System Availability. This is a very important topic, that has received a lot of attention, especially in the area of handling system failover, redundancy, and disaster recovery. This is obviously and important topic, but for most organizations, represents the smallest fraction of system outages with their PeopleSoft applications. It is the planned outages where an organization needs to kick people off the system to perform system administration functions that represents the majority of downtime for most PeopleSoft environments, and the one area that we will discuss in more detail in this blog entry.

System Maintenance and Downtime

In a PeopleSoft environment, there are 3 main drivers that drive planned outages:

• Minimizing online access during normal batch windows.
• Performing system administration functions, such as backups
• Applying PeopleSoft maintenance or performing a PeopleSoft upgrade

The real goal of the outage is to ensure that end-users are not accessing parts of the system that are being affected by the processing, maintenance, or upgrade.

It's just the way it's done...

Because your PeopleSoft application is architected and managed as a single entity, most organizations need to block access to the whole PeopleSoft application regardless of what pieces they are administering. Quite often this is accomplished by having a web server that services the general population, and a different one that services the people performing the administration. When the system is unavailable to the general population, that web server is simply brought down.

So, how do I reduce Downtime?

Well, you're never going to be able to eliminate the need to have an outage. You're probably also not going even have a dramatic impact on the amount of time you need to restrict access for your batch windows, backups, or upgrades without spending a lot of money on hardware or additional resources.

But don't despair. The way to look at this problem is not at the overall system level, but by breaking it up into the different areas that you wish to manage separately. For example, instead of bringing the whole system down because you are performing maintenance on Purchasing (see the following notification), just block access to the Purchasing entities, while allowing access to other functions, such as expense entry, to occur.

The following page is an example of how an administrator might bring parts of a PeopleSoft application down while leaving the rest up.

There are 3 steps to the process:

1. Identify and group together the parts of the system you want to manage together
2. Provide a user interface where administrators can block or grant access to those parts of the system
3. Provide a means where those pages look to the rules to either block or grant access

Implementation Options

Because we recently released our ERP Firewall for PeopleSoft, we quickly recognized that all 3 of these steps are already part of the feature set provided by the product. This means that after a 1-hour installation, our customers can start managing system access in this manner. Instead of describing that here, I'll simply provide you the link to watch the demonstration for yourself.

If you're not in the market to purchase an application that automatically accomplishes this and are willing to do a bit of coding yourself, there are other options available to you as well. Probably the best option is to implement generic firewall product on your web server. There are several out there, including open source application firewalls (like ModSecurity.) Because the component name is part of the URL, you can have the firewall see if the page falls under the list to be blocked and whether the user is an administrator and allow or deny the request based on that.

Notification

Finally, because users need to be able to plan around these outages (especially when the whole system is brought down for any type of maintenance), it's also important to be able to notify users ahead of time. Although email is the most common method used today, email just doesn't cut it most of the time (especially with all the spam people are receiving nowadays). We're seeing a lot of folks using social networking tools, such as blogging and twitter to do this. Here are a couple of items that we recently found:

• Here's a blog post notifying users of a planned PeopleSoft Financials outage.
• Here's a tweet that notifies users of an outage due to year end processing.

Both of these techniques allow people to set up an RSS feed to tell them when there's something new to look at (which may work well if your users are RSS feed savvy). Two other techniques are to update the portal home page and/or the PeopleSoft signon page to display a message.

One technique we've added as a feature to our ERP Firewall is to display a notification inside the PeopleSoft application upon access to PeopleSoft. This provides the information in the context that a user would use it, and also makes it harder for users to ignore it because they have to look at it before they can move to the next step. Again, when you have a product that knows how use rules to manage the display of PeopleSoft pages, this feature became very easy for us to add.

Labels: Firewall, Products, Security

In the past few weeks, we've had a lot of interest in our new Version Control for PeopleSoft product. For those interested in learning more about it, here's a link to the product pages (with a full demo embedded into the "Demonstration" tab).

http://www.greysparling.com/GSVersionControl.html

If you aren't using anything for Version Control for your PeopleSoft objects, you'll definitely want to check it out (and share it with others in your organization).

Feel free to contact us at Info@GreySparling.com if you are interested in trying this product out.

Labels: Products

Workflow History

When workflow was first added to PeopleSoft 5 back in 1995, the mantra was the three Rs: Rules, Roles, and Routings. I'll bet that Rick Bergquist still has dreams where he is talking about rules, roles, and routings :-)

Routings are the part that I wanted to highlight here. The two primary mechanisms for routings that PeopleSoft delivered as part of PeopleSoft 5 were worklists and email.

