Copyright © 2005, SAS Institute Inc. All rights reserved. SAS ® Corporate Compliance – A case study for developing reusable J2EE applications Zhiyong Li.

Copyright © 2005, SAS Institute Inc. All rights reserved.

SAS® Corporate Compliance – A case study for developing reusable

J2EE applications

Zhiyong LiLead Application ArchitectSAS Pharmaceutical / Corporate Compliance Software Development

Gary Klonicki

Copyright © 2005, SAS Institute Inc. All rights reserved. 2

Agenda Background

SAS Drug Development Key Architecture Components

Reuse

Summary

Demo


The Sarbanes-Oxley Act of 2002 - What is It?

Contains 11 Titles, 66 Sections • §404 – Management Assessment of Internal Controls• §302 – Corporate Responsibility for Financial Reports• §409 – Real-time Issuer Disclosures


The Sarbanes-Oxley Act of 2002 - Who is Impacted? All public companies

Foreign-based companies / foreign subsidiaries of US companies

Chief Executive Officer and Chief Financial Officer

Finance, internal audit, audit committee of the Board of Directors, Chief Risk Officer, Chief Audit Officer

IT, Sales & Marketing, Shipping & Receiving… theoretically the entire company


SAS® Corporate Compliance Secure, auditable repository, versioning,

electronic signatures

Highly configurable

Assessment-oriented workflow

Documentation for control procedure, testing activities, issues, etc.

Report for viewing control effectiveness, outstanding issues, etc.

J2EE web application with zero footprint client


SAS® Drug Development

Centralized object repository, versioning and electronic signature

Enables compliant environment

Data transformation and integration

Data exploration

Statistical analysis and reporting

Study reports and submissions

(Very) Thin client


SAS Drug Development and SAS Corporate Compliance Key Comparison

Similarities• Compliant solution

− Strong audit trail and security functionalities• Web-based platform• Content Management functionality

− objects, documents, versioning, electronic signing

Differences• SAS Drug Development

− Clinic trial oriented concepts (studies, protocols, submissions)

− Java Swing applications • SAS Corporate Compliance

− Process oriented workflow for control self assessment


Agenda Background


Reuse

Summary

Demo



FirewallFirewall

WebDAVWebDAV ServerServer

WebDAVWebDAV ServerServer

SASSASServerServerSASSAS

ServerServer

DataData ServerServerDataData

ServerServer

App App ServeServe

rr

Mapped Drive\Web Mapped Drive\Web FolderFolder

WebWebServerServerHTTPSHTTPS

OracleOracle


Client

User Interface • HTML, Javascript and Java Swing applications

Client Requirements Include:• Windows 98, NT, 2000 and XP

Browser IE 5.5 or higher, Netscape 7.0

• MAC OS10

Safari on MAC


Web/App Server

Web-tier • Handles request/request between client and server

• Maintains user interface flow and user’s states (sessions)

• Communicates with the business tier

Business-tier• EJB based APIs

• Provides business logic services

− searching, events, object management, security, audit trail, etc.


Backend Servers

Data Storage-tier• Accesses data in the backend servers.

• WebDAV server

− Stands for "Web-based Distributed Authoring and Versioning".

− Content Management: Version control, security, permission-based access, metadata

• Data server

− Stores all objects and metadata

− Stores all data, documents and files

• SAS server

− The analytical engine: Generating all reports


Agenda Background


Reuse

Summary

Demo


Reuse - Architecture Shares a similar architecture

SAS Corporate Compliance is built on top of SAS Drug Development

Reuses components

SDD/SCC Database and Backend Servers

SCC Business Tier SDD Business Tier

SCC Web Tier SDD Web Tier

SCC User Interface SDD User Interface


Reuse – User Interface

Shares the same frame_based layout

Shares the same components / JSP tags• Tree view

• Tab view

• Menu bar and menu

Dynamically generated property pages

Configures menu items, url link, etc.


Sample SAS Drug Development Interface


Sample SAS Corporate Compliance Interface


Sample Configuration File <ObjectAction nameString = "control"

icon = "/p21/portal/common/images/default/icons/icon_control.gif"

openIcon = "/p21/portal/common/images/default/icons/icon_control.gif"

>

<LinkAction nameString = "Default"

url ="mainContent.do?parentPath=$path$&navigate=true&fromShortcut=$fromShortcut$"

targetFrame = "RightFrame"

/>

<LinkAction nameString = "Assign-Control"

url = "assignPersona.do?actionType=edit&objectType=control&parentPath=$parentPath$&path=$path$"

/>

<LinkAction nameString = "My Assignments"

url = "viewAssignments.do?actionType=browse&userMode=user&viewMode=pending&parentPath=$parentPath$"

/>

<LinkAction nameString = "Properties"

url = "property.do?objectType=control&actionType=browse&parentPath=$parentPath$&path=$path$"

/>

<LinkAction nameString = "Audit Trail"

url = "objectAuditTrail.do?objectType=control&parentPath=$parentPath$&path=$path$&entityId=$entityId$"

/>

</ObjectAction>


Reuse – Web-tier

Shares the same control framework• Struts-based control framework

• Common services

− Application and Session scope cache

− Configuration

Business-tier independent access strategy• Factory pattern to access business-tier objects


Web-tier Architecture


Reuse – Business-tier EJB based services

• Audit trail, Search, Object Management

• Assessment

Reuses EJB services

Dynamically defined types and attributes• Shared types: Folder, document, shortcut

• Product specific types:

− SAS dataset, compound, protocol, …

− Time period, entity, process, risk, control


Sample Type Definition File Typedef.xml

Typedef.xsd

I18n.xml

AttrLayout.xml

Typedef.xml

<?xml version="1.0" encoding="UTF-8"?>

<TypeDef>

<id>sdd:control</id>

<typeName>control</typeName>

<isContainer>true</isContainer>

<isStateful>true</isStateful>

<typeNamePlural>controls</typeNamePlural>

<handlerClass>com.sas.ibiomatics.p21.server.scc.control.ControlHandler

</handlerClass>

<notifyUpLevel>1</notifyUpLevel>

<standardType>standardcontrol</standardType>

<validationClass>com.sas.ibiomatics.p21.server.scc.StandardIdToPathTypedefRule

</validationClass>

</TypeDef>


Data Access Layer Uses Xythos to store object related data

• Object instances and relationships

• Object attributes

Uses Hibernate to access other data • Users, Audit records, Signing, Registration

• SCC assessment, workflow and states

Same approach of accessing Hibernate functions• Sessions, transactions

• Shared database connection pools


Summary Uses multiple-tier architecture

• Separates responsibilities

Uses best practices for each tier• Presentation

− Templates, shared components, configurable actions• Web-tier

− Shared control framework− Factory pattern for configurable accessing to business-tier

• Business-tier− Component-oriented design with well-defined APIs− Event-driven design for easy integration (reuse)

• Data-tier− Uses O/R mapping tool to manage relational data− Uses external tools to manage transactions and

connections


Agenda Background

SDD Key Architecture Components

Reuse

Summary

Demo• SAS Corporate Compliance

• SAS Drug Development


Demo

SAS® Corporate Compliance (SCC)

SAS® Drug Development (SDD)

Copyright © 2005, SAS Institute Inc. All rights reserved. 27Copyright © 2005, SAS Institute Inc. All rights reserved. 27

Copyright © 2005, SAS Institute Inc. All rights reserved. SAS ® Corporate Compliance – A case study for developing reusable J2EE applications Zhiyong Li.

Documents

sas institute

mac slide

footprint client slide

summary demo slide

control self assessment

chief audit officer

corporate responsibility

chief risk officer