When using PeopleCode and Java mixed together, one thing that will cause problems for you is the inability to do any casting of Java objects from the PeopleCode side. For example, if you were storing some Java objects in a HashMap.

Local JavaObject &map = CreateJavaObject("java.util.HashMap");
Local JavaObject &int = CreateJavaObject("java.lang.Integer", 28);
&map.put("TEST", &int);

Later on, when you want to get the object back out and use it for something

Local JavaObject &int2 = &map.get("TEST");
Warning(&int2.intValue());

You'll get an error "Java method intValue not found for class java.lang.Object.".

This is because the PeopleCode runtime is using the return type for the "get" method on the HashMap object to decide what object it has. Fair enough, that's how Java works as well. If you're writing Java, you'd do something like this.

Integer int2 = (Integer)map.get("TEST");

The (Integer) part changes (or casts) the returned value of the get method from java.lang.Object to Integer. Unfortunately, there is no way to do this in PeopleCode, so you'd have to write (and distribute to the application servers) some Java glue code that could handle the casting, but that's a bit of a headache.

We've shown in previous blog entries how to use Java reflection from PeopleCode to work around this, but Java 5 brings a new option for us to try. PeopleTools 8.49 (the current version of PeopleTools as of the moment) is the first version of PeopleTools to use Java 5.

As a side note, Java 1.4 end of life is October 30, 2008, so those of you looking for a good reason to justify a PeopleTools upgrade to your management, here it is :-)

So what helps us in Java 5 with casting? There is a new method in java.lang.Class called cast, which according to the doc, "Casts an object to the class or interface represented by this Class object.".

Great!

So we update the code

Local JavaObject &int2 = &map.get("TEST");
Local JavaObject &int3 = &int.getClass().cast(&int2);
Warning(&int3.intValue());

PeopleCode knows that the &int object is of type java.lang.Integer so we can get it's Class object and use that to cast our object that came back out of the HashMap and we'll be all set, right?

Nope. Same error as before. "Java method intValue not found for class java.lang.Object.".

Labels: 2008, Java, PeopleCode

Here's a quick quiz for you PeopleCode experts out there. Which of these lines of code will Application Designer accept (and run) and which ones will it not?

&! = "Am I valid?";
&@ = "Am I valid?";
&# = "Am I valid?";
&$ = "Am I valid?";
&% = "Am I valid?";
&^ = "Am I valid?";
&& = "Am I valid?";
&* = "Am I valid?";
&( = "Am I valid?";
&) = "Am I valid?";
&_ = "Am I valid?";
&- = "Am I valid?";

Here are the valid lines

&@ = "Am I valid?";
&# = "Am I valid?";
&$ = "Am I valid?";
&_ = "Am I valid?";

and here are the invalid lines

&! = "Am I valid?";
&% = "Am I valid?";
&^ = "Am I valid?";
&& = "Am I valid?";
&* = "Am I valid?";
&( = "Am I valid?";
&) = "Am I valid?";
&- = "Am I valid?";

Of course, this is more just interesting trivia as opposed to something that we would recommend doing.

Labels: 2008, PeopleCode

Jim Marion has a good writeup on his blog with some ideas for customizing the PeopleSoft signout page, but it doesn't directly cover a common use case that I get asked about a lot, which is redirecting the user somewhere else at signout time.

A common reason for doing that is if you have a primary portal, such as the Oracle Portal, that provides access into your PeopleSoft applications. When the PeopleSoft session is done, you want the user to return to the main portal home page. Another reason is that you have some sort of single signon external to PeopleSoft, so you don't want the PeopleSoft users to see the PeopleSoft signon page.

How to do it

The process for doing this is pretty straightforward. The HTML that gets displayed at signout time is defined in the "Look and Feel" page of the Web Profile. One common source of confusion with the values defined on this page is that they are not URLs, but they are references to files in the web server. So you can't set a different URL here, you need to have the redirection logic in the appropriate file on the web server.

By default, the file that gets displayed at signout time is called signin.html. We'll want to make a copy of this since by default it gets used for the signon page as well as the signout page. You can give it a name like signout_redirect.html ; end users will never see this name though so just name it so that you remember it's purpose later. Whatever name that you call it, you'll want to reference that name for the logout page in your Web Profile.

For example, if you wanted to send your users to the Grey Sparling home page with a 0 second delay when they log out from PeopleSoft, you would add the following line immediately after the <HEAD> tag at the top of your new file.

<meta equiv="REFRESH" content="0;url=http://www.greysparling.com/">

The contents of these files are read into memory when the web server starts up, so you'll need to bounce the web server in order to get that to take effect.

Preventing Page Flash at Signout Time

What I've outlined above is the simplest way to solve the problem. One small usability issue exists though. In spite of the fact that we have specified 0 seconds for the delay, the browser will still render all of the HTML onscreen before sending the user to the new home page. The best course of action here is to remove everything between the <BODY> tags. That saves the browser from having to render the page so it can get to the redirect quicker. There is still a quick page flash, but it is quicker and it is just a blank screen so it doesn't look quite as bad.

The HTTP gurus in the crowd are probably wondering why this isn't solved with an HTTP level redirect, which would make the whole page flash issue go away. The answer is that you don't have easy access to do this. You can use some of the options that Jim mentions in his blog (we do something similar in our ERP Firewall for PeopleSoft product) if it is really a big deal to you though.

Upgrade Issues

Each time you install PIA (whether from an upgrade or just adding a new web server) you'll need to copy this newly created file from an existing web server (since you no longer care about what new features/layout changes that Oracle might add to these pages in new releases).

If you install a lot of web server instances, you can put this file in the setup program so that you always end up with your custom one instead of the default. Just search for the file PTSitePsftdocs.jar in your PSHOME\setup directory. That has the source files that get put into the web server.

Session Expiration

Thankfully there is a separate page that gets displayed when a session expires vs someone signing out. That file is called expire.html. You may want to setup some separate handling for this one so that the user does see a message about their session having timed out instead of just being redirected to a different page.

Where are the files?

The actual files to edit in the web server are stored in WEB-INF\psftdocs\<sitename>. I'd list the whole path, but it's so incredibly deeply nested that you'd need a special wide monitor for the browser to be able to scroll that far :-) That's a subject for another blog post some day though.

