This week, when I was picking up my kids at school, I ran into one of the nVision developers who used to work for me (who's still working at Oracle). She's working on taking nVision to Fusion, which will use the Siebel Analytics platform.

When I first remembered that Oracle's acquisition of Siebel included Siebel Analytics, I told my co-workers that if Oracle was smart, they'd use that as the replacement for nVision (and metric calculations in EPM).

So, Why is it a good thing?
Believe it or not, we at PeopleSoft evaluated Siebel Analytics (although under a different name) to be the infrastructure for the next generation of nVision. At the time, it was a small company called nQuire. We put together a bunch of things we wanted them to prove they could do within a week against multiple PeopleSoft systems. At the time, Chris Heller and myself had a lot of discussions about the product's claimed capabilities... his quote was "Either they're crazy or they're geniuses". We found out that they were geniuses.

Unfortunately for PeopleSoft, Siebel beat us to the punch and acquired nQuire and re-branded the product. Now that Oracle has acquired both Siebel and PeopleSoft, it looks like that original vision may be realized for PeopleSoft customers.

So, what is Siebel Analytics?
Siebel Analytics is most of the functionality we planned to provide in reporting in PeopleTools 9.

• A data abstraction layer that allows users to work with meaningful objects for building reports
• A browser-based way of building both tabular and crosstab reports by business users
• A server-based quering engine that runs the reports and delivers results

In the published PeopleTools 9 plans, we had different names for the same functionality

• Data Objects (Data Abstraction Layer)
• nVision Studio (Browser-based way of building tabular and crosstab reports)
• nVision Engine (server-based querying and reporting engine)

Mark Rittman has some good images on his weblog (which is a must-read for anybody wanting to understand what's going on with Oracle and BI) that shows screenshots for building and managing the data abstraction layer and for building queries or reports.

Data Abstraction Layer

The data abstraction layer looks exactly as it did when we reviewed the product.

The far right pane contains the list physical objects that are the sources of data and metadata. These can be tables or files (and I'm assuming XML sources now). You can think of these as record definitions in PeopleSoft.

The middle pane allows you to map the physical objects to objects that have a more meaningful business names and structures. They abstract away joins and unions and other physical attributes you don't want to present. (a good example we had them prove in the PeopleSoft evaluation was that you could have a single representation for sales, where under the covers you were getting historical sales from a data warehouse and current sales from the CRM system). These are related to Data Objects in the PeopleTools 9 feature list.

The left pane contains the presentation layer for how you would want to present these objects to business analysts. For example, you might want to have different versions of an order, depending on the vertical you're using (where fields specific to a vertical are displayed and not others, and where the terminology presented to the user is targeted to that user type). In other words, you might have a different presentation object for Universities and Commercial in CRM, where in a university a customer is displayed as a contributor and in commercial, they're displayed as customer. These are related to Data Views in the PeopleTools 9 feature list.

Reporting

Siebel analytics provides a drag-and-drop interface for building reports in the browser using these objects. Although I believe that there is some opportunity for making the user interface more targeted to business analysts, they've done the big, hairy effort to pull together crosstab and tabular reporting into a single reporting tool. Here's another screenshot from Mark Rittman's weblog that shows some of the user interface.

As you can see, you have the objects from the presentation layer in the left pane, and you have the ability to lay them out in a report.

So, What's left to be done?

Good question. Here are the major tasks I see that need to be done to get nVision using this platform:

1. Map ledgers to the Siebel Analytics metadata. This should be relatively straightforward, but it is dependent on the fusion business unit/setid project as well as how chart of accounts configuration gets done in fusion.
2. Teach the Siebel Analytics platform how to read trees. Again, this is dependent on the fusion tree project. Fortunately, there are a lot of designs in place for how an engine would utilize different approaches for modeling trees. Another good thing is that the Oracle database has sql extensions for trees/hierarchies that make this much, much simpler than what is currently being done in nVision.
3. Build a robust excel user interface that leverages the calculation engine in Siebel Analytics. From what I know about WebADI, this infrastructure may do the trick, because it is build to allow web services to be used interactively to embed application functionality into to provide a user experience targeted to a business user.
4. Extend Siebel Analytics with output management functionality (this will probably involve work with concurrent manager, which is being managed by the person who used to own PeopleSoft's process scheduler and report manager).

Conclusion

Hopefully this makes most PeopleSoft customers more comfortable with the future of things. I've already known or suspected much of this information earlier, but was waiting for Oracle to provide enough information publicly for me to safely write this entry.

