Software as a Service: Build a Web-delivered SaaS framework ...

Software as a Service: Build a Web-deliveredSaaS framework for forms and workflow-drivenapplicationsUse products from IBM's Enterprise Software Portfolio

Skill Level: Introductory

Tamer Nassar ([email protected])Software EngineerIBM

Murali Vridhachalam ([email protected])IT ArchitectIBM

09 Dec 2008

Software as a Service (SaaS), largely enabled by the Internet and corporateintranets, has become an innovative way for enterprises to do business. In the past,software had to be installed in an infrastructure close to end users. The currentindustry-wide trend is for Internet based services. Deployment of software as aservice, accessible on the Internet and supported by multi-tenant architecture, makesnew applications (or tenants) available with significantly lower costs. In this article,learn how a team built a Web-delivered SaaS framework to host applications, fromdifferent business domains, that were driven by forms and workflow.

Introduction

Software as a Service (SaaS), largely enabled by the Internet and corporateintranets, has become an innovative, cost-efficient way for enterprises to dobusiness. Many people predict that SaaS will grow much faster within corporateintranets. Companies can reduce costs by providing SaaS frameworks rather thantraditional infrastructure-based applications.

Software as a Service: Build a Web-delivered SaaS framework for forms and workflow-driven applications© Copyright IBM Corporation 1994, 2008. All rights reserved. of 19

mailto:[email protected]

mailto:[email protected]

http://www.ibm.com/legal/copytrade.shtml

This article describes how a team built a Web-delivered SaaS framework to hostvarious applications, from different business domains, that are forms and workflowdriven. Before an application (or tenant) can be added to the deployed SaaSframework, it has to be designed and implemented following technical guidelinespublished by the SaaS framework provider. From a technical perspective, the mainbenefit of this solution is that no code changes are required to the SaaS frameworkwhen new tenants are added.

In this article, the terms tenant and application are used interchangeably. The SalesApplication or HR Application shown in Figure 3 are an example of a tenant.

The team used Lotus Forms 3.0, WebSphere Process Server 6.1, Business ProcessExecution Language (BPEL), and the pureXML capabilities of DB2 9.5 to build anddeploy the solution.

Traditional approach

Many enterprises have numerous forms-driven processes, across several businessdomains, requiring workflow processing. Enterprises usually meet these variedneeds with custom application development, as shown in Figure 1.Custom-developed applications have proven to be very expensive; customdevelopment, infrastructure needs, and maintenance and upgrades are costly.

Figure 1. Traditional approach

developerWorks® ibm.com/developerWorks

Software as a Service: Build a Web-delivered SaaS framework for forms and workflow-driven applications of 19 © Copyright IBM Corporation 1994, 2008. All rights reserved.


SaaS framework approach

The SaaS framework uses the multi-tenant architecture, shown in Figure 2, whichsignificantly reduces costs by hosting a generic solution for all forms and workflowdriven applications. With this approach, a new forms and workflow-driven applicationcan be added to the SaaS framework without code changes to the framework itself.

Figure 2. SaaS approach

ibm.com/developerWorks developerWorks®



This article describes how a team built a SaaS framework for forms andworkflow-driven applications with parallel and serial approval flows, as shown inFigure 3. This SaaS framework may have multiple applications from differentdomains, such as Sales, Human Resources, Procurement, and so on. Theapplications might have multiple forms that require different approval workflows.

Figure 3. SaaS framework




Technology and software products enabling the framework

To build the Web-delivered SaaS framework the team used the following productsfrom IBM's enterprise software portfolio.

Lotus Forms 3.0Is open standards based (w3c XForms specification), and provides digitalsignature capabilities to support compliance with government and industryregulations. Lotus Forms 3.0 also supports integration with business processworkflows and file attachments. The Lotus forms suite includes Lotus Forms




server, Lotus Forms API, Lotus Forms Viewer, Webform Server, and LotusForms Designer. The following components were used to build the SaaSframework:

• Webform Server, which translates Extensible Forms DescriptionLanguage (XFDL) documents into HTML/JavaScript documents, allowsusers to view, fill out, sign, and submit XFDL documents using only aWeb browser. Users can fill out XFDL forms without downloading orinstalling browser plug-ins or other programs.