Can I change signout behaviour based on the user?

By the time the signout page is displayed, the user's session has already been wiped out. You no longer even know who the user is/was. There are no PeopleCode events that run at signout time by default (although it can be done).

Read Jim's blog post or talk to us about ideas for getting around this.

Any other tips?

If you want to change the label/text of the Signout link, it is defined in the Message Catalog. The message set number is 95, and the message id is 408. Don't forget to update any other languages that you may be using with your PeopleSoft applications.

Labels: 2008, Security, Sysadmin

Last thursday, I presented at the Philadelphia PeopleSoft and JD Edwards RUG. I was able to meet with lots of PeopleSoft customers and even catch up with a few folks I hadn't seen since the 2006 FSIUG meeting in Manhattan.

I even had a chance to spend some time with Kevin Agatone, fellow nVisionary, PeopleSoft Projects developer, and Fusion Projects developer. Kevin used to work for me on the reporting development team and ended moving on to bigger and better things.

I ended up creating new versions of our award-winning Advanced Tips and Techniques sessions, and the slide where I discussed PeopleSoft's control surfaces was very well received. I think I see a future blog intry coming.

Here are the links to the powerpoints

• More Advanced PeopleTools Tips and Techniques
• More Advanced Reporting Tips and Techniques
• Noetix Views for PeopleSoft HRMS (I covered hoverboards in this topic).

We look forward to our next user group meeting: Quest Northeast. Hope to see you there.

Labels: 2008, Events

In honor of Oracle finally completing the BEA acquisition, I asked one of my old bosses, Peter Gassner, to write a guest post on some of BEA memories.

Peter actually came to PeopleSoft to fix up the old 2 tier client/server architecture and BEA played a big role in that. But I'll let Peter tell the story.

---------

Oracle finally owns TUXEDO. You can read it here. Sure, it does not mention TUXEDO, but it is in there, and it started it all.

The TUXEDO middleware product played a big part in PeopleSoft's technical history, starting from the release of PeopleSoft 7 in 1997. It is kind of interesting to trace the history of TUXEDO as it passed on from company to company and became involved with PeopleTools.

It started inside AT&T in the early 1983 and found it's way to Novell in 1993 (by way of Unix System Laboratories). It was there in early 1996 that PeopleSoft and TUXEDO met. I still remember the very small conference room (no windows) in New Jersey where Baer Tierkel, Rick Bergquist and I met with some of the core inventors of TUXEDO, including Mark Carges and Randy McBlane. We liked the software and the people. We liked it better than Tibco, MQseries, or the various other things we saw. We really did not feel like building middleware ourselves (very hard work!), so we thought OEMing TUXEDO would be good.

But, before we could complete an OEM deal, TUXEDO was snapped up again, by a tiny company that was just forming called "BEA", which stood for Bill, Ed, and Alfred. What was this BEA, we thought? Rick, Baer and I met with Bill, Ed, and Alfred, and decided "still good people, still good software, lets go ahead". That became a great partnership for BEA and PeopleSoft. It made PeopleTools more robust, and it had some not small hand in the OEM success that BEA had with TUXEDO and later with Weblogic.

Over the years BEA grow. BEA acquired WebLogic in 1998 and PeopleSoft OEMed that as well. I still remember talking to Alfred over lunch one day in 1998 after the weblogic purchase. He made a small comment that I always remember. He said with a very straight face: "That weblogic stuff is just flying off the shelves." I probably should have bought some BEA stock at that point:-) TUXEDO meanwhile was alive and ticking inside PeopleTools. Sure, it was all wrapped up in "psadmin" so that the quite unsightly configuration files were not seen, but it was there.

And now, TUXEDO finally comes home to roost in the great enterprise software roosting ground, Oracle

Congratulations, TUXEDO old boy, you have done well.


Peter Gassner
CEO
Verticals onDemand
PeopleTools Alumni (1995-2003)

Labels: 2008, History

Presented by: Doris Wong, General Manager for PeopleSoft Enterprise

This was Doris's keynote, and it did a great job of showing to PeopleSoft customers reasons to upgrade to current releases, and demonstrating the vision and continued investment in PeopleSoft products.

Prior to the Session

Prior to the session, Doris recognized me in the audience, so I decided to walk up and say "Hi" to her. We talked a bit about non-PeopleSoft stuff (our kids went to preschool together, so it was good to catch up). She also wanted to know how things were going business-wise, and made sure to mention that she's been hearing good things about us from PeopleSoft customers (which is much better than her hearing bad things about us from PeopleSoft customers -- "I'm watching you, Wazowski. Always watching. Always").

Agenda

• 2008 IT Strategic Initiaives
• Oracle applicagtions strategy
• Delivering on PeopleSoft
  PeopleSoft Investment Strategy
• Key Takeaways

2008 IT Strategic Initiatives

Forrester survey where organizations found critical priority of the following areas

• 72% want improvement of integration between apps
• 59% want upgrade packaged applications
• 47% shift from functional to process orientation

Oracle's applications strategy follows this:

• Applications unlimited
• Application Integration Archietecture
• Fusion Applications

Applications unlimited -> we will continue to invest. This is strategic for us.

Second part is applications integration architecture. Designed around creating a common platform for easy integration of our systems Provides framework to easily orchistrate business processes across a heterogeneous environment.

Fusion - this continues to be a path, although optionsal. Our customers can look at this and determine what's best for their business.

Supporting all 3 parts of the strategy is Oracle Fusion Middleware. We will be standardizing on the middleware.

Doris, then showed a diagram that illustrates how fusion middleware can be used as part of a larger enterprise applications infrastructure. It started by showing different backend systems linked by fusion middleware transport. In the middle are common objects and definitions of those objects. At the top, it shows oracle's business process orchestration.

Doris, then went more into how Oracle's Application Integration Arcitecture (AIA) plays an important part. She started by showing different layers of the architecture.

• foundation is service management
• then revenue management
• then customer management
• then enterprise management
• finally, she showed processes that span the different layers.

