Customer Solution Case Study
/ / Records Management Solution Demonstrates Power of SharePoint As A Development Platform
Overview
Country or Region:United States
Industry:Professional Services
Customer Profile
Applied Information Sciences, Inc. (AIS), a systems and software engineering firm, applies a process-oriented approach to solutions for Fortune 100 corporations and all levels of government organizations.
Business Situation
Many organizations still lack effective policies and procedures for records management, risking extensive penalties, a tarnished reputation, and potential legal liability.
Solution
AIS developed an add-on pack for Microsoft® Office SharePoint® Server 2007 by connecting and extending features and functionality of the 2007 Microsoft Office system to meet DoD 5015.2 compliance.
Benefits
Cost-effective DoD 5015.2 compliance
Familiar, consistent user experience
A powerful development platform
Easy alignment of workflow with business needs / “Almost everything needed to support the DoD 5015.2 requirements were provided by SharePoint Server 2007. Using SharePoint as a development platform we were able address any gaps necessary.”
Russ Stalters, CTO Portals & Collaboration, Applied Information Sciences
Recent regulatory requirements make managing information both a business priority and a legal obligation. However, many organizations lack effective policies and procedures for the systematic control of business records and thus, risk penalties, a tarnished reputation, and legal liability. The DoD 5015.2-STD is a widely-adopted standard for records management, but can be expensive to meet. As a cost-effective solution for records management the SharePoint Product Group engaged Microsoft®Gold Certified Partner,Applied Information Sciences to develop an add-on pack for Microsoft Office SharePoint® Server 2007. The add-on pack will be provided to SharePoint customers and will be supported by Microsoft. By using only the object model and capabilities native to SharePoint Server 2007 and the .NET framework, AIS also demonstrated the power of the 2007 Microsoft Office system as an extensible development platform, while providing customers with a robust compliance solution without the investment in third-party software.
Situation
Recent regulatory requirements, such as the Sarbanes-Oxley Act of 2002, make managing information both a business priority and a legal obligation that demand the attention of executives and corporate boards. Many organizations still lack effective policies and procedures for systematic control of recorded information. As a result, they risk:
Extensive penalties for non-compliance
A tarnished reputation
Possible legal liability
The DoD 5015.2-STD, “Design Criteria Standards for Electronic Records Management Software Applications” (DoD 5015), is a well-known and widely-adopted industry standard for records management applications in the enterprise content management (ECM) industry. The standard offers guidelines, such as how to:
Manage records and permissions
Periodically review vital records
Manage e-mail as records
Support multi-phase lifecycle management for documents that require more-complex retention rules.
Thus, the DoD 5015 standard sets the bar for companies and other organizations in highly-regulated industries when they are choosing a records management solution.
In the past, customers using Microsoft® Office SharePoint® Portal Server 2003 needed to invest in third-party applications that would allow them to transfer documents out of a SharePoint site into a separate records management repository. Microsoft has since introduced a Records Center as a component of Microsoft Office SharePoint Server 2007, which provides a framework for creating and supporting formal records management capabilities.
While the addition of the Records Center enables SharePoint Server 2007 to provide records management capabilities, many customers require a solution that also complies with the DoD 5015 standard. Microsoft selected Applied Information Sciences (AIS), a Microsoft Gold Certified Partner, to help develop and extend the records management capabilities of SharePoint Server 2007 to include the DoD 5015 records management compliance functionality.
Solution
Based on its DoD 5015 compliance and professional software engineering expertise, AIS was hired by Microsoft to jointly develop an add-on pack to meet DoD 5015 compliance and carry the solution through certification with Microsoft. According to Russ Stalters, CTO, Portals and Collaboration, AIS, “This was an extremely collaborative project during which many of the design and implementation decisions were driven by the SharePoint Product Team.” The result is a Microsoft supported Records Center add-on pack is available to all SharePoint Server 2007 licensed customers.
A Solid, Extensible Development Platform
The development of the DoD 5015 Records Center add-on pack was made possible by the rich features and functionality of SharePoint Server 2007 and the ease of connecting and extending the features and functionality to meet the complex requirements for DoD 5015 compliance. In fact, AIS was able to develop every aspect of the solution using only the object model and capabilities native to SharePoint Server 2007and the .NET framework.