Worklists are great for people that spend a lot of time in PeopleSoft applications and have enough activity being routed to them that they actually check their worklist, but the broader audience does not typically login to PeopleSoft to check their worklist to see if there is anything waiting for them to do.

It's sort of shame that more work didn't happen on pushing out PeopleSoft worklist entries to whatever the end-user really use as their "stuff I need to do" list. There are some decent APIs that PeopleSoft delivers these days for accessing that data, but I'm not familiar with them being used for generically pushing PeopleSoft worklists into something like the Todo List functionality in Outlook or Lotus Notes.

In the absence of integrating their worklist entries with something else, most people ended up just using email as the primary mechanism of notifying people that they needed to do something like approve a purchase order in PeopleSoft.

Issues with Workflow Email Notifications.

There are some problems with relying on email though.

Please Do Not Reply To This Email.

Historically the emails generated by PeopleSoft came from a system account, instead of being from an actual person. So PeopleSoft customers would make sure that the emails that were sent out all had text in them telling the person "please do not respond to this email".

Makes sense, except that the whole reason that we're sending out emails is because of it's universality. Getting an email that you can't respond to is kind of like getting phone calls from the robot dialers that political campaigns use; pretty annoying.

In newer releases of PeopleSoft this is less of an issue because there are more places where application developers took advantage of the ability to generate emails themselves in PeopleCode with more control than the core workflow framework provided. In fact, the Financials/Supply Chain development group did enough of this that they wrote an entire workflow framework using PeopleCode application classes.

In PeopleTools 8.48, that code (known as Approval Workflow Engine) was moved to core PeopleTools so that all applications and customers could use them. So if you're up on an applications release 9.0 and higher, be sure to take a look at that.

Stop Sending Me So Many Emails!

We've talked with a number of PeopleSoft customers over the years that have ended up turning off workflow because of user complaints regarding the sheer volume of email that they receive. In fact, we just had someone searching our blog today for how to turn off notifications in PeopleSoft HCM.

The problem is that each event that happens (purchase order is entered) and the notification is tied directly to that. Immediate notification is important in some scenarios (confirmation of a customer's order, employee terminations, etc.), but when someone in management gets 12 expense report, 15 purchase orders, 9 regularly scheduled reports, etc. showing up in their inbox scattered during the day they sometimes get annoyed.

One way of solving this problem is to re-write your notification processes so that the event and the notification are de-coupled. When the event happens, save off the data (could be in the worklist tables or some other tables) and then have a separate process that delivers the notifications separately.

The problem with re-writing these processes is that it's time consuming and expensive, which is why a lot of people end up just turning off the notifications altogether.

The 1990's are calling and they want their email formats back

It's possible to send HTML email with PeopleTools, but a lot of the delivered workflow does not take advantage of this. On top of that the lengthy hyperlinks that can be generated for navigating directly to particular place in PeopleSoft (the navigation, plus the key values for pulling up the data) are not that attractive.

Who got what and when

Generating notifications as worklist entries leaves a rich history of when the notification was created, worked on, and closed out. There are some nice delivered reports that come with PeopleTools that can show this sort of information. Take a look at the PeopleTools delivered Queries that start with WF. There are some Crystal Reports for those as well.

Tracking email notifications doesn't happen unless it has been specifically coded into the notification process though. Lots of applications within PeopleSoft have added this functionality to key processes, but it's very tied to specific processes. There's no way to figure out what are all of the emails that a particular user is receiving (or see how many notifications are being generated for a particular process).



The topics discussed in this blog entry come direct from conversations that we have had with different PeopleSoft customers (especially from folks that are familiar with the email functionality in our Report Security and Distribution product; see the Report Notification section on the flash demo). Since we've seen continued interest in this topic, we went ahead and built something to fix it.

Announcing the Grey Sparling Email Proxy for PeopleSoft

Here is a high level overview of what the Email Proxy does:

1. It intercepts emails that PeopleSoft generates.
   
2. Classifies them according to your rules (who is getting it, what process is it part of, etc.)
3. Optionally rewrites the email
1. Provides nicer formatting, rewrite generated links, custom signatures, etc.
   
2. Combine multiple emails together (so someone that gets 20 purchase order notifications in a day can just get one summary email).
   