• Lotus Forms Server API, commonly called the API, is a collection ofspecialized functions that allow users to extend the capabilities of LotusForms.

• Lotus Forms Viewer, commonly called the Viewer, lets users view,complete, and submit forms. In a typical scenario, users go to a Web siteand click a link to open a form within their browser. The Viewerautomatically opens as a browser plug-in. The Viewer can also be usedas a standalone application, independent of any browser.

• Lotus Forms Designer, commonly called the Designer, is a graphicaldesign tool for creating and editing forms.

Lotus Forms uses XFDL as its form templates language. XFDL is a standardforms design and document processing meta-language. The end user maysave the form locally to disk and work offline, or e-mail the form to othersinvolved in a workflow. Once a form is completed, the full document can bearchived in a records management system for auditing. The XML data caneasily be harvested from the surrounding XML document to drive back-enddata processing systems.

Lotus Forms integration with Web services helps end users complete formsquickly and efficiently. For example, an end user is filling out a purchase orderform to buy stationery. When a supplier number is entered, a Web service callcan be made to automatically fill in the supplier's name, address, and contactinformation from another source, thus reducing data entry and enhancing dataintegrity.

DB2 version 9.5A market-leading relational database that supports XML as a native data type.This powerful feature facilitates multi-tenant architectures from the dataperspective. The example implementation stores XFDL (Lotus Forms structure)in XML columns within relational tables.

WebSphere Process Server 6.1Using WebSphere Process Server 6.1 to deploy the solution enables simple




and flexible execution of standards-based business process solutions in aService Oriented Architecture (SOA). Process Server provides robust processautomation, advanced human workflow, business rules, and integrationcapabilities on a common SOA platform.WebSphere Process Server is built on WebSphere Application Server, so itinherits the robust capabilities and qualities of service provided by ApplicationServer. Process Server also provides flexible connectivity infrastructure forintegrating applications, data, and services. The plug-and-play capabilities, andability to modify business rules on the fly, make the promise of SaaS a reality.

Costs are greatly reduced when existing applications can be changed, and newapplications added, with significantly lower -- or no -- down time.

Process Server also ensures interoperability and flexibility through adoption ofpopular standards such as WS-BPEL, JMS, XML, SCA, SDO, Web services,and many more.

WS-BPELWeb Services BPEL was used to handle the notification flow. WS-BPEL, anXML-based language, enables the description of business process activities asWeb services and defines how the Web services are connected to accomplishcertain business tasks.

Difference between SaaS and ASP (ApplicationService Provider)With the SaaS model, application functions are delivered remotelyover the Internet and by a subscription model. Customers don't ownthe software, and have no choice of what type of hardware andmiddleware are used to host the software.In the ASP model, customers buy the software which is hosted bythe service provider, who may decide to bring it in-house at anytime. The infrastructure may be tailored to customer needs.

Dave Mitchell's interview has more about SaaS in IBM, ASP andhow SaaS is changing IT.

Technical design

To understand the rationale for the technical design of the SaaS framework, it'sbeneficial to understand some of the major stakeholders and user roles. While thereare many players, fundamentally there are two major stakeholders and two majoruser roles in a Web-delivered SaaS framework.

The two major stakeholder roles are:




• SaaS provider, who owns the SaaS framework and provides differentservices. For example, if the SaaS framework is deployed within acompany or enterprise, the company or enterprise may be the SaaSprovider. Another example of an SaaS provider in the customerrelationship management (CRM) arena is Salesforce.com.

• Infrastructure services include hardware provisioning, security,performance monitoring, and capacity planning.

• Tenant services include billing, service level agreements, contracts,and subscriber management.