Delivering on PeopleSoft

Doris, then moved into more details with respect to PeopleSoft. She started by illustrating the importance of the PeopleSoft Enterprise suite to Oracle's overall business strategy:

• 9 of top 10 commercial banks are ps customers
• 59% of top 100 of fortune 500 companies own ps
• retail - the 5 biggest use ps
• 6 of top 10 communications companies use PeopleSoft
• 60% of the top 15 insurance companies use PeopleSoft
• 70% of top 10 health care organizations use PeopleSoft
• 19 us states use PeopleSoft
• 50 of largest counties and cities use PeopleSoft
• 7 of top 10 research universities use PeopleSoft
• 8 of top 10 printing and publishing companies use PeopleSoft

PeopleSoft beates best in class. Aberdeen group survey PeopleSoft customers are not average when it comes to hcm.

• PS customers are 41% more likely than industry a verage to be satisfied
• PS customers outperform industry average in every kpi used to measure b est in class
• PS cusotmers demonstrate higher org perfomance improvement versus industry average
• PS customers leverage automated hcm tools to achieve better ROI on their software investments

PeopleSoft 9.0 themes:

Doris, then went on to talk a bit about the PeopleSoft roadmap, starting with PeopleSoft 9 (which is currently shipping):

• Extended value through technology
• best in class business processes
• a superior ownership experience

Doris, moved from the themes to talk more about the content in the release from a challenge, capability, and value perspective (which does a great job of laying out the return on investment in upgrading).

Challenges	Capabilities	Value
Heterogeneous IT environment	SOA and oracle fusion middleware, bpel process manager	Lower IT costs
Integration	Eliminate costly interfaces in cross-applicagtion business processess
Tightening/Changing Labor market	Integrated talent mangement	Attract, Engage, and Retain Ralent
Contextual Information	Transactional Dashboards	Insight-driven Business Processes
Address regulatory requirements and performance needs	Business process enhancemsnts to address OFAC, SARBOX, and more	Achieve sustainable compliance and high perfomance
Complex and changing reporting requirements	Oracle XML Publisher	Reduce reporting costs
Managing Applications Portfolio	Lifecycle Management Tools	Lower TCO
Accelerate User Adoption	Improved UE	Reduce training burden
Focusing on strategic activities	Employee self service	Improve efficiency and productivity

Doris revisited the previous table to discuss specifics of release content

Integrated talent management

• Single, enterprise wide system. proflie management, business intelligence with single source of truth.
• improved usability for employees and managers
• relevant role based activites and content
• single user experience
• line of sight visibility

Business Insight

• supplier relationship management dashboard
• Expanded KPIs for buyers and managers
• Summary metrics at business unit level
• Supplier performance analtics pagelet

Business Processes --> contract management

• SRM dashboard example.
• Shows different metrics (aggregated view of source-to-pay) business processs for buysers and managers.
• Shows dashboard, but doesn't show the actual transactions (other than lists)

Compliance and performance

• Enforcer has extended reporting including 345 reports that facilitate financial statement certification.
• Improved tracking of training hours, costs, etc for compliance
• Supply chain - auto-validation of customers and vendors against SDN list via web services for compliance with patriot acts OFAC regulations
• expanded supports for IFRS 15 evaluation requirements

Reporting

• Shows the XML publisher architecture: extract data xml publisher publishing engine formates the data using templates and then file formats.
• Showed difference between SQR report and new XML report with template availabile starting in 8.48 of tools.

Livecycle management tools

• integration with enterprise manager - enables it admin to graphicallly manager and manage Release 90 systems from same console as other oracle databases, middleware and apps

Improved SOA Support

• New UI and increased standards support
• Stronger integration with BPEL process manager

Enhanced patching and maintenance

• streamlined patching through tools that understand impact.

Why upgrade?

Business buenefits of enhancements

• Get business value of all releases
• Eliminate customations and niche vendors
• Improve efficiency and prodicvivity
• reduce costs

Available services and tools

• Upgrade aids in peopletools
• Oracle solution center upgrade lab
• Oracle consulting upgrade services

Planning Options

• Separate tools and app upgrades
• Future upgrade processes to fusion apps

Upgrade steps:

• Added a new upgrade process from hcm 8.3 that does the 2-step process in a single set of steps (8.3 t0o 9.0 wrapper).

PeopleSoft Investment Strategy

Objectives:

• Solution Value
• Innovation
• Customer success

Drivers

• Corporate strategy
• Market conditions
• Competitive landscape

More on 9.1 Strategy:

• Ensure market leadership in HCM, key industries and global markets
• Provide high value low risk releases
• Customer-driven enhancements
• Avoid creating complex upgrades
• Deliver integration and innovation
• Leverage oracles portfolio of applications
• Adopt oracle fusion middleware capabilities
• Enhance ownership experience
• Increaed usabilith and streamlined processes
• Maintain peopletools backwards compatibility

9.1 roadmap. The rollout is planned in 2009.

Summary

I was impressed with how comprehensive the update was. Doris and team have been very busy, and have spent a lot of time listening to PeopleSoft customers.

Labels: 2008, Collaborate

This session is intended to discuss OBIEE as it relates to financial services. It was nice to see as much demo-ing as they did. It was also nice to see more of the features of OBIEE highlighted, especially the ability to create a very useful semantic view of the data that users can understand.

Room was full. About 200-300 people. Standing room only.

Dan Blankenship on FSI user group board - was also in pervious session. He introduced Steve Burns, who is on the Financial Services team at Oracle.

Session started by querying the audience. Most of attendees raised hands when asked if used PeopleSoft for back-office. Only a couple who used eBusiness suite.

OBIEE plus.
The session began by introducing OBIEE plus as the technology platform for providing anlaytics in this area. Steve started by talking about semantic model in OBIEE. Put logic into semantic layer.

Listed Golman, Wachovia, Axa as organizations using OBIEE. Leverage investments you've made in data source.

Talked about strategy of bringing together hyperion, peoplesoft and other acquisitions. (Operational BI, Enterprise perormance management, transaction systems). With the addition of the ability to access Essbase content within an OBIEE meta-model, this tool is now able to bring all this together for a single, cohesive solution that encompasses the different back-office systems.

Solutions Space
Steve, then went on to cover more about how they think about financial services from an analytic application perspective. Financial services organized into 4 areas: profitability, performance, risk management, and compliance. Below are some of the notes that I captured for a few of these areas:

Profitability
Used Fidelity as an example company that looks at customer profitability.

Showed screenshots with lots of charts and supporting details. Very analytic focused gtoing from high level to lower levels.