There are setup pages where you define the rules that you want for classifying the emails as well as the look and feel of the generated emails, as well as pages for being able to view the emails being generated, statistics regarding the emails, etc.

The Email Proxy server is in beta-testing now at a large PeopleSoft customer that services multi businesses with their PeopleSoft applications and should be generally available shortly.

Labels: 2009, Email, Products, Workflow

Continuing on in the cool stuff we've been working on series, I wanted to post something about a topic that goes way, way back.

Many years ago, Dave Yoder of Rainbird asked me at a DMUG user conference about how to get variable expansion support for file name references when building a project inside Application Designer.

Without having variables that you can expand, you always have to remember to change the name of the file that will be generated each time you build records/views/indexes, etc. It's really easy to forget and lose old copies. If you care about saving copies for yourself or for audit purposes, then it gets tiresome to always remember.

Here's some screenshots of what we have put together to address this particular issue. The first two screenshots show the Application Designer Build Settings dialog with the build log file set to c:\temp\%YEAR%\%MONTH%\%DAY%\PSBUILD_%DBNAME%.log. Here we are just changing the log file, but it works for any of the files that would get generated when doing builds in Application Designer.





The strings that are between percent signs (YEAR, MONTH, etc.) are variables that get expanded out to real values at the appropriate moment.

Here is what it looks like when you actually run the build.



As you can see, the generated log file has been created as c:\temp\2009\01\26\PSBUILD_PTSYS.log. Since today is January 26, 2009 and I was working in a PTSYS database, that's exactly what we expected :-)

There are also tokens for things like current hour, minute, second so if you like to do lots of builds in a short time frame you might want to take advantage of those as well.

In addition to things like date/time and connectivity info, there are also tokens that are supported by other Grey Sparling products.

For example, when you are using Grey Sparling Version Control for PeopleSoft you can also do things like reference which ticket number that you are currently working on. Here's the build settings showing the log file setting as c:\temp\Ticket-%TICKET%\PSBUILD_%DBNAME%.log



After running the build (note that our version control plugin is active now; it has to be to supply the current ticket number), you'll see that the build log file was generated as c:\temp\Ticket-4\PSBUILD_PTSYS.log. We could have included the date/time tokens as well if we had wanted to.



Now the build scripts, log files, etc. can easily be associated with the work that you are doing, and even automatically attached to the ticketing system if you want. That helps when your developers and DBAs need an audit trail of these sorts of activities. Fun to use and keeps the suits happy!

So if you run into Dave Yoder at a conference, be sure to thank him for coming up with the idea (and asking about it enough that it finally got built!)

Labels: 2009, ApplicationDesigner, Database, Products, VersionControl

Here's a quick little post on some cool stuff that we've been working on recently.

When you're accessing PeopleSoft via the web browser, it's pretty easy to see which environment that you are connected to - it's in the URL. But if you are using the client/server tools like PS/Query or Application Designer and have multiple sessions going, it can be hard to quickly tell them apart.

It would be nice if you could see what environment that you are connected to along with the current user ID directly in the title bar. Then you could see in the task bar (or in the window list when alt-tabbing) which session is which.



Which is exactly what we've done. If you take a close look at that title bar (click on the image for full size), you'll see that we have automatically prepended the current database name (HCM89) and the current user ID (PS) to the title bar.

Here's another picture of it in action when pressing Alt-Tab to cycle through the open windows. All of the Application Designer sessions now have good descriptive text in the title to be able to distinguish between environments.



This was done as part of our Version Control for PeopleSoft product. In addition to the current database and user ID, we also show which version control repository you are working with. If you look at the titles in the screenshots above you'll notice that some sessions are using a version control repository called "localdemo" (which is really just for experimenting/demoing) and some are using a version control repository called "gsdev", which is our production version control repository for Grey Sparling development. Definitely don't want to get those mixed up!

If you have an active ticket in the change request system that you are working on, we'll display that as well. In the screenshot below, I've selected ticket number 6 from the list of open tickets that are currently assigned to me and the title bar reflects that.



It's a not a huge feature, but it comes in very handy when you have multiple sessions going.

Update: here's what it looks with Windows XP "icon group combining".

Labels: 2009, ApplicationDesigner, Products, VersionControl

We're pleased to announce the release of our new Report Retention Manager product. After we posted the following blog entry, we had several PeopleSoft customers ask us about providing a product that allows them to more easily manage the retention of all their reports, provide a review step prior to distributing reports widely, and tracking signatures of report results.

