Saturday, June 25, 2011

User Experience in Fusion apps

Historically, Oracle is a technical company. Historically, Oracle is a database company. Once they started to offer development tools, modeling tools and applications, the whole concept always centered around data. User interfaces were things that you should generate based on a table definition, not something you should spend time on. So when I heard about the Fusion Applications User Experience efforts, I was skeptical...
...To put it mildly.
My view of Oracle and User Experience has changed drastically today. I attended the Fusion Apps User Experience training with a couple of other Ace Directors that are at Kaleidoscope 2011 in Long Beach.

The message
Companies buy Enterprise applications for support of their business. This is different than consumer facing applications like Amazon or Facebook; in Enterprise applications, users need to be able to accurately and efficiently complete their tasks. Fusion Applications enable this because they take the context of the user/customer into account. The business context consists of four things:
  • Who you are
  • What you are doing
  • Where you are
  • What information you need to complete the task
Research
Instead of looking at the data and generating a lot of screens on top of those data, Oracle has done extensive research to define the roles and personas, the processes and tasks that need to be supported and the requirements these different users have.
They applied various user experience techniques like contextual inquiry, personas and scenarios, card sorting, task analysis and qualitative methods like eye tracking and keystroke level modeling.

Analysis and modeling
This research resulted in prototypes and different solutions.
There are four key concepts in fusion apps:
  1. The right information at the right time. The information that is needed for a task is present, so the user does not have to navigate out of a screen to get to required information. Analysis of what information is needed at what time is key here. There are different patterns that are applied: showing information when hovering over an item, context sensitive actions that are available when clicking on an item, etc.
  2. Different types of navigation: search, dashboards, worklists (to-do lists), watch lists and bookmarks are examples of this. This caters to different user preferences, and different types of tasks at different times.
  3. Collaboration and communication. People are a source of information, just like stored data. So collaboration and communication are an integral part of the fusion apps experience.
  4. Increased productivity and ease of use. By analyzing tasks, the actual productivity of the users is increased considerably.

Testing
The results were tested with customers to make sure that it actually increased the productivity and the overall experience.

The result
The approach Oracle took is very much task oriented with an emphasis on task analysis and quantitative research. This makes sense, considering the earlier statement about enterprise applications and the need to support the claims with data.
However, in addition to that, adding concepts like persuasive design into the mix to actually influence users in an organization would make it even more compelling. This is particularly true for areas like CRM or the so-called 'self service' or employee tasks like filling out expense reports, questionnaires, and updating resumes.

As I said in the beginning of this blog, my view of Oracle User Experience has changed drastically today. I think the Fusion apps people have solved the 'silo' problem that traditional ERP and CRM systems have. They did this by applying user centered design principles and of course have the architecture set up in a way that supports this.

I look forward to hearing more from fusion apps in general and from this group in particular!

Friday, June 24, 2011

Security-per-environment using config plans

Software artifacts normally flow through several environments; for example development, test, integration, acceptance, and production. A piece of software may be developed locally on your laptop, deployed to a central test environment by a developer, scheduled for deployment to the integration environment by the build manager, and then formally promoted to acceptance and production by system administrators after successful testing. These various environments rarely look the same. While a production environment might consist of a clustered and load-balanced configuration with multiple servers running on Linux, your development environment may consist of a bunch of laptops all running a single integrated server on Windows.

Sizing, server versions, hardware specs, and OS specifics are not the only things that vary between these environments; security configuration can differ as well. It could be that the production environment enforces SSL/TLS for all internal and external Web Service calls, only uses official certificates issued by a trusted CA, applies WS-Security based message encryption for outbound Web Service calls, uses WS-Security SAML Tokens for authentication, and an appliance for SSL offloading instead of the application server itself. Maybe in the integration environment self-signed certificates and WS-Security UserName Tokens are used, while the development environment enforces no security measures whatsoever.

One way to deal with environment-specific settings is to manually configure these settings while promoting software items from one environment to the other. While this may be manageable for a small and simple application, the approach soon becomes error-prone and high-maintenance as the size of the application increases. This is especially the case in SOA systems, where there is a high(er) number of different software components involved. A different approach is to use scripting and automated builds in which settings can be configured per environment.

Oracle SOA Suite 11g uses so-called config(uration) plans for this purpose. Environment-specifics like Web Service endpoint locations invoked by an SCA composite can be extracted from the SCA composite and stored in an XML config plan per environment. So we could have a MyComposite_cfgplan_dev.xml that indicates the endpoint of MyWebService is located at http://localhost:7001/MyWebService, while the endpoint is configured as https://some-server:8011/external/MyWebService in the MyComposite_cfgplan_prod.xml config plan for the production environment.

Oracle Web Service Manager (OWSM) is used by Oracle SOA Suite to secure services, references, and components of an SCA composite. You can for example apply the out-of-the-box oracle/wss_username_token_client_policy enforcing a WSS UserName Token to be included in the invocation of an external Web Service. While there are numerous examples online that explain the use of config plans and other examples explaining design-time addition of OWSM policies using JDeveloper, there is less information on how to include and configure OWSM-specific settings in config plans for SOA Suite 11g.

Adding OWSM policies to an SCA composite at designtime in JDeveloper

OWSM policies can be applied and configured per reference, service, or component. When applying security to a reference and configuring it for a specific environment, the OWSM settings need to be placed as a wsp:PolicyReference element between the attribute and property elements of the reference in the config plan. The wsp prefix refers to the http://schemas.oracle.com/ws/2006/01/policy namespace.

For example (snippet from a configuration plan):


<reference name="MyExternalService">
  <binding type="ws">
    <attribute name="location">
      <replace>http://server:8011/SomeService-1.3?wsdl</replace>
    </attribute>
    <wsp:PolicyReference 
      orawsp:category="security" 
      orawsp:status="disabled"    
      URI="oracle/wss_username_token_client_policy"/>
    <property name="csf-key">
      <replace>BPMS_USER</replace>
    </property>
  </binding>
</reference>


In the above example, the oracle/wss_username_token_client_policy is applied on the MyExternalService reference but disabled during deployment. It furthermore indicates that the credentials stored in the BPMS_USER key that is located on the server should be used in constructing the WS-Security UserName Token for the outbound SOAP call. While this may be an appropriate configuration for the test environment, for production you might want the policy to be enforced during deployment, perhaps use another policy that enforces SSL, and possibly use another CSF key. In order to do this, you can add these OWSM-specifics to the reference element in the configuration plan for production.

For example (snippet from a configuration plan):


<reference name="MyExternalService">
  <binding type="ws">
    <attribute name="location">
      <replace>http://prodserver:8012/Service-1.3?wsdl</replace>
    </attribute>
    <wsp:PolicyReference 
      orawsp:category="security" 
      orawsp:status="enabled"    
      URI="oracle/wss_username_token_over_ssl_client_policy"/>
    <property name="csf-key">
      <replace>PROD_PROXY_USER</replace>
    </property>
  </binding>
</reference>
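
A pre-deployment check for the two plans above, as an added example (not code from the original post or from Oracle tooling): it parses a config plan and reports references whose security policy is missing or disabled, whose csf-key is not on an approved list, or that pair an over_ssl policy with a non-https location. The SOAConfigPlan wrapper, the orawsp namespace binding, the approved-key list and the three rules themselves are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the snippets above wrapped in a root element so the
# prefixes resolve. The wsp URI is the one the post gives; binding orawsp to
# the same URI is an assumption. The audit matches local names only.
PLAN = """<SOAConfigPlan xmlns:wsp="http://schemas.oracle.com/ws/2006/01/policy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy">
 <reference name="MyExternalService"><binding type="ws">
  <attribute name="location"><replace>{loc}</replace></attribute>
  <wsp:PolicyReference orawsp:category="security" orawsp:status="{status}"
    URI="{policy}"/>
  <property name="csf-key"><replace>{key}</replace></property>
 </binding></reference>
</SOAConfigPlan>"""

def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of names."""
    return tag.rsplit("}", 1)[-1]

def replaced(elem):
    """Text of the <replace> child of an attribute/property, or ''."""
    for child in elem:
        if local(child.tag) == "replace":
            return (child.text or "").strip()
    return ""

def audit_plan(xml_text, approved_keys):
    """Return (reference, finding) pairs for a plan meant for production."""
    findings = []
    for ref in ET.fromstring(xml_text).iter():
        if local(ref.tag) != "reference":
            continue
        name = ref.get("name")
        policies = [{local(k): v for k, v in e.attrib.items()}
                    for e in ref.iter() if local(e.tag) == "PolicyReference"]
        security = [p for p in policies if p.get("category") == "security"]
        if not security:
            findings.append((name, "no security policy"))
        for p in security:
            if p.get("status") != "enabled":
                findings.append((name, "policy not enabled: " + p.get("URI", "")))
        needs_tls = any("over_ssl" in p.get("URI", "") for p in security)
        for e in ref.iter():
            kind, key, value = local(e.tag), e.get("name"), replaced(e)
            if kind == "attribute" and key == "location":
                if needs_tls and not value.startswith("https://"):
                    findings.append((name, "SSL policy but location is " + value))
            elif kind == "property" and key == "csf-key":
                if value not in approved_keys:
                    findings.append((name, "csf-key not approved: " + value))
    return findings
```

Run as a build step against the production plan, this catches a test plan promoted by mistake: the first snippet above yields a disabled-policy and an unapproved-key finding, and the production snippet's http location is reported for review next to its over_ssl policy.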

Friday, June 3, 2011

The User Experience of the Dutch Chamber of Commerce (KvK)

Almost everyone who owns a business in the Netherlands has to deal with the Dutch Chamber of Commerce, in Dutch the KvK (Kamer van Koophandel). The Dutch Chamber of Commerce manages the trade register. Its other tasks are to provide Dutch entrepreneurs with information and stimulate regional trade & industry. It targets its services at Dutch businesses across all sectors.

The Five Channels of the KvK
Every BV yearly pays the KvK a fixed amount of money. In return the Chamber gives you information and answers your questions regarding business matters by means of 5 channels:

  1. Website
  2. Call centre
  3. Email
  4. Fax
  5. Post

The information and service given by all five channels determines the User Experience of the KvK.

The Experience of Defining an Annual Account
This year my BV, although sleeping, celebrated its 1st birthday. Therefore I had to fulfill all kinds of legal obligations. One of them is the publication of the BV’s annual account. Now I myself am a User Experience consultant, and therefore I don’t know much about annual accounts.

OK, of course I could hire all kinds of experts to help me, but come on… a sleeping BV… how difficult can it be? So with the help of a friend and some information (hard to read, in a difficult formal language) from the KvK site, I managed to formulate the account. But now what?

The Experience of Registering an Annual Account
I checked the 1st channel of the KvK, its website and tried to figure out how I could send my annual account to them. I found a FAQ: “How to register (deponeren) an annual account?” I would never have thought of the word ‘deponeren’ but this apparently was the information I needed.

Answer: “You can send it by post (6), by fax (5), by Email (4) or online (1) to your regional KvK.”

OK clear! That sounded good. Many options available! I clicked the link to find out contact information about my regional KvK. Then the confusion started. The website now first reveals different phone numbers, a visiting address and at the end of the page an E-mail address to send in a question or a complaint. The online-way was explained nowhere.

I tried the Email form, a waste of time because there is no possibility to attach a file. I saw no other option than to set up a call to the KvK. Therefore I first had to look up the telephone number of my regional KvK. I made the call, I passed a voice response system. The moment my call was answered by a receptionist, she transferred me to the KvK-expert. I finally could pop the question. The answer seemed simple, because in no time I received an odd Email address where I could send my annual account to. “No need for an addressee or a cover letter, just send the account to this address!”.

So I did. In half an hour I received an automatically generated Email from the KvK telling me that they received my mail and that my annual account will be published in due time. Great! Pfff I did it! The whole action took me an hour, a phone call and the help of some KvK employees.

Conclusion Regarding the Overall User Experience

  • Online I couldn’t find what I needed to know; therefore I had to consult the phone-channel.
  • The info on the website was not self-explanatory, the language too formal.
  • The whole process took me too much time.



What about Channel Control?
Channels which involve people (visitor center, call center, mailroom) cost money and they don’t always offer the most suitable service. Employees are kept away from their actual work by customers asking for Email addresses.

When promoting channels, start with the most cost effective ones. But watch out for the pitfall: Make sure that this channel fulfills the needs of its users.

Leading customers to the most (cost) effective and suitable channel and making sure this channel fulfills their user needs, assures you of:

  • happy customers
  • happy employees who can do their actual work more efficiently
  • cost reduction for your organization