• Developer services include providing a platform for developers todevelop and test tenant applications before boarding them onto theSaaS platform. The provider will give technical guidance todevelopers to ensure an application or tenant is designed correctly sothe application can be offered through the SaaS provider.

• End user customer services provide 24x7 technical and non-technicalsupport and training.

• Application owner or tenant, who typically owns one or more applicationsin the SaaS platform. This stakeholder is responsible for providingfeatures to meet end user requirements. The features and forms-drivenprocesses in a sales application may be different from those in an HRapplication. If the SaaS framework is deployed within a company, differentbusiness units within the company could be the application owner.

The two major user roles are:

• Developers who use the services of the platform provider to develop, test,and deploy new applications (tenants) or new releases of the application.For example, the developers will need to understand the data model thatsupports multi-tenancy before designing their application.

• End user who uses the features of one or more applications offered bythe tenants. In the example in this article, the end user is a user of theSales application, HR application, or Procurement application (see Figure3).

Figure 4 shows the architecture of the SaaS framework.

Figure 4. SaaS framework architecture




Design in the context of stakeholders and users

The SaaS provider architects and develops the framework using the following designpoints. The design points are published as technical guidance to the applicationdevelopers.

• A multi-tenant data model is implemented to host multiple applicationswithin the framework, providing extensibility and security. Figure 8 showsan example of the multi-tenant data model.

• The forms that are part of an application in the framework must includethe following metadata fields.Field name Description

ApplicationID Unique ID for each application

ApplicationName Name of the application

FormID Unique ID for each form

FormName Name of the form

Status Contains the form status and isupdated during processing

DisplayFormState Contains the initial state of the form

PreviousDisplayFormState Contains previous state of the form

LevelOfApprovals Contains how many levels of




approvals are needed

ParallelApproval Contains value to indicate parallelapproval or serial approval

ParallelApprovalBothNeeded Contains value to indicate if formneeds both parallelapprovals or just one to move tonext approval level

• The approver data is stored as XML in DB2, as shown in Figure 5. Thisdata contains an approver ID for each approval level. The approver ID isused to look up approver information from the person_directory table.Figure 5. Approver data in XML




• Approval routing is handled by BPEL. When the form is inserted orupdated in DB2, a JDBC adaptor in BPEL is triggered. It passes routinginformation to the approval routing flow through the Java Bridgecomponent, as shown in Figure 6.Figure 6. Approver routing using BPEL

The Application owner (tenant) determines the need to add forms-driven applicationsto the framework, and engages developers to develop the application so that it canbe added to the framework.

The developers follow technical guidance published by the SaaS provider to designthe application. Approver data, and user information such as name, ID, roles, and soforth are provided when the application is added to the SaaS framework. Figure 7shows the form with application specific fields and metadata fields.

Figure 7. Form with metadata and application specific fields




End user scenario

The following sequence outlines an end user scenario.

1. The end user authenticates to the SaaS framework. The frameworkretrieves user details such as Name, Organization, and so on from anLDAP directory. Roles are retrieved from data stored in the database orLDAP directory.

2. Based on the user's role, the framework determines which applicationsthe end user is allowed to work with. A list of applications is thendisplayed. The user interface menus are generated based on the user'srole.For example, the Procurement application may be restricted to theProcurement department employees in an organization. In this case, onlyemployees belonging to the Procurement department will see theProcurement application in the user interface.




3. The end user may choose to work with one of the forms within theapplication. When they open the form, field-level security is enabled andis based on the user's role.For example, an end user may not act as an approver.

4. The user fills the form, and the fields are validated. After validation, theuser submits the form.The SaaS framework parses the XFDL in the servlet (using the LotusForms API), retrieves the key metadata fields, and looks up the approverdata to determine the next approver in the approval workflow. Appropriatemetadata fields are updated, and the XFDL form is saved as XML in aDB2 table.

5. When the form is inserted or updated in DB2, the notification flow will betriggered to invoke the e-mail service. It could also invoke any otherinterface or Web service to update external systems.