Key out-of-the-box features and functionality of SharePoint Server 2007 that were creatively extended and integrated to develop the DoD 5015 Records Center add-on pack include:
SharePoint lists and framework
Content types
Field types
Access Control Logic (ACL)
Workflow
Integration with Microsoft Exchange Server and Microsoft Office Outlook® 2007 communication and collaboration client
Search
SharePoint Lists and Policy Framework
The DoD 5015 Records Center add-on pack consists of one SharePoint Site where records are stored in document libraries. Each library has specific metadata associated with it, including metadata about each record category and record folder. These exist as lists within the site. According to Steve Rapids, Technical Lead, AIS, “SharePoint fulfills all the core requirements for a records management platform because it is a scalable metadata repository, allows metadata abstraction through content types, and permits event handling at both the list and content type levels.”
Pre-configured Data Structures: New content types, lists, and other data structures were created by AIS that are enabled in the Records Center add-on pack to provide compliance with the DoD 5015 requirements. These data structures and lists provide the infrastructure for the additional functional capabilities throughout the solution. For example, the record content type extends a stock content type by adding required metadata through new column definitions.
File Plan Builder (See Diagram 1): This feature provides a Records Manager with an updated user interface for configuring a file plan in a DoD 5015 compliant Records Center. The new user interface supports creating record categories and other file plan related constructs such as SharePoint folders, whichcan be closed to new records and can also have their own retention and disposition rules.
Created through SharePoint lists and event handlers on those lists, the File Plan Builder ties together the description of the metadata on record categories and record folders and then creates the libraries that act as the repositories for the record categories where the records are stored.
Global Events and Periods: A DoD 5015 compliant records center must address the management of global events and periods for controlling the lifecycle of records. To accomplish this, AIS established a process by which global events are defined once per site, but can be referenced by any group of records in that site where the retention rule is based on that global event. In addition, this same framework defines global periods (e.g. the fiscal year) which are used for accurately computing retention rules. This was done by simply defining specific characteristics within basic SharePoint lists and also allows customers to add, identify, and define their own events and periods as needed (See Figure 1).
Records Filed Into Multiple Categories or Folders: DoD 5015 compliance requires that a record can be stored in multiple folders or even across categories. As the retention period on a multi-location record becomes due, it must be removed from that folder but remain in the other locations. To accomplish this, the solution stores the metadata with each record, using business logic to propagate metadata from one record to another. Metadata propagation is implemented as an event receiver to the base record content type to seamlessly support this requirement. Authorized users will be able to move a record to a different folder/category. All metadata will be transferred in this move and the old copy of the record will be removed.
Applying Holds to Folders: This capability addresses the DoD 5015 requirement regarding placing an entire Record Folder on hold. To accomplish this, AIS extended the current SharePoint Server 2007 Records Center concept of a record hold to an entire folder. Now, when applied to a particular folder, a hold will trickle down to every record in that folder. In addition, any documents added to that folder after a hold is applied will be placed on hold.
This capability is a great example of the ability to extend the existing SharePoint hold framework through the API. According to Stalters, “The work required to extend the existing hold framework was pretty minimal since the heavy lifting was already handled and we could access the hold functionality through the API and object model.”
Content Types
A significant obstacle to automating compliance to meet increasingly complex standards has been the limits on how information can be classified. By using content types within SharePoint Server 2007, AIS was able to eliminate this obstacle. Microsoft Windows SharePoint Services 3.0 allows pre-defined metadata boilerplates, whichare developed so that all newly created documents automatically have appropriate metadata such as workflows, resulting actions, expiration, and other policies.
Because content types can be defined, independent of any specific list or document library, it is possible to make a given content type available to the lists on multiple SharePoint sites. This provides the ability to centrally define and manage the types of content that are stored in the site collection. Additionally, each content type is a reusable collection of settings that may be applied to any appropriate category of content.
By identifying and implementing the appropriate content types, the solution enables users to:
Manage metadata and behaviors of a document or item type in a centralized way.
Store documents with different metadata and separate workflows in the same document library or list.
Encapsulate a data schema and make it independent of a SharePoint list location.
Rapids comments, “We were able to encapsulate the metadata requirements into the content types and inherit from one content type to another, which allowed us to ‘genericize’ the code and process instances of those content types based on the business needs. This conceptually empowers end users to further extend metadata to support their individual corporate needs.”