Labels: Fusion, nVision, Performance

(Sept. 20 update: since writing this we have created a Desktop Single Signon snap-on product that works with PeopleSoft Enterprise. Here's the announcement and here is the product page).

Single signon is widely desired, yet not widely understood. As usual with PeopleSoft, there isn't one simple answer, but the good news is that it's not that hard to get what you want. The biggest challenges are political rather than technical.

So, let's start by listing a few of the different common definitions of single signon. What most people mean (and want) is that a user signs on once in the morning and is then granted access to all other applications based on that signon. No additional login screens, etc.

Another common definition is that there is only one place for a user to authenticate with. No need to remember 17 different passwords from systems that have different rules about how often to change the password and how long it has to be. The drawback here is that the user still has to authenticate for each system that they access. I'll refer to this style as "single password".

Note that I use the word "authenticate" rather than saying "fill in their username and password". Although most environments are based on username and passwords, the best run environments go beyond just username/password in order to validate the user (think SecureID token).

One interesting wrinkle to all of this is somewhat PeopleSoft specific. PeopleSoft supports a notion of single signon between PeopleSoft instances.

If you have PeopleSoft HR, Financials, CRM, and EPM, then you actually have four different environments, not just four different product lines in one environment. There are some advantages to this loosely coupled model, but unified administration wasn't one of them. We actually made some progress at this at PeopleSoft towards the end, but it still never got to be as simple as administering one large system.

Given those four separate environments, PeopleSoft supported single signon between them. If a user logged into, say, Financials and then followed a link to the HR system they would not have to signon again. You do need to configure each system to trust each other (you don't want someone with access to a demo CRM system to be able to access your production Financials), but that is not difficult at all. PeopleBooks has good information on how to do this.

Note that the word LDAP has not yet been mentioned. LDAP is just a common place for storing user information (such as their password, their email address, etc.). By itself, it doesn't provide single signon. It only simplifies getting single signon working by having a standards-based common location for storing user credentials.

We made some big bets on LDAP support in PeopleSoft 8. When that came out back in 2000, there weren't really too many enterprise application vendors that supported LDAP. Of course, all of our customers in Higher Education had been telling us to do this for years (especially the University of Michigan). We even had fantasies about dropping our internal authentication support and using LDAP as the out of the box authentication mechanism for PeopleTools 9.

One problem that we had though was that when our field was trying to explain to other customers how this stuff worked, that the concept of single signon and LDAP got confused. Even to the point where the single signon section in PeopleBooks had to be changed to explain that they are not the same thing.

So, out of the box, you can get support for "single password" from the desktop level if your desktop signon uses a backend that supports LDAP (such as Microsoft Active Directory). The first time that the user accesses PeopleSoft they get prompted for their password again, but then (via the PeopleSoft single signon) the user can access all of your PeopleSoft systems.

If you want to go beyond this and have desktop level single signon, then you'll need to do some customization. A common way of doing this is to have a Windows server running IIS that acts as a proxy server to PeopleSoft. You setup IIS to use NTLM authentication for the proxy link, which will cause Internet Explorer to send in the user's desktop signon information. Then you create a little bit of signon PeopleCode that will check the custom HTTP header that IIS will attach to the request with the user's domain and login ID.

If you do this make ABSOLUTELY sure that you validate requests with this header come through the IIS server. Otherwise you've just opened up access to your entire PeopleSoft system to anyone that knows how to create an HTTP request with a custom header (which is painfully easy). This is because the IIS server just passes back the domain and username, but does not cryptographically secure it.

The nice thing is that this is not just limited to Internet Explorer. Recent versions of Mozilla based browsers (Mozilla 1.6+, Netscape 7.2+, Firefox 0.8+) also have support for Microsoft's NTLM protocol. If the user is on a different platform than Windows, then their desktop signon won't be passed along, but at least they won't be locked out.

If you want to do this type of Windows desktop single signon, but don't want/can't have an IIS proxy server, then you'll want to look at using jCIFS for that.

How about if you don't want to use the Windows login as the basis for desktop single signon. Is that even possible with PeopleSoft applications?

Sure. It takes a little bit more work, but it's possible. You'd have to install something locally on the client machine that get the user's credentials once, and then passes that along to somewhere where the PeopleSoft server can validate it. Either by passing it along in the browser headers or some other way. If you're interested in this, take a look at Steve Friedl's Illustrated Guide to SSH Forwarding. Using SSH as a mechanism for desktop single signon for PeopleSoft applications strikes me as an interesting idea.

Well, there's more to be said on this topic, but this has been sitting in the queue for too long, so I'm publishing what I've got. Please comment if you're interested in hearing more (as well as what you'd like to hear).

Labels: Products, Security