Why worry about this?

Good question. As delivered, PeopleSoft provides only one option for setting report expiration settings. However, each report is not created equal in terms of value and usage. Therefore, organizations often incur additional cost in terms of processing load of running and re-running expired reports, storage capacity for storing all reports for a long period of time, and usability in either wading through long lists of drills and ad-hoc reports to find the ones they're interested in. This also doesn't consider the fact that you're not easily identifying and keeping your most important regulatory or control documents (unless you're doing it manually).

The Report Retention Manager automates this and allows you to manage it in the ways that make most sense for your organization.

More about the Product

Without covering everything that's already in the product page, this product takes a little different approach than what was covered in the blog. Instead of hooking the PSRF_REPORT_CREATE application message, we decided to leverage application engine. This is because we are supporting much more robust rules, we want to process higher volumes of reports, and we don't want to be dependent on organizations setting up Integration Broker properly. The product allows you to look at the reports that you've already run to help you make the settings. It also has components that allow end-users to participate in setting retention, reviewing and releasing results, and approving their reports.

Interested in learning more?

We've recorded a demo on the product page, but are also willing to do live demos and even let you try it out with a trial version. Feel free to contact us at Info@GreySparling.com.

Labels: Products

Well, it's official. We've expanded our add-in to provide lots of cool new features for excel output in PeopleSoft.

It's always interesting to see how one of your products gets used at a customer site and the value of it. When we added query features to the product, we knew they were cool (otherwise, why would you spend the time, right?). What we didn't realize how much it could change the way people use PeopleSoft.

What do you mean?

Well, we recently did some travelling to spend some time looking at how customers were using the new features of the product, and here's what we found.

• Requests for new Reports went to near zero.
• End-users were able to cut the time the spent looking for information in half.

Although we realized there would be some impact here, the numbers were surprising. However, this is merely an aspect of scale and is limited to the aspect of reporting. What really surprised us is how the feature of drilling to pages from queries changed the way end-users utilized PeopleSoft.

• End-users used queries in place of PeopleSoft search pages in the application, because the queries gave them a more efficient list of items to work.
• End-users also used our Excel drill menu in place of the PeopleSoft menus wherever possible because it allowed them to get to pages more quickly than using the PeopleSoft-delivered navigation (with the added bonus of passing the context from where they were)

And, finally the metrics: Some end-users at one customer were almost 50% more productive with these features because so much of the time spent using PeopleSoft for them was navigating to pages and finding the list of items that they needed to work. Bringing it all together and streamlining the navigation made a dramatic impact for them (and gave them the additional time to tackle other projects that had been languishing).

Want to learn more?

You can learn more about the product here. In addition, we've put together a flash demo that shows it in action.

Labels: Drilling, nVision, Products, Query, User

Although we've got a bunch of in-process blog entries, it's been much too long since our last posting (especially since our last set of posts weren't really tips or techniques). Although we plan to fix that in the coming days, I thought it might make sense to talk about what we've been up to on the business side of the house (most of which has come out of recent activity meeting with customers).

Excel Add-in Extensions - Part 1
Since we initially created our nVision add-in and began selling and marketing it, we've learned a lot about the PeopleSoft customer base and some of the things that drive evaluating and purchasing software. This deserves its own blog entry, so suffice to say that we've taken these learnings into account with new releases of this product.

The first thing we did was to extend the product to eliminate the need to package up code on the server. Yes, that means that this product has "NO CODE ON THE SERVER". We thought that was pretty funny, considering PeopleSoft's mantra. The benefit of keeping all code in the add-in is that the people evaluating the product can try it without having to change anything in their PeopleSoft environment.

Because we had to add code to manage the interaction between PeopleSoft and excel, a side benefit is that we've also been able to address many common issues customers have to face with the PeopleSoft version, such as proliferation the Ren Server windows (when excel isn't hosted in the browser) and locking of the excel menus (when the spreadsheet is hosted in the browser). This was version 2.0 of the product.

Excel Add-in Extensions - Part 2
At Collaborate, we also met with a bunch of PeopleSoft customers who wanted better formatting for their queries (even something as simple as column widths is problematic). Funny enough, the infrastructure we just developed for "no code on the server" also allows us to solve some problems with Query and add some pretty cool enhancements, such as:

• Query Context: desribing the query (record names, field names, SQL)
• fixing number formatting
• fixing column witdth
• other formatting, such as putting in company logos, etc.
• subtotalling
• automatically adding auto-filters
• drilling from queries to other queries or pages

Therefore, we've held off distributing code snippets from Collaborate to add many of these features to our add-in (version 3 of the product). We expect to release it before the end of next week (less than 1 month from the release the prior release), so look for an announcement on that (if you want to try it out as soon as it's available, feel free to contact us at info@greysparling.com ).