Credit suisse was listed as customer of OBIEE as well.

Risk management
Goldman Sachs, Credit Suisse and Bear Stearns listed as users of compliance solutions.

Features and Functions
They quickly went into a demonstration of a few of the areas and how the content that they're putting into OBIEE can solve many of these business poroblems.

Pervasive information delivery

• interactive dashboards
  
• ad-hoc query
  
• detections and alerts
  
• production reporting
  

Pervasive delivery

• financial reporting
  
• office
  
• disconnect and mobile anlaytics
  
• desktop gadgets
  

They also made a lot about the ability to drill from a report or analysis back into the transaction system. This feature is very similar to what we've blogged about for PeopleSoft reporting tools. I wonder if they've thought about taking this to the next level (like hoverboards)?

They moved on to demo drilling from report into more detail (starting from dashboard). Because they've pre-defined the path, they call this guided navigation.

They moved on to show how a user could start with a dashboard, extend a report, and add it to a personal dashboard. They didn't cover the administrative aspects of people creating their own dasboards, but it was cool seeing them do it. The functional area demonstrated was payables, where they started with 2 gauges and then drilled from one of them into a report.

The continued by demoing modifying the report (adding a chart). They then showed creating a new report and adding it to a dashboard. Positioned that business users can do this (do not need to get IT involved).

Summary
This was one of the better OBIEE presentations I've seen. One area I'd like to see more is a comprehensive story about how people will be able to snap these new applications onto their existing ERP solutions. This may not make sense in this presentations, but I believe that one of the primary factors in making a purchasing decision for OBIEE versus the products sold by other BI vendors is the effort to get it up and running (and really demonstrating to folks how these new applications are going to provide a seamless integration with their existing solutions... right now, I see a lot of hand-waving going on instead of showing exactly how this will work across data models of different releases of Siebel, PeopleSoft, and e-Business suite).

Labels: 2008, Collaborate, Events

Presented by: Eric Dickmann, Financial Services

Because so many of our customers are part of the Financial Services SIG, I wanted to make sure I attended this session to see what was going on here (especially since last year Amira Morcos had mentioned that there would be a business unit and general manager for this practice).

Eric is the new General Manager of the financial services IBU (discussed in this blog entry)

It was interesting to see the difference between approaches of PeopleSoft and Oracle to the Financial Services industry. Eric went through his solutions map for all 3 areas in financial services: Banking, Insurance, and Capital Markets. Where PeopleSoft focused primarily on the analytics and back-office solutions, Oracle will approach the market across all aspects of the industry including the front-office and point of sale systems (which is something PeopleSoft didn't address).

General Strategy
He described the goals of the financial institution within the following categories:

• Customer intimacy


• Competitive differentiation


• Cost effectiveness


• Compliance to regulation and risk mitigagion


• Service and speed are differentiation in industry.

He descripbed the execution strategy of his group as follows:

• Process driven


• Pre-built


• Ineroperable


• Flexible

Oracle's approach will be to assemble existing assets. Also to provide mulitiple deployment options for customers that include hosting, packaged products, or tools and custom applicagtions.

These solutions will cover all the way from front office to back office. Showed the product footprint for different areas - solution maps. These are available at http://www.oracle.com/industries/financial_services/index.html .

Product
From a product perspective, the solution will cover the following main areas

• pre-built integrations for a ccount origination


• Governance, risk, and compliance for financial services


• advisor desktop


• claims management


• profitability and asset/liability management analytics (new products)


• flexcube with oracle identity managmeent

Compliance
On the Compliance side, the solution will include GRC for banking, insurance, capital markets, covering

• sox


• mifid, regnms


• operational risk


• compliance risk


• basel 2 and 1a, solvency 2


• aml, kyc, fraud prevention

Role of Siebel
Siebel looks to be a very important part of the financial services strategy:

• Siebel will cover a good amount of the back-end systems, such as Siebel CRM as bck-end for account origination (this will integrate with i-flex's flexcube for identity management).


• Siebel CRM on demand for advisor desktop. first pre-built hosted crm solutions for wealth management. web services. shows user interface and analytics.


• Enterprise claims management solution - partof siebel 8. claims management, context management, financial hub, back office.

For dashboards, Eric showed a few dashboards related to SOX and gauges of status of controls. powered by the OBIEE framework. He did not discuss where data is coming from and said that this is new. This means that PeopleSoft's solutions in this space is not going to be part of this solutions map.

Profitability - this is where PeopleSoft was strong. Instead of using PeopleSoft EPM, Risk Weighted Capital, and Funds Transfer Pricing, Oracle will be using OFSA and OBIEE as the solution for this.

Questions:

Question	Answer
Can you talk more about what's going on with PeopleSfot financial servces side?	If you're a PeopleSoft customer, you will continue to be supported by applications unlimited. HCM will continue to be a focus area for PeopleSoft.
I'm another PeopleSoft Customer. Can you tell me more about what I can expect as a PeopleSoft customer about Fusion?	Everything you saw in this presentation is based on Fusion.

What I saw missing
I didn't see any mention of PeopleSoft EPM or the financial services analytic applications that were hosted on the EPM warehouse. I also didn't see any recognition of role of PeopleSoft GL in financial services organizations who are part of this Industry Group. By reading between the lines, it looks like the development team at Oracle isn't going to be focused on these areas, even though the the vast majority of attendees (>80%) categorized themselves as PeopleSoft customers.

Summary
It will be interesting to see how this strategy plays out. The Oracle solutions map is definitely much envcompassing than PeopleSoft's, especially in the banking and CRM areas. This could be a good opportunity for them. With respect to corporate performance management, compliance, and analytics, I think that Oracle will have a challenging time getting traction with much of the members of the industry group until they come up with a better story for organizations using PeopleSoft Financials and EPM. From an engineering perspective, I believe packaging analytics in OBIEE that are targeted specifically to EPM (funds transfer pricing, risk weighted capital, etc), as well as PoepleSoft Financials will allow them to extend existing solutions with new products and features versus leaving it up to the customer to figure out how to accomplish this themselves.

Labels: 2008, Collaborate

In honor of "Enterprise RSS Day", we thought we'd offer something to help kickstart some Enterprise RSS action for PeopleSoft customers.

