAN).

The designs for this release pulled together all the requirements into one solution. Because foldering and cross-system access required additional data and infrastructure, it was decided to leverage integration broker for both (and the PSRF application messages were born). The report manager pages were reorganized, including two additional pages added to report manager that utilize the information published and subscribed by these new messages.

  • The List tab is a standard search page against cross-system data and the first level of foldering.
  • The Explorer tab is a tree view over the foldering metadata attached to the reports.
  • Finally, the old report manager page was renamed to "Administration", so that you could access reports on the local system, even if integration broker wasn't working in your environment.

About Deployment Strategies

Okay, now that we have some of the background covered, let's go into a little more detail about how the cross-system report access was intended to work (because we leverage the same concepts in our Report Explorer product).

Notification versus Ownership

The key to understanding deployment options is to understand that conceptually we are separating report notification from report ownership. In other words, a report is always owned by the system that generated it. Ownership means that the system continues to secure and grant access to the report, and any actions taken when viewing that report are specific to the system that generated the report (more on this later). This also means that any means of aggregating the list of reports and/or notifying end-users of those reports (with links back) is just that: a list of reports with links to access them in place.

For a product like nVision, where you need to drill, the information needed to do the drilling is embedded directly in the report from the system running the nVision report. There's actually PeopleCode that embeds this information as a parameter on the command line. This means that regardless of how you open the nVision report, it will go back to the system that ran the report to perform the drill (which is exactly what you would want it to do). This works the same way if you use one of the drilling techniques discussed in the following blog entry. Because the local system is running and managing the report, you don't have to worry about it if you use the PSRF integration broker messages as a means of pulling it together. Even if you physically move the reports to a new location, the metadata needed to drill contains the URL to access the system it was generated from (but if you delete the report from the report repository after you move it, you will prevent the drilling from occurring because the process scheduler won't be able to find it).

So, the simple answer is that because the system that ran the report also puts in the additional drilling metadata (including the URLs to access the system), drilling will continue to work even if you copy or aggregate the links to access the reports elsewhere.


Tuesday, April 29, 2008

Oracle completes acquisition of BEA

In honor of Oracle finally completing the BEA acquisition, I asked one of my old bosses, Peter Gassner, to write a guest post on some of his BEA memories.

Peter actually came to PeopleSoft to fix up the old 2 tier client/server architecture and BEA played a big role in that. But I'll let Peter tell the story.

---------

Oracle finally owns TUXEDO. You can read it here. Sure, it does not mention TUXEDO, but it is in there, and it started it all.

The TUXEDO middleware product played a big part in PeopleSoft's technical history, starting from the release of PeopleSoft 7 in 1997. It is kind of interesting to trace the history of TUXEDO as it passed on from company to company and became involved with PeopleTools.

It started inside AT&T in the early 1983 and found its way to Novell in 1993 (by way of Unix System Laboratories). It was there in early 1996 that PeopleSoft and TUXEDO met. I still remember the very small conference room (no windows) in New Jersey where Baer Tierkel, Rick Bergquist and I met with some of the core inventors of TUXEDO, including Mark Carges and Randy McBlane. We liked the software and the people. We liked it better than Tibco, MQseries, or the various other things we saw. We really did not feel like building middleware ourselves (very hard work!), so we thought OEMing TUXEDO would be good.

But, before we could complete an OEM deal, TUXEDO was snapped up again, by a tiny company that was just forming called "BEA", which stood for Bill, Ed, and Alfred. What was this BEA, we thought? Rick, Baer and I met with Bill, Ed, and Alfred, and decided "still good people, still good software, let's go ahead". That became a great partnership for BEA and PeopleSoft. It made PeopleTools more robust, and it had some not small hand in the OEM success that BEA had with TUXEDO and later with Weblogic.

Over the years BEA grew. BEA acquired WebLogic in 1998 and PeopleSoft OEMed that as well. I still remember talking to Alfred over lunch one day in 1998 after the weblogic purchase. He made a small comment that I always remember. He said with a very straight face: "That weblogic stuff is just flying off the shelves." I probably should have bought some BEA stock at that point :-) TUXEDO meanwhile was alive and ticking inside PeopleTools. Sure, it was all wrapped up in "psadmin" so that the quite unsightly configuration files were not seen, but it was there.

And now, TUXEDO finally comes home to roost in the great enterprise software roosting ground, Oracle.

Congratulations, TUXEDO old boy, you have done well.


Peter Gassner
CEO
Verticals onDemand
PeopleTools Alumni (1995-2003)


New Grey Sparling Customers

We've been remiss in updating our customers page. We would like to welcome the following organizations to the Grey Sparling family:


Friday, April 25, 2008

Collaborate Day 2 - E40790- PeopleSoft Executive Update with Doris Wong

Presented by: Doris Wong, General Manager for PeopleSoft Enterprise

This was Doris's keynote, and it did a great job of showing to PeopleSoft customers reasons to upgrade to current releases, and demonstrating the vision and continued investment in PeopleSoft products.


Prior to the Session

Prior to the session, Doris recognized me in the audience, so I decided to walk up and say "Hi" to her. We talked a bit about non-PeopleSoft stuff (our kids went to preschool together, so it was good to catch up). She also wanted to know how things were going business-wise, and made sure to mention that she's been hearing good things about us from PeopleSoft customers (which is much better than her hearing bad things about us from PeopleSoft customers -- "I'm watching you, Wazowski. Always watching. Always").

Agenda

  • 2008 IT Strategic Initiatives
  • Oracle applications strategy
  • Delivering on PeopleSoft
  • PeopleSoft Investment Strategy
  • Key Takeaways

2008 IT Strategic Initiatives

A Forrester survey in which organizations rated the following areas as a critical priority:

  • 72% want improvement of integration between apps
  • 59% want upgrade packaged applications
  • 47% shift from functional to process orientation

Oracle's applications strategy follows this:

  • Applications unlimited
  • Application Integration Architecture
  • Fusion Applications

Applications unlimited -> we will continue to invest. This is strategic for us.

Second part is applications integration architecture. Designed around creating a common platform for easy integration of our systems. Provides a framework to easily orchestrate business processes across a heterogeneous environment.

Fusion - this continues to be a path, although optional. Our customers can look at this and determine what's best for their business.

Supporting all 3 parts of the strategy is Oracle Fusion Middleware. We will be standardizing on the middleware.

Doris then showed a diagram that illustrates how Fusion Middleware can be used as part of a larger enterprise applications infrastructure. It started by showing different backend systems linked by Fusion Middleware transport. In the middle are common objects and definitions of those objects. At the top, it shows Oracle's business process orchestration.

Doris then went more into how Oracle's Application Integration Architecture (AIA) plays an important part. She started by showing different layers of the architecture.

  • foundation is service management
  • then revenue management
  • then customer management
  • then enterprise management
  • finally, she showed processes that span the different layers.

Delivering on PeopleSoft

Doris then moved into more details with respect to PeopleSoft. She started by illustrating the importance of the PeopleSoft Enterprise suite to Oracle's overall business strategy:

  • 9 of top 10 commercial banks are ps customers
  • 59% of top 100 of fortune 500 companies own ps
  • retail - the 5 biggest use ps
  • 6 of top 10 communications companies use PeopleSoft
  • 60% of the top 15 insurance companies use PeopleSoft
  • 70% of top 10 health care organizations use PeopleSoft
  • 19 us states use PeopleSoft
  • 50 of largest counties and cities use PeopleSoft
  • 7 of top 10 research universities use PeopleSoft
  • 8 of top 10 printing and publishing companies use PeopleSoft

PeopleSoft beats best in class. Aberdeen Group survey: PeopleSoft customers are not average when it comes to HCM.

  • PS customers are 41% more likely than industry average to be satisfied
  • PS customers outperform industry average in every KPI used to measure best in class
  • PS customers demonstrate higher org performance improvement versus industry average
  • PS customers leverage automated hcm tools to achieve better ROI on their software investments

PeopleSoft 9.0 themes:

Doris then went on to talk a bit about the PeopleSoft roadmap, starting with PeopleSoft 9 (which is currently shipping):

  • Extended value through technology
  • best in class business processes
  • a superior ownership experience

Doris moved from the themes to talk more about the content in the release from a challenge, capability, and value perspective (which does a great job of laying out the return on investment in upgrading).

| Challenges | Capabilities | Value |
|---|---|---|
| Heterogeneous IT environment | SOA and Oracle Fusion Middleware, BPEL Process Manager | Lower IT costs |
| Integration | | Eliminate costly interfaces in cross-application business processes |
| Tightening/Changing Labor market | Integrated talent management | Attract, Engage, and Retain Talent |
| Contextual Information | Transactional Dashboards | Insight-driven Business Processes |
| Address regulatory requirements and performance needs | Business process enhancements to address OFAC, SARBOX, and more | Achieve sustainable compliance and high performance |
| Complex and changing reporting requirements | Oracle XML Publisher | Reduce reporting costs |
| Managing Applications Portfolio | Lifecycle Management Tools | Lower TCO |
| Accelerate User Adoption | Improved UE | Reduce training burden |
| Focusing on strategic activities | Employee self service | Improve efficiency and productivity |

Doris revisited the previous table to discuss specifics of release content

Integrated talent management

  • Single, enterprise-wide system. Profile management, business intelligence with single source of truth.
  • improved usability for employees and managers
  • relevant role-based activities and content
  • single user experience
  • line of sight visibility

Business Insight

  • supplier relationship management dashboard
  • Expanded KPIs for buyers and managers
  • Summary metrics at business unit level
  • Supplier performance analytics pagelet

Business Processes --> contract management

  • SRM dashboard example.
  • Shows different metrics (aggregated view of the source-to-pay business process) for buyers and managers.
  • Shows dashboard, but doesn't show the actual transactions (other than lists)

Compliance and performance

  • Enforcer has extended reporting including 345 reports that facilitate financial statement certification.
  • Improved tracking of training hours, costs, etc for compliance
  • Supply chain - auto-validation of customers and vendors against SDN list via web services for compliance with Patriot Act's OFAC regulations
  • expanded support for IFRS 15 evaluation requirements

Reporting

  • Shows the XML Publisher architecture: extract data; the XML Publisher publishing engine formats the data using templates and then file formats.
  • Showed difference between SQR report and new XML report with template available starting in 8.48 of tools.

Lifecycle management tools

  • integration with Enterprise Manager - enables IT admin to graphically manage Release 9.0 systems from same console as other Oracle databases, middleware and apps

Improved SOA Support

  • New UI and increased standards support
  • Stronger integration with BPEL process manager

Enhanced patching and maintenance

  • streamlined patching through tools that understand impact.

Why upgrade?

Business benefits of enhancements

  • Get business value of all releases
  • Eliminate customizations and niche vendors
  • Improve efficiency and productivity
  • reduce costs

Available services and tools

  • Upgrade aids in peopletools
  • Oracle solution center upgrade lab
  • Oracle consulting upgrade services

Planning Options

  • Separate tools and app upgrades
  • Future upgrade processes to fusion apps

Upgrade steps:

  • Added a new upgrade process from HCM 8.3 that does the 2-step process in a single set of steps (8.3 to 9.0 wrapper).

PeopleSoft Investment Strategy

Objectives:

  • Solution Value
  • Innovation
  • Customer success

Drivers

  • Corporate strategy
  • Market conditions
  • Competitive landscape

More on 9.1 Strategy:

  • Ensure market leadership in HCM, key industries and global markets
  • Provide high value low risk releases
  • Customer-driven enhancements
  • Avoid creating complex upgrades
  • Deliver integration and innovation
  • Leverage Oracle's portfolio of applications
  • Adopt Oracle Fusion Middleware capabilities
  • Enhance ownership experience
  • Increased usability and streamlined processes
  • Maintain peopletools backwards compatibility

9.1 roadmap. The rollout is planned in 2009.

Summary

I was impressed with how comprehensive the update was. Doris and team have been very busy, and have spent a lot of time listening to PeopleSoft customers.


Collaborate Day 1 - A43910: Business Intelligence – A look at Oracle's Business Intelligence tool out of the box

This session is intended to discuss OBIEE as it relates to financial services. It was nice to see as much demo-ing as they did. It was also nice to see more of the features of OBIEE highlighted, especially the ability to create a very useful semantic view of the data that users can understand.

Room was full. About 200-300 people. Standing room only.

Dan Blankenship, on the FSI user group board, was also in the previous session. He introduced Steve Burns, who is on the Financial Services team at Oracle.

Session started by querying the audience. Most of attendees raised hands when asked if used PeopleSoft for back-office. Only a couple who used eBusiness suite.

OBIEE plus.
The session began by introducing OBIEE plus as the technology platform for providing analytics in this area. Steve started by talking about semantic model in OBIEE. Put logic into semantic layer.

Listed Goldman, Wachovia, Axa as organizations using OBIEE. Leverage investments you've made in data source.

Talked about strategy of bringing together Hyperion, PeopleSoft and other acquisitions. (Operational BI, Enterprise performance management, transaction systems). With the addition of the ability to access Essbase content within an OBIEE meta-model, this tool is now able to bring all this together for a single, cohesive solution that encompasses the different back-office systems.

Solutions Space
Steve then went on to cover more about how they think about financial services from an analytic application perspective. Financial services organized into 4 areas: profitability, performance, risk management, and compliance. Below are some of the notes that I captured for a few of these areas:

Profitability
Used Fidelity as an example company that looks at customer profitability.

Showed screenshots with lots of charts and supporting details. Very analytic focused, going from high level to lower levels.

Credit Suisse was listed as customer of OBIEE as well.

Risk management
Goldman Sachs, Credit Suisse and Bear Stearns listed as users of compliance solutions.

Features and Functions
They quickly went into a demonstration of a few of the areas and how the content that they're putting into OBIEE can solve many of these business problems.

Pervasive information delivery
  • interactive dashboards
  • ad-hoc query
  • detections and alerts
  • production reporting

Pervasive delivery

  • financial reporting
  • office
  • disconnected and mobile analytics
  • desktop gadgets


They also made a lot about the ability to drill from a report or analysis back into the transaction system. This feature is very similar to what we've blogged about for PeopleSoft reporting tools. I wonder if they've thought about taking this to the next level (like hoverboards)?

They moved on to demo drilling from report into more detail (starting from dashboard). Because they've pre-defined the path, they call this guided navigation.

They moved on to show how a user could start with a dashboard, extend a report, and add it to a personal dashboard. They didn't cover the administrative aspects of people creating their own dashboards, but it was cool seeing them do it. The functional area demonstrated was payables, where they started with 2 gauges and then drilled from one of them into a report.

They continued by demoing modifying the report (adding a chart). They then showed creating a new report and adding it to a dashboard. Positioned that business users can do this (do not need to get IT involved).

Summary
This was one of the better OBIEE presentations I've seen. One area I'd like to see more is a comprehensive story about how people will be able to snap these new applications onto their existing ERP solutions. This may not make sense in this presentation, but I believe that one of the primary factors in making a purchasing decision for OBIEE versus the products sold by other BI vendors is the effort to get it up and running (and really demonstrating to folks how these new applications are going to provide a seamless integration with their existing solutions... right now, I see a lot of hand-waving going on instead of showing exactly how this will work across data models of different releases of Siebel, PeopleSoft, and e-Business suite).


Collaborate Day 1 - Session A45350: Financial Services Industry Update

Presented by: Eric Dickmann, Financial Services

Because so many of our customers are part of the Financial Services SIG, I wanted to make sure I attended this session to see what was going on here (especially since last year Amira Morcos had mentioned that there would be a business unit and general manager for this practice).

Eric is the new General Manager of the financial services IBU (discussed in this blog entry)

It was interesting to see the difference between approaches of PeopleSoft and Oracle to the Financial Services industry. Eric went through his solutions map for all 3 areas in financial services: Banking, Insurance, and Capital Markets. Where PeopleSoft focused primarily on the analytics and back-office solutions, Oracle will approach the market across all aspects of the industry including the front-office and point of sale systems (which is something PeopleSoft didn't address).

General Strategy
He described the goals of the financial institution within the following categories:
  • Customer intimacy
  • Competitive differentiation
  • Cost effectiveness
  • Compliance to regulation and risk mitigation
  • Service and speed are differentiation in industry.

He described the execution strategy of his group as follows:
  • Process driven
  • Pre-built
  • Interoperable
  • Flexible

Oracle's approach will be to assemble existing assets. Also to provide multiple deployment options for customers that include hosting, packaged products, or tools and custom applications.

These solutions will cover all the way from front office to back office. Showed the product footprint for different areas - solution maps. These are available at http://www.oracle.com/industries/financial_services/index.html .

Product
From a product perspective, the solution will cover the following main areas:
  • pre-built integrations for account origination
  • Governance, risk, and compliance for financial services
  • advisor desktop
  • claims management
  • profitability and asset/liability management analytics (new products)
  • Flexcube with Oracle identity management

Compliance
On the Compliance side, the solution will include GRC for banking, insurance, capital markets, covering
  • SOX
  • MiFID, Reg NMS
  • operational risk
  • compliance risk
  • Basel 2 and 1a, Solvency 2
  • AML, KYC, fraud prevention

Role of Siebel
Siebel looks to be a very important part of the financial services strategy:
  • Siebel will cover a good amount of the back-end systems, such as Siebel CRM as back-end for account origination (this will integrate with i-flex's Flexcube for identity management).
  • Siebel CRM on demand for advisor desktop. First pre-built hosted CRM solutions for wealth management. Web services. Shows user interface and analytics.
  • Enterprise claims management solution - part of Siebel 8. Claims management, context management, financial hub, back office.

For dashboards, Eric showed a few dashboards related to SOX and gauges of status of controls, powered by the OBIEE framework. He did not discuss where data is coming from and said that this is new. This means that PeopleSoft's solutions in this space are not going to be part of this solutions map.

Profitability - this is where PeopleSoft was strong. Instead of using PeopleSoft EPM, Risk Weighted Capital, and Funds Transfer Pricing, Oracle will be using OFSA and OBIEE as the solution for this.

Questions:
| Question | Answer |
|---|---|
| Can you talk more about what's going on with PeopleSoft financial services side? | If you're a PeopleSoft customer, you will continue to be supported by applications unlimited. HCM will continue to be a focus area for PeopleSoft. |
| I'm another PeopleSoft Customer. Can you tell me more about what I can expect as a PeopleSoft customer about Fusion? | Everything you saw in this presentation is based on Fusion. |


What I saw missing
I didn't see any mention of PeopleSoft EPM or the financial services analytic applications that were hosted on the EPM warehouse. I also didn't see any recognition of the role of PeopleSoft GL in financial services organizations who are part of this Industry Group. By reading between the lines, it looks like the development team at Oracle isn't going to be focused on these areas, even though the vast majority of attendees (>80%) categorized themselves as PeopleSoft customers.

Summary
It will be interesting to see how this strategy plays out. The Oracle solutions map is definitely much more encompassing than PeopleSoft's, especially in the banking and CRM areas. This could be a good opportunity for them. With respect to corporate performance management, compliance, and analytics, I think that Oracle will have a challenging time getting traction with many of the members of the industry group until they come up with a better story for organizations using PeopleSoft Financials and EPM. From an engineering perspective, I believe packaging analytics in OBIEE that are targeted specifically to EPM (funds transfer pricing, risk weighted capital, etc), as well as PeopleSoft Financials will allow them to extend existing solutions with new products and features versus leaving it up to the customer to figure out how to accomplish this themselves.


Wednesday, April 23, 2008

Enterprise RSS Day

In honor of "Enterprise RSS Day", we thought we'd offer something to help kickstart some Enterprise RSS action for PeopleSoft customers.

One of the reasons why Enterprise level RSS is not more popular is that most RSS news readers don't understand the security rules of enterprise applications. Some RSS readers understand HTTP level authentication, but I'm not aware of any enterprise level applications that actually use HTTP level authentication. Everything that I've ever seen is forms-based (I'm excluding fancy options like smartcards, biometrics, etc.; just what comes out of the box).

If the news readers can't get into the enterprise system, then the enterprise system owners never feel any pressure to produce the RSS feeds. Classic chicken and egg problem.

So, what is Grey Sparling doing to help?

As you're probably aware, Grey Sparling has a Desktop Single Signon product for PeopleSoft that uses your Windows login credentials to establish your PeopleSoft session for you. We also have a new PeopleSoft specific Web Application Firewall, which we call ERP Firewall for PeopleSoft.

Combining the two of them allows us to offer the ability for desktop based RSS news readers to establish a PeopleSoft session for the user, but only for RSS feeds! The session can't be used for any other purpose but reading RSS. The user can still login to PeopleSoft themselves and do their regular work, but the automatic login for the news reader is blocked from doing anything else.

The PeopleSoft session that the RSS news reader uses is logged in as the actual PeopleSoft user, so all regular PeopleSoft data security is applied to the feeds. Take a look at some of the proof of concept RSS generation from PeopleSoft that Brent Martin put together to get some more ideas about how you could do this in your organization.

Great, how about a freebie?

To get things going here, we're going to offer a free copy of this to someone out there. If you win, you'll get full support and assistance just like any paying customer, which means a production instance of PeopleSoft, along with as many dev and test instances that you use to support that production instance. No user limits, no CPU limits, etc. etc.

There is a catch though.

We're going to do a lottery to pick a winner, but in order to get your virtual hat thrown in the ring, you have to come up with a few good scenarios where you'd put this to use within your organization. Ideally this would be something that you'd be willing to share as a case study (maybe a user conference presentation or something).

You can either email us "enterpriserss at greysparling.com" with your ideas, or better yet, post a comment here or on your blog.

Anything else to be aware of?
  • In order to use this you need to be able to install software in your PeopleSoft environment.
  • The RSS news reader that gets used should be something that runs on each user's desktop. This is because it's the Desktop Single Signon product that is providing the news reader access into PeopleSoft. If you use a server based news reader, then it won't be able to use your existing Windows login. There are some ways that this could be enabled in the future, but nothing that we're ready to provide today.
  • Since this uses your Windows login, it's only meant for people that login to your Windows network (so this doesn't yet help with providing your external customers access to PeopleSoft RSS feeds).
  • What we're offering is around the security of RSS access, not actual RSS feed content. Take a look at Brent Martin's blog entry for ideas on actually creating RSS feeds inside PeopleSoft.


Tuesday, April 15, 2008

Strengthening Data Privacy in PeopleSoft

Session 2886 in the OAUG section.

Monica Nelmes Elliott
PeopleSoft Product Marketing
Approva

Dr Marilyn Prosch, Ph.D., CIPP
Department of Accounting
Arizona State University

Monica is beginning the session by talking about when she was victimized by identity theft a few years back. A Fortune 100 company using PeopleSoft had someone access her account, open up several lines of credit. Big nightmare. So she's very passionate about this issue now.

Prior to bringing Dr. Prosch up, she takes a few questions. One was about being able to monitor specific users in PeopleSoft (maybe some new call center employees that you're worried are trying to pull up too many accounts or something). She said that Approva announced a partnership at the conference with a company, Lumigent, that does database monitoring (here is the press release).

Now Dr. Prosch is up. She's been in this area for about 7 years, came in from systems background. Has several slides showing all of the different organizations that have had privacy breaches in 2007. She mentioned that Arizona (where she is from) is now ranked first in the U.S. for identity theft, and that the governor there has just appointed 2 new positions for this.

Dr. Prosch says that PeopleSoft is used in many of the organizations involved in these breaches. Most are not system hacks, but data downloads where the data/laptops get stolen or from backups that get lost/stolen.

39 states now have identity breach laws, but she does not believe that the federal government is going to do anything soon, so you're essentially required to know about the rules for all of the places that you do business (ed: of course, this is true globally as well).

Talking about FTC being more likely to be lenient if you are at least showing that you are taking action

The Federal Trade Commission is going after some big cases now. These can have a pretty significant financial impact on an organization. However, she believes that the FTC is more likely to show some leniency if you can show that you were taking action towards preventing breaches before the breach occurred.

The discussion then went into the concept of GAPP; Generally Accepted Privacy Principles. Much like GAAP (Generally Accepted Accounting Principles), the idea is to codify best practices for privacy. These are available to download for free and can be applied in your organization today. If you want someone to verify/audit your compliance with GAPP (maybe a business partner mandates this), then you can pay an auditor. The GAPP framework should address most major privacy legislation (domestic and international). It has 66 principles across 10 categories.

Dr. Prosch is now talking about the concept of Continuous Privacy Monitoring. She's showing a 5 stage "privacy lifecycle" chart. Stage 1 is ad-hoc efforts around privacy, stage 4 is being ready for a GAPP audit, and stage 5 is continuously monitoring privacy within your organization (ed: to continue the accounting analogy; being able to close the books at any time, instead of just at month's end).

Monica is back now talking about defining security rules for roles and permission lists in spreadsheets. How many people can answer who has access to a given piece of data after PeopleSoft has been running for awhile?

She's giving a list of example fields to monitor in different PeopleSoft products (the actual field names in PeopleSoft, not just what the fields are). Approva can monitor all uses of sensitive fields in PeopleSoft. Joel Hutchison is an ex-PeopleSoft person who is the main developer for this. He's sitting in the audience, but can take questions.

It would have been nice to see a bit more detail about this or maybe a demo, but overall it was a very good session.


International Rollouts of PeopleSoft - Do's and Don'ts

Session 3291 in the OAUG section.

I went to Sylvain Nguyen's presentation on PeopleSoft global rollouts. Sylvain used to be a manager for PeopleSoft Global Financials development, and is now the CEO of Ataway. Ataway is a consulting company that specializes in PeopleSoft (note that we've worked with them before).

I came in about 15 minutes late, because the OAUG tracks are not sync-ed up with the Quest tracks timewise. Which is probably driven more by scheduling lunch for everyone here than anything else. Sylvain was in the middle of discussing the question "How can a global rollout be cost efficient, fast paced, and with quality when so many odds are stacked against it?". This then led into a series of Dos and Don'ts.

Do
  • Define template based global methodology
  • Identify business leaders and analysts in the US and local countries
  • Use local resources in the project team
Don't
  • Start user requirement gathering before corporate business processes are mapped
  • Underestimate the impacts of working with remote teams

Do you have a US based team travel to each country to gather requirements? Sylvain recommends having local people onsite for the project implementation. They know the business practices, they know the culture, so they can be of great assistance.

Gathering local requirements. When planning deployment, the first thing to do is identify/document your proper business processes. If the core business processes are documented then the requirements gathering is much easier.

One other thing that Sylvain recommended is to avoid consulting companies that don't have global experience. He gave an example of an implementation where the consulting company didn't know what VAT was, so they left it to be calculated manually. The local users thought this was a joke since the most basic local packages would do this automatically, but they were told that PeopleSoft was state of the art, etc.

The presentation then got into data strategies. It's common to have a single set of vendors, a small number of setids for US based implementations. That probably won't work for a global deployment, so if you haven't looked at how PeopleSoft supports this, then it's time to learn. (note: a great resource for this is our weblog post on SetIDs and Business Units).

One thing that comes up in some implementations is that the local users already know English, so people wonder why it's necessary to have the global support. Sylvain gave an example of Japanese users that know English. But they need to interact with other people that don't. If you send an invoice in English in Japan, you probably won't get paid because the mailman won't know how to deliver it. So you do need to be sure that your Japanese users can enter things like addresses in Japanese.

Do
  • Trust PeopleSoft features around global
  • Prototype as early as possible
  • Involve local business leaders in review of designs. Implementation time is too late.
Don't
  • Underestimate the impact on existing customizations
  • Forget that production support will have to change to handle global users and requirements

There was then a short performance discussion. Most people understand about wide area networking and that there may be performance issues when you have users half way around the world. But you also have to consider things like running batch jobs in the middle of the night in the US. There's never really a good time to do that in a global implementation because it's always someone's work day. So you have to look at better tuning of batch or even locking out users from targeted areas while batch is running.

Global deployments also impact your support organization. If a critical business issue happens at 3am headquarters time, who takes the call? (Hillary!) Would you allow the local teams to make code changes to do a critical fix if needed? Would you make your project team at headquarters wear pagers? Sylvain recommends setting service level agreements up front for these sorts of things so that it can be decided upon rationally up front, instead of waiting for a crisis to happen.

Do
  • Identify and train local SME as early as possible
  • Assign dedicated local support analysts
  • Train the support team on the new processes and features
Don't
  • Underestimate time and cultural differences in resolving problems.
  • Think the project is over when the country is live.

Sylvain gave an example of a project review where there were no complaints about the new country rollout in Japan. As it turns out, the users were unhappy, but did not want to say anything. This is just a cultural difference, but the project team was not aware that no complaints was not the same thing as no issues.

One question that came up at the end was about whether to use a single PeopleSoft instance or multiple PeopleSoft instances for development when you have different development teams around the world. Sylvain recommends a single instance so that you don't have to worry about missing changes from one environment. There were a few nodding heads in the audience that Sylvain pointed out.


Sunday, April 13, 2008

Collaborate 2008

We're heading out to the Collaborate conference today.


Like we did at OpenWorld, we'll try to blog some of the sessions that we attend, so if you can't make it stay tuned here. There should be some interesting content presented in the sessions, and I expect that there will be some good unconference material in the conference center hallways.


If you're a regular blog reader, be sure to catch us and say hello. See you in Denver.


Friday, April 11, 2008

Firewall Product as Savior

We had an interesting situation with one of our customers recently where creative use of one of our products, the ERP Firewall for PeopleSoft, saved the customer from having to do an emergency PeopleTools upgrade. Needless to say, the drinks are on them at Collaborate.

For those that aren't familiar with our ERP Firewall for PeopleSoft product, it is a Web Application Firewall that has deep knowledge of PeopleSoft applications. It doesn't just see requests coming in as URL strings that someone can write regular expressions to process; it sees the request in the context of PeopleSoft. It knows what a PeopleSoft component is, it knows what a Web Profile is, it understands PeopleSoft security, etc.

The problem that our customer hit was that when someone enters an invalid password logging in to PeopleSoft, PeopleTools would drop the portal and node name from the URL. Normally this wouldn't be a problem because most people are accessing the default portal in PeopleSoft (generally the EMPLOYEE portal). When you login to PeopleSoft and don't specify a portal, you get the default portal. Makes perfect sense.

However, when you also have a large number of customers accessing the CUSTOMER portal, then it gets more interesting. The customer end user attempts to login at https://some.host.com/psp/ps/CUSTOMER/CUST/h/?cmd=login . They enter a bad password by accident, and then they get redirected to https://some.host.com/psp/ps/?cmd=login along with the standard message saying that the username or password is incorrect.

So they type in the correct password and get logged in. Except now they are pointed to the EMPLOYEE portal (because the CUSTOMER portal reference got removed). And not being an EMPLOYEE, they don't have access to anything. Oops. Their session is valid, but the URL is pointing to somewhere where they get nothing.

Turns out that this is fixed in a PeopleTools patch (8.48.13 for the 8.48 codeline, I'm not sure about other PeopleTools versions), but the customer was live with an earlier patch release in the 8.48 codeline and was concerned about dropping a new version of PeopleTools in.

Since they have the ERP Firewall product already (they use it for restricting employees from using the customer facing / internet accessible web server and force them to go through web servers that are just for employee use) we decided to treat accessing the EMPLOYEE portal as a security condition that we want to detect. However, instead of doing something like blocking access, we calculate the proper CUSTOMER portal URL and silently redirect the user there. So we're actually using a security tool to solve a usability problem.

You might think that just replacing EMPLOYEE with CUSTOMER in the URL would be enough to solve the problem, but there were a few wrinkles which ended up making the ERP Firewall piece a really good fit.

Part of the challenge was making sure that we kept each user's correct context when redirecting. Most users would be coming through the portal home page, but some might be coming in from deep links into order history or from bookmarks, etc. So we couldn't just have a single URL to redirect people to.

The stickier problem was that the ERP Firewall needed to redirect differently based on whether the person was logged on or not. If the user was not logged in, and we redirected them to the CUSTOMER portal home page, PeopleTools viewed that as a login attempt, and gave the user the signon page. Normally PeopleTools handles this quite well; an attempt to hit a deep link in PeopleSoft when you're not logged in gets you the signon page, and once you login, you go to that deep link that you originally requested.

However, due to this bug, the CUSTOMER portal was getting dropped again, so it was necessary to append the cmd=login parameter that PeopleTools recognizes as a request for the login page. Of course, if the user is logged in already and you redirect them with a cmd=login link, then you just killed their session.

The nice thing is that the ERP Firewall for PeopleSoft has the deep knowledge of PeopleSoft to make this trivial. It knows what a PeopleSoft portal is, it knows what PeopleSoft roles a user has, it knows whether they are logged in or not, and it knows how to properly generate and/or modify PeopleSoft URLs in a safe fashion.

Of course, it knows lots of other things as well. Let us know if you'd like to learn more about it.
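The redirect decision described above can be sketched as follows. This is an added example, not code from the ERP Firewall product: the function name, the `logged_in` flag and the treatment of a missing portal as the default EMPLOYEE portal are assumptions, and it assumes the caller has already established that the request is from a customer on the customer-facing web server. Only the `/psp/ps/` prefix and the CUSTOMER/CUST names come from the post.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SERVLET = "psp"                      # portal servlet, as in the post's URLs
DEFAULT_PORTAL = "EMPLOYEE"          # what PeopleTools serves when no portal is named
CUSTOMER_PORTAL, CUSTOMER_NODE = "CUSTOMER", "CUST"


def customer_redirect(url, logged_in):
    """Return the CUSTOMER-portal URL to redirect to, or None to pass the request through."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 2 or segs[0] != SERVLET:
        return None                              # not a PeopleSoft portal URL
    site, rest = segs[1], segs[2:]
    trailing = parts.path.endswith("/")
    if len(rest) >= 2:                           # /psp/<site>/<portal>/<node>/...
        if rest[0] != DEFAULT_PORTAL:
            return None                          # CUSTOMER (or another portal): leave alone
        tail = rest[2:]                          # keep the deep link below the node
    else:
        tail = []                                # portal and node were dropped by the bug
    if not tail:
        tail, trailing = ["h"], True             # portal home page
    path = "/" + "/".join([SERVLET, site, CUSTOMER_PORTAL, CUSTOMER_NODE] + tail)
    if trailing:
        path += "/"
    # Drop any cmd=login first: sent on a live session it would end that session.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if (k, v) != ("cmd", "login")]
    if not logged_in:
        query.append(("cmd", "login"))           # anonymous user: ask for the signon page
    # Scheme and host are copied from the request itself, never from a parameter,
    # so the redirect cannot be pointed at another origin.
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))
```

The EMPLOYEE-portal node name and deep-link component in any test input are constructed; the post does not give them.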