Desktop Single Signon Extensions - Part 1
This one also falls under the category of doing 2 things at once. As many blog readers know, we have a desktop single signon product that takes their windows credentials, determines what their PeopleSoft userid is, and automatically signs them into the web application. This product has been receiving rave reviews (even from folks we worked with at PeopleSoft who were our biggest critics... they know who they are ;-)

Anyway, we had just finished beta-testing a new release that adds support for the client/server tools. This means that customers who deploy the windows tools (such as PS/Query, PS/nVision and app designer) can take advantage of this as well. However, due to considerations with PeopleTools, this version only worked when the initial authentication was done through the app server (we could get into a long discussion as to why we decided to do this, but we'll leave that for another blog entry as well).

Desktop Single Signon Extensions - Part 2
Anyway, we had one customer who wanted to use this as a way to demonstrate to their auditors that they have appropriate safeguards against passwords etc (since the network userid and password are the only point of failure from that perspective). Unfortunately, one cannot perform upgrade actions (such as moving code from development to test) with a 3-tier connection.

Therefore, again, we found ourselves completing one release and quickly turning around and developing the next one (true 2-tier desktop single signon). We're finally ready to release that (but were pretty busy doing this to meet a customer's schedule).

PeopleSoft Reviews
Finally, we've been very busy taking the PeopleSoft Experts Corner to customers for quick, high-value consulting engagements. We call them PeopleSoft Reviews, and consist of 2 days onsite, with prep work and a follow-on findings report. It's a great value for folks who want guidance with respect to:

• Their most pressing PeopleSoft issues
• Improving how they develop, administer, and support their PeopleSoft application
• Planning their next set of development initiatives

We had a bunch of these leading up to Collaborate (focusing on things from Performance tuning, Development practices, Security practices, and Reporting practices). Much of the value to customers for this type of engagement is a formal "findings report, " which is essentially a roadmap of recommendations targeted to the individual customer. Because of this, we've been very busy writing them and packaging up code snippets that support our recommendations.

We're in the process of finalizing our schedule for this summer, so if you're interested in having us come onsite to provide recommendations for you, feel free to contact us at info@greysparling.com Here's a brochure that describes some of the things we can do for you.

Labels: 2007, Events, Products

Many PeopleSoft Customers literally have forests of trees that they need to maintain to support their various needs. Many times these trees are needed to support several different reporting structures over their data. Keeping these trees up to date over time can be a very expensive and time consuming process.

For example, insurance companies are required by law to maintain two different account structures: one for standard GAAP reporting and one for the statuatory reporting required by licensing entities. This means that at a minimum, two trees have to be updated each time a new account is added to the system.

Tree Maintenance Snapon

Over the past few months, we've had several companies ask us to help them reduce the time and effort needed to maintain their trees as well as reducing the inaccuracies that occur in their reports because of tree maintenance errors. We're just wrapping up development on a product meeting these needs, the Grey Sparling Tree Maintenance Snapon

Intriguing... So what does it do?

Great question! This product helps organizations better keep their trees up to date through the following:

• By identifying all the trees that should contain a given value and whether those trees actually contain them
• By helping users to pick where the values should be added to the tree and using some ingenious logic to try to apply the selection to multiple trees
• By exposing this functionality at the point where the valid values supporting a tree are maintained
• And, by allowing the same functionality to be leveraged after the fact, by enabling a user to add values to trees by generating a list of trees that should contain a value (and doesn't) after the fact

Here's a brochure that discusses it.

If you're interested in seeing how the product works, we've put together a short demo of it in action.

Okay... We've finally put up the product pages as well... Here's where you can learn more about it.

Labels: 2007, Products, Tree_Manager

With the interest we've gotten with the PSIDE Helper, we decided to put together another product that solves a niche need. This is nVision Context Helper.

What is it?
This tool shows you the context of any number in an nVision report (report instance or drilldown result). We've packaged it as an excel add-in that adds a menu item into Excel that can be used in place of the DrillToPIA.XLA.