One of the reasons why Enterprise level RSS is not more popular is that most RSS news readers don't understand the security rules of enterprise applications. Some RSS readers understand HTTP level authentication, but I'm not aware of any enterprise level applications that actually use HTTP level authentication. Everything that I've ever seen is forms-based (I'm excluding fancy options like smartcards, biometrics, etc.; just what comes out of the box).

If the news readers can't get into the enterprise system, then the enterprise system owners never feels any pressure to produce the RSS feeds. Classic chicken and egg problem.

So, what is Grey Sparling doing to help?

As you're probably aware, Grey Sparling has a Desktop Single Signon product for PeopleSoft that uses your Windows login credentials to establish your PeopleSoft session for you. We also have a new PeopleSoft specific Web Application Firewall, which we call ERP Firewall for PeopleSoft.

Combining the two of them allows us to offer the ability for desktop based RSS news readers to establish a PeopleSoft session for the user, but only for RSS feeds! The session can't be used for any other purpose but reading RSS. The user can still login to PeopleSoft themselves and do their regular work, but the automatic login for the news reader is blocked from doing anything else.

The PeopleSoft session that the RSS news reader uses is logged in as the actual PeopleSoft user, so all regular PeopleSoft data security is applied to the feeds. Take a look at some of the proof of concept RSS generation from PeopleSoft that Brent Martin put together to get some more ideas about how you could do this in your organization.

Great, how about a freebie?

To get things going here, we're going to offer a free copy of this to some one out there. If you win, you'll get full support and assistance just like any paying customer, which means a production instance of a PeopleSoft, along with as many dev and test instances that you use to support that production instance. No user limits, no CPU limits, etc. etc.

There is a catch though.

We're going to do a lottery to pick a winner, but in order to get your virtual hat thrown in the ring, you have to come up a few good scenarios where you'd put this to use within your organization. Ideally this would be something that you'd be willing to share as a case study (maybe a user conference presentation or something).

You can either email us "enterpriserss at greysparling.com" with your ideas, or better yet, post a comment here or on your blog.

Anything else to be aware of?

• In order to use this you need to be able to install software in your PeopleSoft environment.
  
• The RSS news reader that gets used should be something that runs on each user's desktop. This is because it's the Desktop Single Signon product that is providing the news reader access into PeopleSoft. If you use a server based news reader, then it won't be able to use your existing Windows login. There are some ways that this could be enabled in the future, but nothing that we're ready to provide today.
  
• Since this uses your Windows login, it's only meant for people that login to your Windows network (so this doesn't yet help with providing your external customers access to PeopleSoft RSS feeds).
  
• What we're offering is around the security of RSS access, not actual RSS feed content. Take a look at Brent Martin's blog entry for ideas on actually creating RSS feeds inside PeopleSoft.
  

Labels: 2008, EnterpriseRSS

Session 2886 in the OAUG section.

Monica Nelmes Elliott
PeopleSoft Product Marketing
Approva

Dr Marilyn Prosch, Ph.D., CIPP
Department of Accounting
Arizona State University

Monica is beginning the session by talking about when she was victimized by identity theft a few years back. A Fortune 100 company using PeopleSoft had someone access her account, open up several lines of credit. Big nightmare. So she's very passionate about this issue now.

Prior to bringing Dr. Prosch up, she takes a few questions. One was about being able to monitor specific users in PeopleSoft (maybe some new call center employees that you're worried are trying to pull up too many accounts or something). She said that Approva announced a partnership at the conference with a company, Lumigent, that does database monitoring (here is the press release )

Now Dr. Prosch is up. She's been in this area for about 7 years, came in from systems background. Has several slides showing all of the different organizations that have had privacy breaches in 2007. She mentioned that Arizona (where she is from) is now ranked first in the U.S. for identity theft, and that the governor there has just appointed 2 new positions for this.

Dr. Prosch says that PeopleSoft is used in many the organizations involved in these breaches. Most are not system hacks, but data downloads where the data/laptops get stolen or from backups that get lost/stolen.

39 states now have identity breach laws, but she does not believe that the federal government is going to do anything soon, so you're essentially required to know about the rules for all of the places that you do business (ed: of course, this is true globally as well).

Talking about FTC being more likely to be lenient if you are at least showing that you are taking action

The Federal Trade Commission is going after some big cases now. These can have a pretty significant financial impact on an organization. However, she believes that the FTC is more likely to show some leniency if you can show that you were taking action towards preventing breaches before the breach occurred.

The discussion then went into the concept of GAPP; Generally Accepted Privacy Principles. Much like GAAP (Generally Accepted Accounting Principles), the idea is to codify best practices for privacy. These are available to download for free and can be applied in your organization today. If you want someone to verify/audit your compliance with GAPP (maybe a business partner mandates this), then you can pay an auditor. The GAPP framework should address most major privacy legislation (domestic and international). It has 66 principles across 10 categories.

Dr. Prosch is now talking about the concept of Continuous Privacy Monitoring. She's showing a 5 stage "privacy lifecycle" chart. Stage 1 is ad-hoc efforts around privacy, stage 4 is being ready for a GAPP audit, and stage 5 is continuously monitoring privacy within your organization (ed: to continue the accounting analogy; being able to close the books at any time, instead of just at month's end).

Monica is back now talking about defining security rules for roles and permission lists in spreadsheets. How many people can answer who has access to a given piece of data after PeopleSoft has been running for awhile?

She's giving a list of example fields to monitor in different PeopleSoft products (the actual field names in PeopleSoft, not just what the fields are). Approva can monitor all uses of sensitive fields in PeopleSoft. Joel Hutchison is an ex-PeopleSoft person who is the main developer for this. He's sitting in the audience, but can take questions.

It would have been nice to see a bit more detail about this or maybe a demo, but overall it was a very good session.

Labels: 2008, Collaborate, Security

Session 3291 in the OAUG section.

I went to Sylvain Nguyen's presentation on PeopleSoft global rollouts. Sylvain used to be a manager for PeopleSoft Global Financials development, and is now the CEO of Ataway. Ataway is a consulting company that specializes in PeopleSoft (note that we've worked with them before)

I came in about 15 minutes late, because the OAUG tracks are not sync-ed up with the Quest tracks timewise. Which is probably driven more by scheduling lunch for everyone here than anything else. Sylvain was in the middle of discussing the question "How can a global rollout be cost efficient, fast paced, and with quality when so many odds are stacked against it?". This then led into a series of Dos and Don'ts.

