IMI...IMI is Content-agnostic data content is decoupled workflows data structure and manipulation is modelled according to business needs via a meta-data management tool - MDMT Internal

Internal market, Industry,

Entrepreneurship and SMEs

IMI Internal Market Information System

EDPB IT Board meeting

Brussels, 4th May 2017 DG GROW R.4 – Single Market Service Centre



2

Content

IMI fundamentals

IMI architecture

IMI security

IMI Implementation model

Demo



IMI Fundamentals



4

IMI concept

Fundamentals on IMI

IMI is a PaaS (Platform-as-a-Service)

no SW development for implementing new business modules

IMI is Generic:

functional reusability via configurable workflows

trade-off reusability/customisability



5

IMI concept

Fundamentals on IMI:

IMI is Workflow-driven

data is processed through structured workflows according to status-related views and actions, and to granted permissions

IMI is Content-agnostic

data content is decoupled workflows

data structure and manipulation is modelled according to business needs via a meta-data management tool - MDMT



IMI Architecture



7

IMI Architecture

Main characteristics

Service Oriented

N-Tier



8

IMI Architecture

Technology

Database: Oracle

Application server: Oracle Weblogic

Back-end development: JEE and Spring (Security, Integration, Web Service)

Front-end development: ExtJS (MVC, UI components)



9

Deployment view



10

Deployment view

Multiple

environments

Dev

Test

Training

Production

Multiple

sub-systems

Back-office

Scheduler

Connect

Integration

Front-office

Configurations

Fault-tolerance

Single-node



11

Back office



12

Back-office

Core services

Authentication and authorisation services

Authorities and users management

Workflow engine: status machine

Multilingual support:

Label translations

Integration with Machine Translation @EC



13

Back-office

Modules

Specific configurations of available workflows within a legal area or domain

MDMT definitions: data structure and validation, screens, reports, searches

Workflows

Standard: Request, Alert, Notification, Notification-driven repository, Directly managed repository

Special: SOLVIT, EPC



14

Back-office

Repository services

MDMT

Dynamic screen generation

Dynamic reports generation

Entries access control

Import/Export: interoperability via REST-ful web-services



15

Scheduler



16

Scheduler

Execution of system's automatic actions

Automatic email notifications and reminders

Workflow timers and automatic actions



17

EPC Front office



18

EPC Front-office Core services

User authentication and authorisation

Simplified workflow engine (no handling of MDMT definitions)

Report generation

Multi-lingual support

Main functionality

Professional's profile management

EPC applications management

Documents management



19

Connect and Integration server



20

Connect and Integration

Connect

Interconnection with external systems

Supports multiple communication channels: Java Message Service (JMS), web-services

Integration

Communication between sub-systems

Queues of messages



IMI Security



22

IMI Security

Security governance

Security plan in compliance with COM decision 3602 and implementing rules and approved by HR.DS

Data protection rules under EDPS scrutiny

Access and authorisation management delegated to officially appointed Member States IMI Coordinators

MoU and SLA with DIGIT for hosting



23

IMI Security

Hosting security

System hosted in the EC Data Centre in Luxemburg

DC physically secured and mirrored in a remote site for disaster recovery

System deployed over virtual environments in a server farm

No remote root or administrator access allowed (only on local console)

24/7 incident handling and reporting procedures in place



24

IMI Security

Application security

Spring Security framework

Access to the system only allowed to authenticated users

Authorisation mechanism based on logical data partitioning (modules, workflows, sections, etc.) and user roles

Data validation to prevent injection or scripting attacks



25

IMI Security

Application security

HTTPS protocol for end-to-end connection encryption

Auditing and logging:

Application and database level: accesses and actions

Reverse proxy level: identification of incoming traffic based on IP addresses

Penetration testing and code review of main releases

Continuous improvement of coding practices



26

IMI Security

Back-office User Authentication

Username + password + 12 digits security code

Strong password policy (structure, duration, reuse, etc.)

PBKDF2 hashing of stored user credentials

Front-office User Authentication

ECAS



27

IMI Security

Authorisation and access control

Data organised in structured units called "workflow items" (e.g. a Request)

Access to data in individual workflow items and execution of available actions in every status are checked against actor's permissions

Permissions are managed at:

Authority level: granted access to a module and authority's role

User level: available roles within the granted access



IMI implementation model



29

Adding a new module in IMI

Legal aspects:

IMI Regulation annex and/or relevant policy legislation (co-decision proc.)

OR via an Implementing act (e.g. launching a pilot, replacing an

existing system)

Users input:

Legislator / Policy unit expresses the needs

IMI team maps needs to existing technical solution

Workflow content defined in cooperation with Member States experts

Support:

Training sessions for IMI users, Helpdesk support



30

Existing workflow done directly by DG GROW, NO development required

1.Select an existing workflow

2. Define the content

3. Define the visual display

to users

Policy-specific configurations: - Centralised / decentralised

processing of information - EC involvement in the

procedures - Active or passive involvement

of recipients (e.g. alerts)

Multiple layouts are available: - User Interface - Search (criteria, results, preview) - Reports - Email fields - External web-services

> 35 types of fields (date, text, lists, documents, tabs, …)

- Control behaviour throughout workflow

- Content is and will always remain policy specific




31

New workflow required

Implementation is fast (3-4 weeks) and highly qualitative due to semi-automated development:

Workflow specified in XML

Auto-generation of all configuration data for the IMI workflow engine (wf statuses, actions, transitions, permissions, …) - ready to be inserted in the database

Auto-generation of templates for Java classes

The development team can focus exclusively on the implementation of the business logic

Further available for all IMI users




32

Example – new workflow for PQ Alert



33

Workflow described in XML format

Emails to be sent when this action is taken

Definition of one workflow action

Definition of who can take this action

Definition of the status resulting from this action

Status in which the action is available

How to log this action in the history

3

3



34

Workflow described in XML format

Users with access to the entry with personal data

Definition of view permissions for one status

Users with access to the entry without personal data

Users with access to the preview only

Status



35

Configuring a PQ Alert via MDMT



36

MDMT step 1. Select an existing workflow



37

MDMT step 2. define the content (fields)



38

MDMT step 3. Drag & drop fields to define

visual display, Search, Reports, …



39

MDMT step 3 (cont.) - Search



40

MDMT end result: user's detail view



IMI Demo



42

IMI demo

Content

Article 56 Repository of cases

Article 60 Notifications

Article 61 Request for mutual assistance



Contact: [email protected]

IMI website: http://ec.europa.eu/imi-net/

?