Because it looks at the nVision results in Excel to identify the context, this tool has no server code that needs to be installed and configured. Register the add-in to excel, and you're up and running.

From a user's perspective, they merely select a cell in their nVision report and use the menu to get more information about that cell (GSDrill --> About this Cell).



Benefits
In other words, if your users or auditors ever wonder what went into a number in a report, this tool will tell them. It understands and displays criteria in the report, filters applied by scopes, report requests, and the act of drilling. It provides transparency to end-users that isn't possible with other tools.

More Information
We've put together a product page and flash demo, if you want to see it in action. We've also added this as a standard feature to the nVision drillling Snap-on.

Labels: nVision, Products

Wish Application Designer were easier to use? Everyone always does.

What's funny to me is that ever since I started using PeopleTools (PeopleTools 2!), each major release has been so much better than the last that I couldn't stand to use the older version. But the exact same release that would make me so happy when it came out was the same one that I couldn't stand a few years later.

There are ways of breathing new life into Application Designer though. We've just released a new product, the Grey Sparling PSIDE Helper, that does just that. It's probably easiest to just watch the Flash demo to see how it works. Suffice to say that if you enjoy being able to press Control-J in a PeopleSoft page to learn which definitions is being used so that you can then open it in Application Designer, then you'll really like this.

Labels: Products

For those who know about Report Manager, it's the PeopleSoft-delivered means of finding and accessing reports. For those who support people who use Report Manager, there are quite a few significant usability issues with it.

Issues? What issues?
The main issue with Report Manager is that it doesn't know very much about the reports that it manages, which means that it's limited from the start. It also has limited features to allow configuration of the behavior of this product. Because it's the primary means by which users access reports, these limitations have significant ramifications with the user satisfaction, adoption and productivity in reporting.

Unfortunately, most BI tools aren't a whole lot better in terms of managing and accessing reports.

So, how do you fix it?
Grey Sparling fixed it by doing three main things:

1. We capture the information that describes the content of a report.
2. We allow you to use that information in combination with information in your PeopleSoft application to provide a rich user interface for organizing, finding, and describing the reports.
3. We allow you to configure the behavior of organizing, accessing, and using reports.

The end-result is a product named Report Explorer, which is revolutionary in how it solves these problems.

What do you mean, revolutionary???

The reason its revolutionary is that it is the only product that uses artifacts in your business application to help describe and organize reports in business terms. It's also revolutionary in the amount of control you have over the behavior of the user interface.

So, how do I learn more?

I'm glad you asked. We've recorded a demo that shows the product in action here. We've also put out a marketing brief that describes it here. Finally, if you want to talk with us about it in person, our contact information can be found here.

Labels: Products, Report_Manager

(Sept. 20 update: since writing this we have created a Desktop Single Signon snap-on product that works with PeopleSoft Enterprise. Here's the announcement and here is the product page).

Single signon is widely desired, yet not widely understood. As usual with PeopleSoft, there isn't one simple answer, but the good news is that it's not that hard to get what you want. The biggest challenges are political rather than technical.

So, let's start by listing a few of the different common definitions of single signon. What most people mean (and want) is that a user signs on once in the morning and is then granted access to all other applications based on that signon. No additional login screens, etc.

Another common definition is that there is only one place for a user to authenticate with. No need to remember 17 different passwords from systems that have different rules about how often to change the password and how long it has to be. The drawback here is that the user still has to authenticate for each system that they access. I'll refer to this style as "single password".

Note that I use the word "authenticate" rather than saying "fill in their username and password". Although most environments are based on username and passwords, the best run environments go beyond just username/password in order to validate the user (think SecureID token).

One interesting wrinkle to all of this is somewhat PeopleSoft specific. PeopleSoft supports a notion of single signon between PeopleSoft instances.

If you have PeopleSoft HR, Financials, CRM, and EPM, then you actually have four different environments, not just four different product lines in one environment. There are some advantages to this loosely coupled model, but unified administration wasn't one of them. We actually made some progress at this at PeopleSoft towards the end, but it still never got to be as simple as administering one large system.

Given those four separate environments, PeopleSoft supported single signon between them. If a user logged into, say, Financials and then followed a link to the HR system they would not have to signon again. You do need to configure each system to trust each other (you don't want someone with access to a demo CRM system to be able to access your production Financials), but that is not difficult at all. PeopleBooks has good information on how to do this.