Do

• Define template based global methodology
• Identify business leaders and analysts in the US and local countries
• Use local resources in the project team

Don't

• Start user requirement gathering before corporate business processes are mapped
• Underestimate the impacts of working with remote teams

Do you have a US based team travel to each country to gather requirements? Sylvain recommends having local people onsite for the project implementation. They know the business practices, they know the culture, so they can be of great assistance.

Gathering local requirements. When planning deployment, the first thing to do is identify/document your proper business processes. If the core business processes are documented then the requirements gathering is much easier.

One other thing that Sylvain recommended is to avoid consulting companies that don't have global experience. He gave an example of an implementation where consulting company didn't know what VAT was, so they left it to be calculated manually. The local users thought this was a joke since the most basic local packages would do this automatically, but they were told that PeopleSoft was state of the art, etc.

The presentation then got into data strategies. It's common to have a single set of vendors, a small number of setids for US based implementations. That probably won't work for a global deployment, so if you haven't looked at how PeopleSoft supports this, then it's time to learn. (note: a great resource for this is our weblog post on SetIDs and Business Units).

One thing that comes up in some implementations is that the local users already know English, so people wonder why it's necessary to have the global support. Sylvain gave an example of Japanese users that know English. But they need to interact with other people that don't. If you send an invoice in English in Japan, you probably won't get paid because the mailman won't know how to deliver it. So you do need to be sure that your Japanese users can enter things like addresses in Japanese.

Do

• Trust psft features around global
• Prototype early as possible
• Involve local business leaders in review of designs. Implementation time is too late.

Don't

• Underestimate the impact on existing customizations
• Forget that production support will have to change to handle global users and requirements

There was then a short performance discussion. Most people understand about wide area networking and that there may be performance issues when you have users half way around the world. But you also have to consider things like running batch jobs in the middle of the night in the US. There's never really a good time to do that in a global implementation because it's always someone's work day. So you have to look at better tuning of batch or even locking out users from targeted areas while batch is running.

Global deployments also impact your support organization. If a critical business issue happens at 3am headquarters time, who takes the call? (Hillary!) Would you allow the local teams to make code changes to do a critical fix if needed? Would you make your project team at headquarters wear pagers? Sylvain recommends setting service level agreements up front for these sorts of things so that it can be decided upon rationally up front, instead of waiting for a crisis to happen.

Do

• Identify and train local SME as early as possible
• Assign dedicated local support analysts
• Train the support team on the new processes and features

Don't

• Underestimate time and cultural differences in resolving problems.
• Think the project is over when the country is live.

Sylvain gave an example of a project review where there were no complaints about the new country rollout in Japan. As it turns out, the users were unhappy, but did not want to say anything. This is just a cultural difference, but the project team was not aware that no complaints was not the same thing as no issues.

One question came up at the end was about whether or not to use a single PeopleSoft instance or multiple PeopleSoft instances for development when you have different development teams around the world. Sylvain recommends a single instance so that you don't have to worry about missing changes from one environement. There were a few nodding heads in the audience that Sylvain pointed out.

Labels: 2008, Collaborate, Global

We had an interesting situation with one of our customers recently where creative use of one of our products, the ERP Firewall for PeopleSoft, saved the customer from having to do an emergency PeopleTools upgrade. Needless to say, the drinks are on them at Collaborate.

For those that aren't familiar with our ERP Firewall for PeopleSoft product, it is a Web Application Firewall that has deep knowledge of PeopleSoft applications. It doesn't just requests coming in as URL strings that someone can write regular expressions to process, it sees the request in the context of PeopleSoft. It knows what a PeopleSoft component is; it knows what a Web Profile is, it understands PeopleSoft security, etc.

The problem that our customer hit was that when someone enters an invalid password logging in to PeopleSoft, PeopleTools would drop the portal and node name from the URL. Normally this wouldn't be a problem because most people are accessing the default portal in PeopleSoft (generally the EMPLOYEE portal). When you login to PeopleSoft and don't specify a portal, you get the default portal. Makes perfect sense.

However, when you also have a large number of customers accessing the CUSTOMER portal, then it gets more interesting. The customer end user attempts to login at https://some.host.com/psp/ps/CUSTOMER/CUST/h/?cmd=login . They enter a bad password by accident, and then they get redirected to https://some.host.com/psp/ps/?cmd=login along with the standard message saying that the username or password is incorrect.

So they type in the correct password and get logged in. Except now they are pointed to the EMPLOYEE portal (because the CUSTOMER portal reference got removed). And not being an EMPLOYEE, they don't have access to anything. Oops. Their session is valid, but the URL is pointing to somewhere where they get nothing.

Turns out that this is fixed in a PeopleTools patch (8.48.13 for the 8.48 codeline, I'm not sure about other PeopleTools versions), but the customer was live with an earlier patch release in the 8.48 codeline and was concerned about dropping a new version of PeopleTools in.

Since they have the ERP Firewall product already (they use it for restricting employees from using the customer facing / internet accessible web server and force them to go through web servers that are just for employee use) we decided to treat accessing the EMPLOYEE portal as a security condition that we want to detect. However, instead of doing something like blocking access, we calculate the proper CUSTOMER portal URL and silently redirect the user there. So we're actually using a security tool to solve a usability problem.

You might think that just replacing EMPLOYEE with CUSTOMER in the URL would be enough to solve the problem, but there were a few wrinkles which ended up making the ERP Firewall piece a really good fit.

Part of the challenge was making sure that we kept all of the users correct context when redirecting. Most users would be coming through the portal home page, but some might be coming in from deep links into order history or from bookmarks, etc. So we couldn't just have a single URL to redirect people to.

The stickier problem was that the ERP Firewall needed to redirect differently based on whether the person was logged on or not. If the user was not logged in, and we redirected them to the CUSTOMER portal home page, PeopleTools viewed that as a login attempt, and gave the user the signon page. Normally PeopleTools handles this quite well; an attempt to hit a deep link in PeopleSoft when you're not logged in gets you the signon page, and once you login, you go to that deep link that you originally requested.

