The Partner Portal Application
This topic describes the high-level architecture and design of the Partner Portal application and discusses how different aspects of the guidance and various SharePoint capabilities implement the stories that are described in The Business Scenario. For detailed information about the Partner Portal application, see the Partner Portal Reference Implementation.
The following illustration shows the high-level elements of the Partner Portal application, the content database, and the shared services providers (SSPs).
The Partner Portal site is the entry point that all partners use to access the application. The Partner Portal presents an integrated view of the application's different capabilities and provides all partners with their own site collection. The Contoso IT department provisions a partner's site collection. For detailed information about this process, see New Partner Provisioning.
The Partner Portal site provides a dedicated collaboration space for interacting with Contoso, access to the product catalog, promotional offers, and other line-of-business information. Subsites are automatically created to collaborate on individual incidents. The Partner Portal integrates with multiple line-of-business (LOB) systems to provide business information to partners. This has two benefits. One benefit is that partners can access relevant information themselves, without requiring help from a Contoso employee. The other benefit is that formal LOB processes are introduced into informal collaboration processes.
The Partner Central internal portal site represents the entry point that Contoso employees use to process information from partners and to access a specific partner's collaboration space. Additionally, Contoso employees use the site's authoring capabilities to create promotional offers that are reviewed, approved, and then deployed to the production farm. (The reviewing and approval process is not implemented.)
The Partner Portal application is a combination of standard SharePoint functionality and custom application logic. The following sections describe the main features of the Partner Portal reference implementation, reference the relevant sections of the guidance, and show how SharePoint's capabilities were used or extended.
Partner Portal and Incident Subsites
SharePoint automatically creates an incident subsite when a partner has a problem whose severity is termed "tier three." Partners access their subsites through the Partner Portal site.
SharePoint uses both site definitions and features to produce repeatable instances of a site or a capability. For more information, see An Overview of the SharePoint Platform for ASP.NET Developers. The Partner Portal application uses site definitions and features in the following ways:
- Creating a new partner extranet site. Contoso frequently adds new partners. SharePoint provides an infrastructure that automatically provisions an instance of a new site when a company becomes a Contoso partner. This process requires no development effort and no need to make any physical changes to the operating environment. To add a partner, administrators create a new site collection, add it to the site directory, apply the appropriate features, and configure the site's security permissions. For more information, see New Partner Provisioning.
- Adding subsites for incident and order exception management. Collaboration subsites allow partners and Contoso employees to resolve order exceptions and incidents. The type of subsite and the information that is retrieved from the LOB systems varies, depending on the type of incident. Templates allow instances of each subsite type to be created automatically when a particular business event occurs. The guidance shows how application patterns describe a general solution to the challenge of automatically creating subsites. For more information, see Application Patterns. The guidance also includes a library of reusable components that make the implementation of the patterns simpler. For more information, see Workflow-Driven Site Creation.
In addition to its site provisioning capabilities, the Partner Portal site and subsites take advantage of many of the features that SharePoint provides for building scalable, enterprise-quality applications. For more information, see Building for Scale.
Data Isolation and Security
The following illustration shows the relationship between data on a partner's site, the content database, and the SSPs.
SharePoint is designed to simultaneously support multiple applications and users on a single infrastructure. To provide a secure environment for each application and user, SharePoint has different levels of data and security isolation. The Partner Portal application demonstrates some advanced techniques for implementing them. The following are some of the highlights:
- Site collection security and data isolation boundary. The Partner Portal application uses separate site collections for each partner's collaboration space. Roles that are specific to the partner are assigned to this collaboration site collection. Within the database, data for a site collection is isolated from other site collections. As a result, there is no possibility of data from one site collection appearing on another site collection. For more information, see Considerations for Extranet Development.
Note that although the Partner Portal application uses the site collection as the boundary between partners, SharePoint includes resources and configuration capabilities that provide even greater separation. For example, all partners can have their own Web applications. This provides a process boundary and allows you to assign a dedicated database to each partner. The increased security must be weighed against the increased operational complexity and additional hardware costs, but this may be a feasible solution in high-security environments. For more information, see "Subsite scripting" in Plan site security and Logical architecture components on TechNet.
- Security zones. Although security zones can be a complex topic, the basic concept is straightforward. Users often belong to different security groups that are authenticated in different ways with different credential stores. In the case of the Partner Portal application, Contoso employees are authenticated within the corporate network with standard Windows domain security mechanisms.
Contoso does not want their partners' credentials to be included in the Active Directory domain. Generally, organizations want to use a dedicated credential store for external users and to authenticate the users within a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). SharePoint provides zones to address this situation. Zones allow different groups of users with different security permissions to access the same application. Each group can be authenticated with a different security mechanism and assigned different rights. A commonly used authentication mechanism is forms-based authentication. For more information, see Considerations for Extranet Development.
- Access control lists. In the Partner Portal application, Contoso employees create and approve partner promotions. (The approval process is not implemented.) It is possible for the same promotions to apply to several partners. In situations where information is centralized and is accessed by multiple users, SharePoint uses an access control list to determine who can view and modify information. This list assigns permissions to items in a SharePoint list or library. The Partner Portal application uses a central site collection for all published promotions, and then it uses the access control list to assign rights to each promotion. Partners can only access the promotions that apply to them. SharePoint has standard features that support this security model, such as the ability to assign permissions to users in different security zones to view the same content.
There are several other ways to control access to information. One alternative is to publish the promotions to the individual partner site collection. This approach is more complex than the one that is used by the Partner Portal application and requires custom deployment logic for the promotions. Another approach is to divide the partners into a few groups, such as a Gold group, Silver group, and Bronze group, and have a publishing site for each group. This simplifies the access control because partners are assigned to a site and not to an item, but the flexibility of the application is reduced. For more information, see Understanding Publishing and Content Deployment.
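The item-level access control list approach described above, sketched against the SharePoint server object model as an added example (it is not code from the Partner Portal reference implementation). The class name, method names, and the group names passed in are hypothetical; the code assumes it runs on a farm server with the partner and author SharePoint groups already created in the central publishing site collection.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example. Class, method and group names are assumptions, not the project's own.
public static class PromotionAccess
{
    // Give one promotion its own ACL: authors can edit, the listed partner groups can read.
    public static void Restrict(SPWeb web, SPListItem promotion,
                                string authorsGroup, IEnumerable<string> partnerGroups)
    {
        // false: do not copy the library's role assignments onto the item.
        if (!promotion.HasUniqueRoleAssignments)
            promotion.BreakRoleInheritance(false);

        Grant(web, promotion, authorsGroup, SPRoleType.Contributor);
        foreach (string name in partnerGroups)
            Grant(web, promotion, name, SPRoleType.Reader);
    }

    static void Grant(SPWeb web, SPListItem item, string groupName, SPRoleType role)
    {
        SPGroup group = web.SiteGroups[groupName];   // throws if the group does not exist
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(role));
        item.RoleAssignments.Add(assignment);
    }

    // Report promotions whose ACL could expose them beyond the approved principals.
    public static List<string> Audit(SPList promotions, ICollection<string> approvedPrincipals)
    {
        List<string> findings = new List<string>();
        foreach (SPListItem item in promotions.Items)
        {
            // An item that still inherits is readable by everyone who can read the library.
            if (!item.HasUniqueRoleAssignments)
            {
                findings.Add(item.Url + ": inherits library permissions");
                continue;
            }
            foreach (SPRoleAssignment ra in item.RoleAssignments)
                if (!approvedPrincipals.Contains(ra.Member.Name))
                    findings.Add(item.Url + ": unexpected principal " + ra.Member.Name);
        }
        return findings;
    }
}
```

Running the audit after each content deployment catches promotions that reached the central publishing site while still inheriting the library's permissions.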
The following illustration shows the relationship between the collaboration site, the content database and the SSPs.
Contoso account managers must be able to publish information on the partners' sites, and partners must be able to exchange information with Contoso. The Partner Portal application takes advantage of SharePoint's standard collaboration features to enable these scenarios in the following ways:
- Creating collaboration spaces. The Partner Portal application uses standard SharePoint collaboration tools, such as document libraries and task lists. As a result, the collaboration spaces provide more benefits and better communications than e-mail or telephone calls. Documents are tracked and versioned, tasks are recorded and their status monitored, and pertinent information is posted in a timely manner.
- Extending collaboration. SharePoint makes it easy to add additional collaboration features, such as blogs and wikis, by changing the partner site's configuration. In addition, each partner site can be branded and customized. This is not shown in the Partner Portal application.
- Aggregating promotional information. The Partner Portal application uses Web Parts to query for promotional information on the central publishing site. The information is then displayed on the partner's home page.
- Extending navigation. The Partner Portal application extends the standard SharePoint navigational features to provide cross-site navigation. This allows the partner to navigate between the Partner Portal site, the promotional information site, and the catalog site.
For more information, see Considerations for Content-Driven Applications. This topic also provides guidance on other issues such as custom navigation, site branding, content deployment, and the central template gallery.
Accessing LOB Information
The following illustration shows the relationship between the Partner Portal, the LOB systems, the content database and the SSPs.
The Partner Portal application displays information from the LOB systems on each partner's site. This means that the partners do not need to rely on Contoso employees to access this information. The SharePoint infrastructure includes security mechanisms that protect each partner's privacy. It also provides the functionality for integrating information from LOB systems into SharePoint applications. The Partner Portal application takes advantage of these capabilities in the following ways:
- Promoting self-service to improve efficiency and lower cost. The Partner Portal provides a catalog that partners use to see product information, which is in the LOB systems. The LOB systems expose this data through Web services. The Business Data Catalog (BDC), which is provided by SharePoint, determines how SharePoint accesses these services and provides the Web parts that bind to and display this data.
Another way to display LOB information is with data field types, which allow you to include the information in SharePoint lists. This technique is not implemented in the Partner Portal application.
- Searching LOB data. Partners can search for product information. The Partner Portal application uses Web services and the BDC to crawl the catalog and create a search index. The detailed product information is gathered from the LOB systems and includes sensitive data such as pricing.
- Protecting confidential information. The Partner Portal application displays partner-specific pricing information and incident information on each partner's site. This requires that the application securely transmit the partner ID to the appropriate LOB system to extract the correct information. The application combines SharePoint security capabilities with Windows Communication Foundation (WCF) capabilities to accomplish this.
SharePoint also supports security trimming. Security trimming restricts access to pages or information to particular users. It can be applied to search results, such as the pricing information that the BDC gathers. This technique is not implemented in the Partner Portal application.
For more information about how to access LOB systems from a SharePoint application, see Integrating Line-of-Business Systems. This topic includes guidance on how to use the BDC and Windows Communication Foundation to integrate line-of-business systems that are exposed through Web services into a SharePoint application. This chapter also provides guidance on creating Web services within a SharePoint solution and on security considerations.
Managing and Approving Content
The following illustration shows the relationship between the Partner Portal, the LOB systems, the internal publishing site, the content database, and the SSPs.
Contoso managers, business analysts, and other non-technical employees create new promotions and associate them with product data and one or more partners. Promotions include product and pricing information that is stored in the LOB systems. After they are complete, the promotions go through an approval process, which is controlled by a workflow. Finally, they are deployed from the corporate authoring site to the production Partner Portal site. (The approval process is not implemented.)
The Partner Portal application demonstrates the following SharePoint capabilities:
- Creating content. SharePoint allows non-technical information workers to create content that is based on a predefined layout. They can either use a browser or a Word document.
- Approving content. SharePoint provides an approval workflow, which routes a document or item to a group of people for approval. The Partner Portal application routes promotions through this workflow before they are published.
- Assigning permissions to content. SharePoint allows you to assign access permissions to content. The Partner Portal application uses this capability to determine which partners can see which promotions.
- Deploying content. SharePoint allows you to author content in a site that is within the corporate network and deploy it to the perimeter network. The Partner Portal uses this capability to manage how promotions are deployed to the central publishing site.
- Adding LOB information to published content. The Partner Portal application uses Web Part connections to display LOB information on promotions. A filter Web Part extracts information that is entered in the publishing page by the author of the promotion. This information is the product identifier, which is the stock-keeping unit (SKU). The filter Web Part transfers the information to another Web Part that displays the product information. The product information Web Part retrieves product information from the LOB system and displays it.
For more information, see Considerations for Content-Driven Applications. This topic also provides guidance on custom navigation, site branding, content deployment, and the central template gallery.
Branding SharePoint Sites
Contoso wants all the partner sites to be consistently branded. It also wants the ability to change branding from a single location and have that change reflected across all the partner sites. To accomplish this, the Partner Portal application uses SharePoint themes and delegate controls to provide consistent branding and navigation to all partners.
SharePoint also includes capabilities to create custom branding. For example, you can include a partner logo on a site or site collection in different application instances. This is not implemented in the Partner Portal application but would be a desirable feature in a fully realized application.
For guidance on content and layout customization, site branding, content deployment and the use of the central template gallery, see Considerations for Content-Driven Applications.
Viewing and Aggregating Information
The Partner Portal can use SharePoint's search capabilities to aggregate information in different ways and display it in multiple views. The Partner Portal application uses these views in the following ways:
- To aggregate data across many sites. The Partner Portal application uses the search capability programmatically to aggregate large quantities of information that are distributed across all the partner collaboration sites. For example, Contoso employees can see a consolidated view of all the outstanding tasks for all partners for open incidents.
- To aggregate information within a site hierarchy. The Partner Portal application aggregates information within a site hierarchy to provide consolidated views to partners and account managers. SharePoint can perform searches and display information in real time. These capabilities can be expanded by business analysts and developers. The Partner Portal application aggregates information about incident status and outstanding tasks for each partner and displays it on that partner's collaboration site.
- To view information from related sites. You can use the SharePoint object model or Web services to query other sites for information. When data that is contained within SharePoint is accessed through the object model, SharePoint returns only the information that the user is authorized to see. The Partner Portal application aggregates promotional information for all partners from the central publishing site. However, partners only see the specific promotions that are intended for them.
For more information, see Techniques for Aggregating List and Site Information.