Note that the word LDAP has not yet been mentioned. LDAP is just a common place for storing user information (such as their password, their email address, etc.). By itself, it doesn't provide single signon. It only simplifies getting single signon working by having a standards-based common location for storing user credentials.

We made some big bets on LDAP support in PeopleSoft 8. When that came out back in 2000, there weren't really too many enterprise application vendors that supported LDAP. Of course, all of our customers in Higher Education had been telling us to do this for years (especially the University of Michigan). We even had fantasies about dropping our internal authentication support and using LDAP as the out of the box authentication mechanism for PeopleTools 9.

One problem that we had though was that when our field was trying to explain to other customers how this stuff worked, that the concept of single signon and LDAP got confused. Even to the point where the single signon section in PeopleBooks had to be changed to explain that they are not the same thing.

So, out of the box, you can get support for "single password" from the desktop level if your desktop signon uses a backend that supports LDAP (such as Microsoft Active Directory). The first time that the user accesses PeopleSoft they get prompted for their password again, but then (via the PeopleSoft single signon) the user can access all of your PeopleSoft systems.

If you want to go beyond this and have desktop level single signon, then you'll need to do some customization. A common way of doing this is to have a Windows server running IIS that acts as a proxy server to PeopleSoft. You setup IIS to use NTLM authentication for the proxy link, which will cause Internet Explorer to send in the user's desktop signon information. Then you create a little bit of signon PeopleCode that will check the custom HTTP header that IIS will attach to the request with the user's domain and login ID.

If you do this make ABSOLUTELY sure that you validate requests with this header come through the IIS server. Otherwise you've just opened up access to your entire PeopleSoft system to anyone that knows how to create an HTTP request with a custom header (which is painfully easy). This is because the IIS server just passes back the domain and username, but does not cryptographically secure it.

The nice thing is that this is not just limited to Internet Explorer. Recent versions of Mozilla based browsers (Mozilla 1.6+, Netscape 7.2+, Firefox 0.8+) also have support for Microsoft's NTLM protocol. If the user is on a different platform than Windows, then their desktop signon won't be passed along, but at least they won't be locked out.

If you want to do this type of Windows desktop single signon, but don't want/can't have an IIS proxy server, then you'll want to look at using jCIFS for that.

How about if you don't want to use the Windows login as the basis for desktop single signon. Is that even possible with PeopleSoft applications?

Sure. It takes a little bit more work, but it's possible. You'd have to install something locally on the client machine that get the user's credentials once, and then passes that along to somewhere where the PeopleSoft server can validate it. Either by passing it along in the browser headers or some other way. If you're interested in this, take a look at Steve Friedl's Illustrated Guide to SSH Forwarding. Using SSH as a mechanism for desktop single signon for PeopleSoft applications strikes me as an interesting idea.

Well, there's more to be said on this topic, but this has been sitting in the queue for too long, so I'm publishing what I've got. Please comment if you're interested in hearing more (as well as what you'd like to hear).

Labels: Products, Security

(update : here are slides from our version control with PeopleSoft presentation at OpenWorld 2007)

(update 2 : flash demo posted here)

As Larry mentioned in a post a few months back, we never managed to actually ship version control for PeopleTools. It had become a joke within the PeopleTools Product Management group that getting your feature prioritized below version control was a good way for it to never see the light of day.

But why is version control for PeopleTools objects so hard? Why were we even planning on building version control at all when there are so many other tools out there?

Well, the main reason is that a large majority of the application exists as meta-data within the database, and not in the form of text files that most version control systems expect. We did some internal benchmarking of the lines of code across our entire suite of applications and toolset and came in at approximately 10% of SAP. We were around 18 million LOC, SAP was somewhere north of 160 million (I never figured out the Oracle number). Of course, that was only counting actual lines of code, not all of the meta-data that lived in the database.

There are lots of benefits to being meta-data driven (a topic for another blog post someday), but lots of choices for version control are not one of them :-) And people do want to version control their application definitions, whether they are defined as code or as data. Hence, the long standing desire for version control for PeopleTools definitions. The change control feature that was shipped in PeopleTools 7 was better than nothing, but that's not saying much. There's a reason that you won't find many PeopleSoft customers using that.

A lot of people don't realize that version control is a tough problem to solve. Eric Sink of SourceGear has written an excellent "Source Code HOWTO" that provides the best coverage of the topic that I've seen. It treats you like you are smart, but not familiar with source code control and gets into a good level of detail without overwhelming you.