However, due to this bug, the CUSTOMER portal was getting dropped again, so it was necessary to append the cmd=login parameter that PeopleTools recognizes as a request for the login page. Of course, if the user is logged in already and you redirect them with a cmd=login link, then you just killed their session.

The nice thing is that the ERP Firewall for PeopleSoft has the deep knowledge of PeopleSoft to make this trivial. It knows what a PeopleSoft portal is, it knows what PeopleSoft roles a user has, it knows whether they are logged in or not, and it knows how to properly generate and/or modify PeopleSoft URLs in a safe fashion.

Of course, it knows lots of other things as well. Let us know if you'd like to learn more about it.

Labels: 2008, Firewall, Security

Larry recently mentioned that we had finally recorded a Flash demo for the client/server portion of our Desktop Single Signon for PeopleSoft product. In a nutshell, what it does is let your developers and reporting power users (Query, nVision) access PeopleSoft without getting prompted for their login. Instead, their Windows/Active Directory credentials that they used to login to the network are used to establish their session.

One interesting aspect of implementing our Desktop Single Signon with the client/server support is that you can now run a PeopleSoft system without anyone(3) having a password inside PeopleSoft. You'd still have the accounts needed for booting the appservers, process schedulers, etc., but no passwords that a human (1) would ever use would need to be stored inside PeopleSoft. Even developers or people promoting changes from one PeopleSoft instance to another (such as from test to production) would not have passwords within PeopleSoft.

What's really cool about this is that it leverages something that has existed since PeopleTools 1, which is the psuser.dll user exits. PeopleSoft delivers psuser.dll without any delivered functionality in it, except for a couple of C functions that PeopleTools will call at login time. The delivered psuser.dll does nothing, but PeopleBooks documents how you can supply your own implementation to override signon logic for 2 tier and 3 tier connections.

Back in the client/server heyday this functionality was used by a few different vendors for doing client/server single signon. The only one that I could find from a few web searches was Novell's Single Signon for PeopleSoft, but they appear to have given up on that as of PeopleSoft 7.x. In fact, they don't even list PeopleSoft at all in their list of applications that they support (2). So, Grey Sparling is the only vendor selling a client/server single signon product for PeopleSoft 8 applications today. We're first and last to market!

All kidding aside, it is interesting that no one does anything with the client/server aspects of PeopleSoft, since you quite literally can not run a PeopleSoft shop without at least some people using the client/server tools.

When your developers make a change to PeopleSoft, it is typically done through a 2 tier Application Designer session. Same thing for promoting changes between different environments. Same thing for applying maintenance. There are also still a number of places that use the client/server reporting tools. I know of a few places where the 3 tier Query users number in the hundreds (including one customer with somewhere north of 800 Query users).

And there are no password controls for 2 tier connections. If someone's password has expired and they try to login via 2 tier, guess what happens? They'll get logged right in. Why? Because there is no signon PeopleCode for 2 tier connections and password controls are enforced with signon PeopleCode.

Another interesting wrinkle with giving 2 tier access is that you may be inadvertently circumventing other security measures that you have in place for PeopleSoft web access. How?

Suppose that you use the delivered PeopleSoft support for validating your user logins against an LDAP directory. Your users type in their username and password in the standard PeopleSoft signon screen in their web browser and the PeopleSoft application server tries validating those against the LDAP server, where there are more stringent security measures in place than PeopleSoft supports.

Except that PeopleTools will always try the username/password against the PeopleSoft database first, checking in the PSOPRDEFN table. You can't disable this behavior (which is documented in PeopleBooks). Your 2 tier users can login to a PeopleSoft web session by just using the same user/password that they use for 2 tier. The LDAP server will never be consulted and neither will any PeopleSoft password controls.

Most PeopleSoft shops deal with this by having anyone that has 2 tier access use a different user account for client/server sessions vs web sessions. That is better than bypassing security controls, but most auditors are not too happy about people having multiple accounts for the same system.

So if your PeopleSoft auditors haven't hit you up on this issue, it's probably because they don't realize that it is an issue.



One interesting technical implementation detail is that although we plug in to the client/server tools through the delivered PeopleSoft user exit, we actually utilize the web single signon to establish the client/server session (including mapping from your Windows user name to your PeopleSoft user account name.

This means that we could potentially port the client/server single signon part of Desktop Single Signon to work with other web single signon products that support PeopleSoft (e.g. Oracle, Sun, IBM/Tivoli, home grown, etc.). No promises, but let us know your thoughts if you're interested.




(1) You would still have the database level accounts that are independent of the application being used (i.e. SYSADM or sa). I wasn't implying that DBAs aren't human though. Some of my friends are DBAs :-)

(2) Novell does still list SAP's Windows client's (SAP R/3 front.exe and saplogin.exe) in their list of supported Windows applications.

(3) See the comments. Brent Martin thought of a use case that I had forgotten about (but shouldn't have!).

Labels: 2008, Security

Back in the early days at PeopleSoft we used to ship software on floppy disks. A whole boatload of floppy disks. There was even this really cool floppy disk duplicator that we had where you would load in a stack of floppies, with the source in one stack, and blanks in the other. I think it could handle something like 50 disks at a time. Jay Hann would know for sure. Anytime the disk duplicator broke (basically whenever you looked at it), he was the one to get it going again.

Then this magical thing called a "CD" started getting popular enough that we could ship all of our software on 1 CD, and have room to spare. Wow! It wasn't quite as good as regular backup tapes, but still a huge leap forward.

A quaint blast from the past, eh? Well, I felt like I was transported back to that same era earlier today while looking at various escrow services out there (that's "escrow", as in code escrow, not escort services Mr. Spitzer). You see, we ship a lot of source with our applications, but we do have some parts that we do not ship the source to (and yes, just shipping all the source would make the question of code escrow go away). We had a customer ask about source escrow recently so we started looking into it.

The various escrow services all seem to be focused on the idea that once in a blue moon you will have a software release, send them physical copies of the software, and they will provide announcements that you have done so to the customers that you have deemed as beneficiaries. All this for several hundred dollars per customer per year.

Even worse, it doesn't appear that those entry level prices include much in the way of validating the code. A recent CIO magazine article about source code escrow mentions an incident with Radisson Hotels where they ended up having to get code out of escrow, but couldn't use it, because it was missing objects, etc.