6. The form will be marked as completed after all approvals have beenobtained, and the form initiator will be notified.

7. The form will be marked as rejected if one of the approvers rejects theform. In this case, the form initiator will be notified to take action andresubmit the form.

SaaS framework architecture principles

From an architecture perspective, the hallmarks of the SaaS framework areextensibility, security, and scalability. This section highlights how each is achieved inthe SaaS framework.

Extensibility

The SaaS framework should be designed so new tenants or applications can beadded without having to change the framework code. In our case, the extensibilityrequirements are met through a combination of design points, as follows.

• For workflow processing, certain XML fields in the Lotus forms are usedas metadata fields. When new applications are added to the SaaSframework, the forms have to include these key metadata fields.




• Database design must provide relational and hierarchical data (XML) tosupport multi-tenancy. This was achieved by using the pureXMLcapabilities in DB2 v9.5, which let the team store the XFDL (form) into anXML column in a table. With this approach, the SaaS framework can storehundreds of tenants, as shown in the entity relationship diagram in Figure8.Figure 8. Partial entity relationship showing multi-tenant data model

• A generic BPEL implementation is used to handle the e-mail notificationsduring the approval workflow processing. No code changes are needed tohandle e-mail notifications for new forms.

Security

There are different perspectives of security in a SaaS framework. This articlefocuses on security from a tenant and end user perspective, which is achievedthrough the following guidelines.

• Control application access. Who can access the tenant is achieved withDB2 and the LDAP directory, which contain the end user information.




• Control role-based access (who can access which features within anapplication) using groups in the LDAP directory or relational tables. Thesegroups would be authorized to access certain features within theapplication.

• Achieve tenant data security with a few different approaches.

• The first approach is to grant appropriate access to the databasetables to groups to meet user authorization needs. For example:

Grant select, insert, update, delete on table to group groupname;

The queries that are issued by the application code against themulti-tenant database will always have the tenant name as aconstraint. For example:

Select columnname from schema.tablename where app_code = tenant and ...

where tenant is dynamically determined using the application contextunder which the query is being executed. Using the example tenantsin this article, tenant may be Sales, Procurement, or HR.

• The second approach is to use the powerful Label Based AccessControl (LBAC) feature in DB2 9.5 to secure the data. With LBAC,users can be restricted from accessing certain rows of data or certaincolumns in a table. In the example, you can restrict access to theSales application data from end users of the Procurement application,and so on.For example, the following statements can be issued to create LBACsecurity for the different tenants. With this approach, even a user withDBADM authority and with direct access to the database cannotaccess certain rows of data. Additional authorization will be neededfor a user with DBADM authority to view all the rows of data.

• Define security label components:

Create security label component APPLICATION_ACCESS set{'SALES',

'PROCUREMENT','HR'}

• Define the security policy:

Create security policy tenant_access_policy componentsAPPLICATION_ACCESSWith db2lbacrules




Restrict not authorized write security label

• Define the security labels:

Create security label tenant_access_policy.SALESComponent APPLICATION_ACCESS 'Sales'Create security label tenant_access_policy.PROCUREMENTComponent APPLICATION_ACCESS 'Procurement'Create security label tenant_access_policy.HRComponent APPLICATION_ACCESS 'HR'

• Update the security label column:

Alter table schema.tablename add column access_tagdb2securitylabelAdd security policy tenant_access_policy

Now, the table schema.tablename is protected.

Update schema.tablename set access_tag = seclabel_by_name('tenant_access_policy','Sales') where application_name =

'Sales'Update schema.tablename set access_tag = seclabel_by_name

('tenant_access_policy','Procurement') whereapplication_name =

'Procurement'Update schema.tablename set access_tag = seclabel_by_name

('tenant_access_policy','HR') where application_name = 'HR'

• Grant the security labels to users:

GRANT security label tenant_access_policy.SALES to group SALESFOR ALL

ACCESSGRANT security label tenant_access_policy.PROCUREMENT to groupPROCUREMENT

FOR ALL ACCESSGRANT security label tenant_access_policy.HR to group HR FORALL ACCESS

Scalability

You can achieve scalability with partitioning of applications. New tenants may behosted in another identical infrastructure instance with its own multi-tenant database.In this case, tenant traffic will be redirected using a smart balancing and routingapproach. Figure 9 shows an example.