That writeup really highlights the amount of work that goes into building a version control system. If you read it, then you'll realize that PeopleSoft needed to either provide this functionality or be able to hook into a system that did.

Aside from the normal challenges of being dependent on 3rd party stuff in your shipping products, the other challenge of integrating in an "off the shelf" version control system is that they version lines of text, as opposed to data. Not an insurmountable problem, but definitely a challenge.

One thing that some customers did was to use Quest Stat for project management. Stat handles versioning of PeopleTools objects quite well, although they never got as much traction as they might have because Stat handles a lot of things in addition to version control, so it was overkill for a lot of folks.

What we've been doing internally for our own source code management within Grey Sparling is to convert PeopleTools objects to and from their delivered representations into text formats that we can check into Subversion, which is the source code control system that we use (we also use Trac, which can sit on top of Subversion to provide additional functionality). This has saved me personally on a number of instances from overwriting other people's changes in our development work.

In a nutshell, we export a project, slice up the export file pretty heavily into it's constituent parts, do a lot of sorting and other manipulation so that each line of text matches up with a specific data attribute that is "interesting" from a source code control perspective. This depends on PeopleTools 8.4x (the older project export files were in a binary format).

So now I can browse what changes were checked in, diff those changes from previous versions, etc. via my Blackberry while I'm out at the beach via the internet. All I need to do is actually go to the beach :-)

We also use Subversion/Trac for managing other non-PeopleTools definitions as well. Highly recommended.

It's funny when we tell people that we know that we've built version control for PeopleTools. They generally freak out a bit, knowing that if we were to ship this it would cause the world to come to an end :-)

Unfortunately I have no source code snippets to share in this posting on what we've put together so far. It's still in such a rough state that you have to really understand how it all works in order to use it. Which is OK for us, since we're still a small company, but since it's just something for internal use right now and not an actual product that we're selling, it doesn't rise up to the top of the priority list.

If you catch me in person at an event sometime ask me about it and I'll try to explain more and/or give a demo (assuming I don't get around to blogging more about it in the meantime).

Labels: PeopleCode, Products

Our apologies to our loyal blog readers for the lack of content in the past few weeks. Grey Sparling Solutions has had all hands on deck for a go-live for a large financial institution with our Reporting Security and Distribution PeopleSoft Solutions Extender. Taking the lead from Joel Spolsky, a blogger that we at Grey Sparling Solutions follow, we thought it might make sense to discuss a little about the product and how the customer plans to use it.

Background
As with most financial services institutions, financial reporting is a very important aspect of their ERP solution. This customer has several thousand financial reports that they need to run periodically, and need to secure and distribute to many users. The process of securing and distributing the reports is a very challenging problem for them (and in an era where controls need to be easily audited, the lack of good report security and distribution functionality in ERP systems is a challenge for them).

Additionally, most of the people receiving reports do not use the ERP system other than to look at reports and drill into results. Therefore, the customer would prefer that reports are distributed through email. However, many of these users receive several reports at once, and the customer would like the links to the reports to be consolidated into a single report.

The solution
The Report Security and Distribution PeopleSoft Solution Extender (we recently renamed it from the process scheduler extender) is what this customer is utilizing. This extender has the following major components:

• A means of defining the security rules: as in which users should have access to what data.
• A means of defining the reports to be run and linking in the security rules to ensure that the report data is filtered appropriately and the results are distributed to the right people. The filtering and routing happens automatically.
• A means of graphically organizing the nVision reports into jobs to be run on different schedules and organized appropriately. This allows the administrator to see the complete jobstream and all the times different reports are to be run in a single graphical view.
• A means of defining and personalizing the content of the emails with information in the ERP system. This allows robust, highly formatted emails to be generated with highly descriptive information about each report in the email itself.
• A means of generating the emails on a pre-defined schedule. This allows the reports to be distributed in bulk, with multiple reports in a single email.
• A means of auditing which users have access to which data and which reports. This allows the customer to determine whether the right people are getting the right data (which makes auditing for compliance purposes very easy).

Next Steps

Once this go-live is completed, the customer will implement the report manager part of the extender, which will provide a robust means of organizing and accessing the reports outside of email (through a browser). The users will be able to find reports based on the data in the reports, as well as setting up favorite reports that they won't have to search to find. In addition, we will track which users have viewed which reports at what times (which allows the organization to understand which parts of the business are a compliance risk, because without reviewing the financial reports, they are probably not enforcing the appropriate controls in that area).

Labels: Events, Products