Copyright © 2005, SAS Institute Inc. All rights reserved.

SAS® Corporate Compliance – A case study for developing reusable J2EE applications
Zhiyong Li
Lead Application Architect
SAS Pharmaceutical / Corporate Compliance Software Development

Agenda
  Background
  SAS Drug Development Key Architecture Components
  Reuse
  Summary
  Demo

The Sarbanes-Oxley Act of What is It?
  Contains 11 Titles, 66 Sections
  §404 – Management Assessment of Internal Controls
  §302 – Corporate Responsibility for Financial Reports
  §409 – Real-time Issuer Disclosures

The Sarbanes-Oxley Act of Who is Impacted?
  All public companies
  Foreign-based companies / foreign subsidiaries of US companies
  Chief Executive Officer and Chief Financial Officer
  Finance, internal audit, audit committee of the Board of Directors, Chief Risk Officer, Chief Audit Officer
  IT, Sales & Marketing, Shipping & Receiving… theoretically the entire company

SAS® Corporate Compliance
  Secure, auditable repository, versioning, electronic signatures
  Highly configurable
  Assessment-oriented workflow
  Documentation for control procedure, testing activities, issues, etc.
  Report for viewing control effectiveness, outstanding issues, etc.
  J2EE web application with zero footprint client

SAS® Drug Development
  Centralized object repository, versioning and electronic signature
  Enables compliant environment
  Data transformation and integration
  Data exploration
  Statistical analysis and reporting
  Study reports and submissions
  (Very) Thin client

SAS Drug Development and SAS Corporate Compliance Key Comparison
  Similarities
    Compliant solution
      − Strong audit trail and security functionalities
    Web-based platform
    Content Management functionality
      − objects, documents, versioning, electronic signing
  Differences
    SAS Drug Development
      − Clinical trial oriented concepts (studies, protocols, submissions)
      − Java Swing applications
    SAS Corporate Compliance
      − Process oriented workflow for control self assessment

SAS Drug Development Key Architecture Components
  [Architecture diagram. Labels: Firewall, Web Server, App Server, WebDAV Server, SAS Server, Data Server, Oracle, Mapped Drive\Web Folder, HTTPS]

Client
  User Interface
    HTML, JavaScript and Java Swing applications
  Client Requirements Include:
    Windows 98, NT, 2000 and XP
    Browser IE 5.5 or higher, Netscape 7.0
    MAC OS10
    Safari on MAC

Web/App Server
  Web-tier
    Handles request/response between client and server
    Maintains user interface flow and user's states (sessions)
    Communicates with the business tier
  Business-tier
    EJB based APIs
    Provides business logic services
      − searching, events, object management, security, audit trail, etc.

Backend Servers
  Data Storage-tier
    Accesses data in the backend servers.
  WebDAV server
    − Stands for "Web-based Distributed Authoring and Versioning".
    − Content Management: Version control, security, permission-based access, metadata
  Data server
    − Stores all objects and metadata
    − Stores all data, documents and files
  SAS server
    − The analytical engine: Generating all reports

Reuse - Architecture
  Shares a similar architecture
  SAS Corporate Compliance is built on top of SAS Drug Development
  Reuses components
  [Layer diagram. Labels: SCC User Interface, SDD User Interface, SCC Web Tier, SDD Web Tier, SCC Business Tier, SDD Business Tier, SDD/SCC Database and Backend Servers]

Reuse – User Interface
  Shares the same frame-based layout
  Shares the same components / JSP tags
    Tree view
    Tab view
    Menu bar and menu
    Dynamically generated property pages
  Configures menu items, url link, etc.

[Figure: Sample SAS Drug Development Interface]

[Figure: Sample SAS Corporate Compliance Interface]

Sample Configuration File

    <ObjectAction nameString="control"
        icon="/p21/portal/common/images/default/icons/icon_control.gif"
        openIcon="/p21/portal/common/images/default/icons/icon_control.gif">
      <LinkAction nameString="Default"
          url="mainContent.do?parentPath=$path$&amp;navigate=true&amp;fromShortcut=$fromShortcut$"
          targetFrame="RightFrame" />
      <LinkAction nameString="Assign-Control"
          url="assignPersona.do?actionType=edit&amp;objectType=control&amp;parentPath=$parentPath$&amp;path=$path$" />
      <LinkAction nameString="My Assignments"
          url="viewAssignments.do?actionType=browse&amp;userMode=user&amp;viewMode=pending&amp;parentPath=$parentPath$" />
      <LinkAction nameString="Properties"
          url="property.do?objectType=control&amp;actionType=browse&amp;parentPath=$parentPath$&amp;path=$path$" />
      <LinkAction nameString="Audit Trail"
          url="objectAuditTrail.do?objectType=control&amp;parentPath=$parentPath$&amp;path=$path$&amp;entityId=$entityId$" />
    </ObjectAction>

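One way to expand the $name$ placeholders in LinkAction URLs like those in the sample configuration, added here as an illustration and not SAS code: each value is URL-encoded before substitution so an object path containing & or = cannot change the query string, and the XML parser refuses DOCTYPE declarations. The page does not say how the product performs this substitution; the names LinkActionDemo and expand and the sample values are assumptions, and the code needs Java 10 or later.

```java
import java.io.ByteArrayInputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
// Added example; class and method names are hypothetical, not SAS code.
public class LinkActionDemo {
    private static final Pattern TOKEN = Pattern.compile("\\$(\\w+)\\$");

    // Replace every $name$ token with its URL-encoded value; unknown tokens fail closed.
    static String expand(String template, Map<String, String> values) {
        Matcher m = TOKEN.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String v = values.get(m.group(1));
            if (v == null) throw new IllegalArgumentException("no value for " + m.group());
            m.appendReplacement(out, Matcher.quoteReplacement(URLEncoder.encode(v, StandardCharsets.UTF_8)));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: two LinkAction entries from the slide, '&' escaped for XML.
        String xml = "<ObjectAction nameString=\"control\">"
            + "<LinkAction nameString=\"Properties\" url=\"property.do?objectType=control"
            + "&amp;actionType=browse&amp;parentPath=$parentPath$&amp;path=$path$\"/>"
            + "<LinkAction nameString=\"Audit Trail\" url=\"objectAuditTrail.do?objectType=control"
            + "&amp;parentPath=$parentPath$&amp;path=$path$&amp;entityId=$entityId$\"/>"
            + "</ObjectAction>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the config parser cannot be used for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList links = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("LinkAction");
        // Constructed values; the object name carries URL metacharacters ('&', '=').
        Map<String, String> values = Map.of("parentPath", "/SCC/Finance",
            "path", "/SCC/Finance/Q1 control&actionType=edit", "entityId", "42");
        for (int i = 0; i < links.getLength(); i++) {
            Element e = (Element) links.item(i);
            System.out.println(e.getAttribute("nameString") + " -> " + expand(e.getAttribute("url"), values));
        }
    }
}
```
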
Reuse – Web-tier
  Shares the same control framework
    Struts-based control framework
    Common services
      − Application and Session scope cache
      − Configuration
  Business-tier independent access strategy
    Factory pattern to access business-tier objects

[Figure: Web-tier Architecture]

Reuse – Business-tier
  EJB based services
    Audit trail, Search, Object Management
    Assessment
  Reuses EJB services
  Dynamically defined types and attributes
    Shared types: Folder, document, shortcut
    Product specific types:
      − SAS dataset, compound, protocol, …
      − Time period, entity, process, risk, control

Sample Type Definition File
  Typedef.xml
  Typedef.xsd
  I18n.xml
  AttrLayout.xml

  Typedef.xml
    sdd:control
    control
    true
    controls
    com.sas.ibiomatics.p21.server.scc.control.ControlHandler
    1
    standardcontrol
    com.sas.ibiomatics.p21.server.scc.StandardIdToPathTypedefRule

Data Access Layer
  Uses Xythos to store object related data
    Object instances and relationships
    Object attributes
  Uses Hibernate to access other data
    Users, Audit records, Signing, Registration
    SCC assessment, workflow and states
  Same approach of accessing Hibernate functions
    Sessions, transactions
    Shared database connection pools

Summary
  Uses multiple-tier architecture
  Separates responsibilities
  Uses best practices for each tier
    Presentation
      − Templates, shared components, configurable actions
    Web-tier
      − Shared control framework
      − Factory pattern for configurable access to business-tier
    Business-tier
      − Component-oriented design with well-defined APIs
      − Event-driven design for easy integration (reuse)
    Data-tier
      − Uses O/R mapping tool to manage relational data
      − Uses external tools to manage transactions and connections

Agenda
  Background
  SDD Key Architecture Components
  Reuse
  Summary
  Demo
    SAS Corporate Compliance
    SAS Drug Development

Demo
  SAS® Corporate Compliance (SCC)
  SAS® Drug Development (SDD)