Figure 9. SaaS framework scalability




Summary

SaaS adoption is growing rapidly worldwide. In this article, you learned how productsfrom IBM's enterprise software portfolio can be used to build a very robust SaaSframework that is extensible, secure, and scalable. The example shows how you canuse the SaaS paradigm to transform businesses to be more cost effective andservices-centric.




Resources

• Learn more about WebSphere Process Server features, benefits, systemrequirements, library and more.

• IBM Lotus Forms eForms provides eForms software to speed automation offorms-based business processes and helps integrate data with existing ITsystems.

• Explore DB2 9 for Linux UNIX and Windows.

• Read and watch how WebSphere Business Services Fabric can be used fordynamic routing of multiple tenants using Web Service mediation patterns.

• The developerWorks interview with Dave Mitchell on Software as a Service andIBM explores why developers need to understand SaaS and how IBM can help.

• Find valuable information about IBM Partnerworld and SaaS.

• SaaS Showcase connects you with leading Independent Software Vendors(ISVs).

• Browse the technology bookstore for books on these and other technical topics.

About the authors

Tamer NassarTamer Nassar is a software engineer in the office of the IBM CIO, and has been withIBM since 2000. He has been involved in different projects, with a variety oftechnologies, designing, implementing, and testing many end-to-end enterprisesolutions. His areas of interest and expertise include SOA, IT architecture andmethodology, WebSphere Application Server, WebSphere Process Server,WebSphere MQ, and WebSphere Message Broker.

Murali VridhachalamMurali Vridhachalam is an Open group certified IT Architect, and has been with IBMsince 1994. He has architected and deployed several enterprise applications withinIBM. Murali currently provides technical leadership to a team whose mission is todevelop innovative solutions using IBM's wide array of enterprise software products.



http://www-01.ibm.com/software/integration/wps/

http://www-01.ibm.com/software/lotus/products/forms/

http://www-01.ibm.com/software/data/db2/9/

http://www.ibm.com/developerworks/offers/lp/demos/summary/wesd-saaswbsf.html

http://www.ibm.com/developerworks/podcast/dwi/cm-int080707txt.html

http://www.ibm.com/developerworks/podcast/dwi/cm-int080707txt.html

http://www-304.ibm.com/jct09002c/isv/marketing/saas/index.html

http://www-304.ibm.com/jct09002c/gsdod/showcase.do?cd=GAMSAS

http://www.ibm.com/developerworks/apps/SendTo?bookstore=safari


Trademarks

IBM, the IBM logo, ibm.com, DB2, developerWorks, Lotus, Rational, Tivoli, andWebSphere are trademarks or registered trademarks of International BusinessMachines Corporation in the United States, other countries, or both. These and otherIBM trademarked terms are marked on their first occurrence in this information withthe appropriate symbol (® or ™), indicating US registered or common lawtrademarks owned by IBM at the time this information was published. Suchtrademarks may also be registered or common law trademarks in other countries. Acurrent list of IBM trademarks is available on the Web athttp://www.ibm.com/legal/copytrade.shtml.Microsoft and Windows are trademarks of Microsoft Corporation in the United States,other countries, or both.UNIX is a registered trademark of The Open Group in the United States and othercountries.Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in theUnited States, other countries, or both.Linux is a trademark of Linus Torvalds in the United States, other countries, or both.Windows is a trademark of Microsoft Corporation in the United States, othercountries, or both.Other company, product, or service names may be trademarks or service marks ofothers.





Software as a Service: Build a Web-delivered SaaS framework ...

Technology

Transcript of Software as a Service: Build a Web-delivered SaaS framework ...