Record Relationships: For a records center to meet the DoD 5015 standards, it must add a metadata column to every record which identifies the relationships between the records, linking each record according to an administrator-defined relationship (e.g., Record A is a rendition of Record B). All links must be reciprocal and must automatically update as items are moved or deleted. Additionally, versions of the same record must also be identified with a numeric value which also must be added to each version of a submitted document.
To accomplish this requirement, AIS defined custom columns and fields and developed a dialog box through which users can identify the appropriate relationship type and the target of that relationship whether it is hierarchical or peer-based. To provide a user friendly user interface for navigating the Records Center and selecting target records to complete the relationship, AIS leveraged the Asset Picker Tool within SharePoint Server 2007 (See Figure 2) which is used by the Web Publishing Portal site. The Asset Picker is a tool that can be used by third parties to allow a user to select a SharePoint item. It is also used by several out of the box SharePoint features, such as the Publishing Hyperlink.
Enhanced Records Upload: For DoD 5015 compliance, the solution also has to automate data population of record properties. Additionally, the solution must provide the capability to upload non-electronic records.
For an electronic record upload, the metadata values are inherited from the parent container for that record content type. Because non-electronic records do not have an electronic file that can be uploaded, AIS developed a stub file.This stub file is created to indicate that the record is non-electronic and direct the user to the metadata that identifies the location of the actual record.
Field types
AIS developers leveraged extensible field types to set up security and permissions for records to meet DoD 5015 compliance. By setting values on each field and security levels based on those field values, AIS provided the required security and permissions for such levels as “Secret” and “Top Secret”.
Metadata Propagation Between Categories, Folders, and Records: This feature addresses the DoD 5015 requirement for the propagation of metadata values between categories, folders, and records. AIS met this standard by storing metadata in three separate wells: metadata about categories, metadata about folders within those categories, and metadata about records within those folders. Each well also has a separate schema with defined columns. As needed, these metadata values can be propagated between those wells. Specifically, AIS developers created custom field types with code behind the fields, so when creating a new folder the custom field looks up to parent categories and copies the default properties from the categoryto the folder.
Closing Record Folders: To meet DoD 5015 compliance, it must be possible to close a Record Folder to prevent users from adding additional files or records to that folder, while still allowing them to view the records within the closed folder. Because there was no concept of closing a SharePoint folder, AIS developed this capability by using a combination of fields on content types to define whether a folder was closed or not. Because the filing status is checked when a record is added, an exception is presented if the container is closed.
Access Control Logic (ACL)
DoD 5015 compliance requires the capability to address advanced access control logic (ACL). Access must be controlled based upon a record’s folder, category, metadata values, and a special field called the “supplemental markings” list.
To accomplish this, AIS replaced the administrator-defined, per-item ACL’s with a system that examines the values of an item’s metadata to dynamically generate a unique ACL. In addition, users can be constrained from assigning a value to a metadata column if they do not have access or permissions to that property value. This feature will also limit the editing permission for records to enforce that constraint.
The solution also allows administrators to define how the markings are applied and be assured that they are being applied appropriately. The supplemental marking and the metadata that describes that marking are then stored in a SharePoint list that determines who has access to the supplemental marking. According to Rapids, “This allowed us to enforce security at all the required levels of granularity.”
Workflow
Because Windows SharePoint Services 3.0 now supports an extensible timer job infrastructure, the solution is able to quickly host scheduled or long running jobs within SharePoint Server 2007. According to Rapids, “Because workflows can be tied to individual content types or lists we are able to very specifically identify workflows for each business process need and enforce any given business process.”
Vital Record Review: To meet DoD 5015 compliance a records management solution must provide a mechanism to define periodic review cycles for vital records. The new framework must provide a way to track when records are due for review and then mark them with the date of the last review.
To satisfy this requirement, AIS wrote custom workflows and deployed them as features within the Records Center to make them available. These were developed using Microsoft Visual Studio® 2005 and Windows Workflow Foundation. According to Alex Holcombe, Technical Lead, AIS, “A lot of functionality, job processing framework and security was already there, so we just extended the custom fields that we needed and were able to re-use those workflows across the solution. We also implemented functionality on top of that to keep track of what the security permissions should be and apply them to the right place. We then just let SharePoint Server 2007 take it from there.”
Enhanced Disposition Processing: AIS also extended the existing disposition framework of SharePoint Server 2007 to support the more comprehensive DoD 5015 standards, allowing records managers to: