Twospeakers at the user group meeting last night. The first session was an eye opener for me, one of those ‘thoughts crystalising’ moments.

OBA, Office Business Applications Explained – Patrick Tissegham
I’m afraid I don’t have his slides – I suspect he’s keeping them until after another presentation in Italy on Thursday

This was an overview ‘Office Business Applications’. OBAs connect Line of Business (LOB) systems with the people that use them through the familiar user interface of Microsoft Office. It’s not a new thing, but it is a consistent vision of using Office as a development platform. Basically, the idea is that a lot of organisation have lots of structured data in systems such as SAP or CRM, but that this doesn’t really mesh very well with unstructured user activity, such as producing documents or spreadsheets. Office is being opened up to allow ISVs easier routes to bridge that gap between structured and unstructured (via SharePoint naturally).

Examples of bridging that divide do exist already – Microsoft-SAP via ‘Duet’ (although there are all sorts of politics there) and MS Dynamics for CRM (apparently).

This talk had some great demos, and I’ve got to say if you get the chance to watch Patrick ever, do so. I’ll just list the demos he did to give a bit of a flavour for the things he showed.

• Showed how to build a BDC application using the BDC MetaManager tool
• Imported the BDC app and exposed it using the OOB web parts (like in about 100 webcasts of so)
• Showed how to develop your own web parts to use the BDC. Apparently the BDC has a ‘runtime object model’ – basically, an object model that allows you to load and query a BDC application within your own code. Note that this can only be done on the server – the libraries to support this are only on the servers.
• He then used his custom web part to generate a Word document containing fields populated with data from the BDC. There was some discussion about how the .docx formats and so on are just zip files, and we looked at how to put custom data into them. Very cool.
• We then had a look at Visual Studio 2008 (aka ‘Orcas’) and Visual Studio Tools for Office. There are now projects for creating new ‘panes’ inside all the office applications, or creating new documents, or adding to the Office 2007 ‘ribbon’.
• He showed adding a new ‘tab’ and buttons to the ribbon of Word
• And he added a new ‘region’ to the Outlook ’email’ pane. A region is a thing you can add to, well, add more controls to a pain. He a showed adding a button to it, and as we’d run out of time he explained that the next step would be to upload the document to SharePoint via web services.

Conclusions:

• Microsoft Office is now part of our development platform.
• Producing add-ons to office applications will become part of our bread and butter
• Producing ‘Developed’ Office documents will also become a standard task for us. (There’s a reason that there is a hidden ‘Developer’ tab in Word!) There are lots of things you can develop
• Visual Studio 2008 and it’s Office Tools offer considerable power in monkeying around with the Office UI

In other words, we shouldn’t just consider SharePoint in isolation – we’re going to have to consider the client applications too. In some regards, they already play well with SharePoint, but there are lots of conceivable integrations there (such as the auto-populated document from the BDC).

Links:
What is OBA
More Here
VSTO team blog
Patrick’s Blog
Office Developer How to centre (WOW!)

Developers are probably only interested in the second talk…

Security Fundamentals in Microsoft SharePoint Products and Technologies 2007 – Stephen Lamb

This was a bit of an ‘evangelist’ type talk, but interesting nonetheless. His messages were, essentially “Don’t Panic!” and “Think about what you need” – security is important, but you need to think about it, and the objective risks rather than the ‘high profile hacking case that appeared in the Telegraph’. Sometimes you might want to take a less secure approach for the benefits it provides.

He talked his way through what identity, authentication and authorisation meant (and how they’re all different), permissions structure in MOSS, good practice (hint: different MOSS web apps should be in different application pools). He talked a bit about designing permissions based on what users should be doing – and therefore the rest should be locked down. (I actually disagree with this – I can imagine having a low security environment with very few restrictions, and perhaps a separate high security environment with locked down permissions. This is pretty much what I’m thinking of for Deltascheme).

We discussed Code Access Security – which as far as SharePoint is concerned, only really applies to Web Parts. These should never be run under full trust – which is typically one of the first things a developer will set his application to in order to make it less ‘fiddly’

There was some talk about PKI, certificates, symmetric/asymmetric encryption and so on – ask me if you need to know more! There was lots of mention of their Information Rights Management product (this also comes up in the MOSS Administration exam a lot) – and it’s limitations (hint: at some point someone has to be able to see the document – therefore they can photograph it!). It seems moderately neat – it can reduce, though not prevent, leakage.

Conclusions:

• Don’t be afraid of security.
• Anything you do to improve security is better than nothing.
• Consider the security trade-offs – including when less security might be much better. The answer to most security questions on ‘what is best practice’ is ‘well it depends’.
• Do the simple and easy things first.
• Defence in depth. Secure communications within organisation and within the farm. IPSEC between farm servers is a good investment.
• Trust no-one (including consultants and data centre employees!)

Information Rights Management in Office
Ten Immutable Laws of Security.
IPSEC (recommended for between front end servers and database, even in a data centre)