The article does have several comments that complain that the authors should have mentioned that best practice is to "audit" the code escrow. But, none of the commenters, nor the escrow sites, has any good details about this audit would be performed. I'm sure that people with regular code escrow experience know a few tips and tricks about this, but I don't see too many of them blogging :-)

In a perfect world what would happen is that when we signed up, they'd give us a Subversion post-commit hook that we could use to mirror our version control commits to the escrow service. Then we'd give them the configuration for our Continuous Integration server (we use and love Hudson), so that the escrow service could run the same builds that we do. Heck, they could even use Hudson's email notification services to send the build logs and unit test results to customers as proof that they are actually receiving code and it is at least in semi-decent shape.

For the customer that then wants to do even more auditing, the escrow service could make the generated binaries available for the customer to test with. If those still work properly, then that's a pretty good sign that the escrow service is working properly.

The crazy thing is that this wouldn't be all that hard to do, or even that expensive. Maybe you wouldn't want to actually send all of your commits over, but it would be easy enough to limit what gets sent to release branches and not current development work.

The biggest challenges would be things like customer A is only entitled to version 1 plus maintenance releases, while customer B gets everything, etc. But figuring out those details is the value add that an escort (whoops - escrow!) service can provide. Most of the rest of it would just a bunch of hosted servers and some fairly standard configuration.

So will someone go build that so that we can toss out the CD burner. Please.

Labels: 2008, Business, VersionControl

Here is a list of events in which we'll be participating in the coming months. We hope to see you there.

Labels: 2008, Events

Steve Chan has a link to an iSeminar from Cliff Godwin with some real meat about details on how the technical upgrade to Fusion is planned to work.

The screenshot from the presentation on Steve's website nearly made me spit out my drink though. The actual title of the tool is called "Upgrade Assistant for Fusion". One of the bullet points says "Leveraging the best ideas from PeopleSoft Change Assistant".

Don't get me wrong; the PeopleSoft Upgrade Assistant (which became Change Assistant after it learned how to deal with maintenance as well as upgrades) is a whole heck of a lot better than some of the old manual processes in PeopleSoft upgrades, but most PeopleSoft customers aren't huge fans of Change Assistant. Change Assistant has been around for awhile now¹, so a lot of folks have forgotten how much of an improvement that it really was.

In fact, when we first started Grey Sparling, we considered doing product packaging as Change Assistant Change Packages (A "Change Package" is essentially just a .zip file that obeys Change Assistant's structural conventions about what files/directories are in it; similar to the Java .jar file format), but we got a lot of pushback. Customers told us that they didn't use Change Assistant for anything beyond just standard PeopleSoft maintenance, and therefore didn't have it up and running in demo and test environments, which is typically where people install our evaluation versions.

What Change Assistant Needs

What does Change Assistant really need, even before Fusion? Two things.

One is to beef up the logic for dealing with large volumes of patches and fixes. There's one bug in particular that rears it's head regularly where there will be pauses of several minutes between each file being copied. I've seen this in action at customer sites and it came up as a question during one of the OpenWorld sessions as well. It's not a slow file copy; each file gets copied quickly. It's more like some sort of "don't swamp the network" logic swung the pendulum too far on the conservative side. People really hate this.

The other is a bit more focus on using Change Assistant as part of the regular customization process. Application Designer actually has support for PeopleSoft customers to create their own Change Packages when doing custom development, but it's not well documented or supported. This forces customers to require other procedures in place for moving customizations around (since even to this day, there are almost zero PeopleSoft shops that don't have any customizations). Since customers end up dealing with this, learning (and understanding; see item 1) Change Assistant is viewed as an extra cost.

In keeping with that second item of better integration with customer development processes, we here at Grey Sparling will have some Change Assistant integration for our version control product. Since we're already dealing with all of the pieces of a Change Package anyways (App Designer projects, SQRs, Crystals, etc.), it makes sense to go ahead and add knowledge of what a Change Package is to the product so that you can version your PeopleSoft Change Packages just like anything else and have that more deeply integrated into your development processes.

1) The number one hit on Google for "Change Assistant" is a link to the original Change Assistant Flash demo from back in early 2004. If you watch the actual demo and pay close attention you can actually see one of the demo environments labeled APOGONOS.

Andrew "Pogs" Pogonoski was the original product manager for a bunch of the work that went on to actually have PeopleSoft be able to deal with all of the Customer Connection integration and hosting the Web Services that provide Change Assistant with it's data. All of the actual demo that you see in the movie is him working away.

It's safe to say that without Pogs' diligence at the large amount of cat herding involved that Change Assistant never would have gotten off of the ground.

Labels: 2008, Fusion, Sysadmin, Upgrade, VersionControl

Well, I was going to just ignore this whole Oracle blogs tagging thing, but Rich is a good guy and he tagged me. Besides, some other normally curmudgeonly folks have ponied up (of course some others have not), so what the heck.

1. I once tried to get Baer Tierkel to start a second PeopleSoft company band doing nothing but punk covers. The band was going to be called the "Sex PSTools".


2. Both of my kids were born in the same hospital as me.


3. I've crossed the equator around 45 times, been to 35 different countries, 49 states (Alaska still eludes me), and 6 continents.


4. I have given PeopleTools presentations completely in Spanish before (but I'm a bit rusty these days though)


5. I went to the same high school as Rick Bergquist (where's that blog Rick?) and Anthony Damaschino. Knowing Anthony is what actually got me into PeopleSoft to start with. Anthony had gotten our friend Doug Ostler (also, no blog, but makes up for it by being in the Hopyard "Hall of Foam") into PeopleSoft, who then helped get me into PeopleSoft. I helped the chain along by getting Willie Suh to join PeopleSoft. Willie is still there as a Director of development in PeopleTools.


6. As a direct result of item 4, I have actually done a SQL Alter on a PeopleTools system table in the middle of a presentation. A beta version of PeopleTools 7 had a weird bug where the related language table expected 3 columns when INSERTing new items, but 4 columns when doing UPDATEs. There wasn't enough time to swap the base language before the presentation, so the SQL Alter trick was needed.


7. I invited a new sport called "car hiking" in the Swiss Alps. My wife still gets nervous thinking about it.


8. I'm wearing "footie" pajamas right now. Seriously.

No time for lengthier explanations than that though. Gotta get back to my yak shaving.

Labels: 2008, Personal