Self-reporting via Excel power pivot in highly deferred execution mode.
Introduction
In the enterprise world, reporting is a world on his own. Enterprises have often very sophisticated reporting systems which either exists in isolation and are called from application which have the actual “ownership” on the data for which is report is generated. Ok, this needs some clarification. I’ll address this in a first paragraph. I’ll explore as well how we can easily introduce in the context of LightSwitch the notion of “self-reporting” and I’ll explain why this approach can be from an application security point of view, the best reporting solution. In a last paragraph, I’ll introduce kind of experimental or visionary reporting approach where I promise to explain what I mean with the title of this article.
What’s the problem with reporting systems external to the application?
Enterprises care about security. There are plenty of guidelines which can improve the eventual security level of an application.
For example, authentication is ideally not handled by the application itself, meaning that an application database should better not store passwords or password hashes. Enterprises often have dedicated authentication systems. In a windows environment, using Kerberos based security (windows authentication) is probably the best choice. By doing so, active directory takes care of the authentication and by means of a very intelligent ticketing mechanisms, “authorizations” are passed between systems in a highly secure manner. Also outside your domain, so in a federated context, ADFS (active directory federation services) can elegantly complement this. Proven technology !
Authorization is an other story. It’s about the users role and corresponding permissions for a specific application. Inside the server side application logic, this leads, among others, to row level security both in the retrieve and save pipeline of the business operations that can be performed with the application. A canonical example from the CRM sphere: “the user of the CRM app, the relationship manager, may see his own customers, but not those of other relationship managers. A very simple example which I’ll use in what comes next.
When it comes to reporting, this can become problematic from an application security perspective. Dedicated reporting systems often make a direct connection to the application database. In LightSwitch, implementing the above row level security example is quite trivial. But when my external reporting system makes direct database connections, the rule can easily be bypassed. Obviously, the reporting system can easily implement that same rule as well but that means we are less D.R.Y. (don’t repeat yourself) and worse, when the rule one day changes, we might forgot to implement it in the reporting system. In short, such an external reporting system can be a source of many application security issues !
What’s the solution:
Reporting systems should connect to the application service layer
A LightSwitch app exposes its internal odata service. As a result, when our reporting solution connects to the same service for retrieving the data on which the report is built, we never run in the kind of security trouble described above. When I can see in the application only the customers which are related to me as a relationship manager, the reporting system connecting to the same odata feed, will never make it possible to report on the customers of the other relationship managers.
How does power pivot becomes mega power pivot when used in combination with LightSwitch?
Excel power pivot is such a self-reporting solution which can simply connect to an odata stream of an application. When using windows authentication from the excel application combined with an https-based data connection we can say that this is the most secure reporting solution.
How can we make self-reporting more user friendly.
Obviously, the most classic approach of reporting is the one where the report is generated by the application itself (server side) and the report is “streamed” to the client. So, this is not the self-reporting scenario. Of course, this “internal reporting solution”, is when it comes to row-level-security completely ok. There are quite some solutions described for applying this approach with LightSwitch. It’s clear that such a scenario, puts some extra load on the server side processing and causes also the data traffic of streaming the report to the client. The load on the server is about the data retrieval, the querying, the report formatting and so on. In the power-pivot scenario part of this is dispatched to the client and furthermore, the user has full degrees-of-freedom when it comes to report formatting, which is great… when he needs this.
As IT guys, we are happy with what excel is offering us when it comes to establishing odata connections to application data feeds. Indeed, simply provide the https address of your data service (in lightswitch, this is the famous ApplicationData.svc) and .. you are all set.
Nonetheless, not every user will be happy with this approach, simply because it’s too technical.
So, I’m currently wondering, but don’t expect over here a full sample with a working solution, if we can not combine the comfort of a report generated by the application with the flexibility of the power pivot approach.
The approach I have in mind boils down to the following:
The user sends from the client side an request to the server for a specific report on a specific (set of) entities. The server will this time not generate a report but streams an excel file to the client side which contains no data at all, but contains the material necessary for simply executing the Odata query, so with everything in place (connection strings, user credentials, …) in such a way that one press on the refresh button generates the report. So, the user gets a self-containing excel without odata setup trouble. So, this approach would drastically reduce the load on the server and since there are no data sent over the wire, the response (the excel file) will be delivered in milliseconds to the client.
This explains the second part in the title of this article: the highly deferred execution mode. In Linq terminology, deferred execution means that a Linq query statement is nothing more than the declaration of “an intention”. The formulation of a Linq query will, a such, never trigger database access. The actual database access is “deferred” until the data is really needed. (e.g. by applying a “ToList()” to the entity collection). Linq-beginners often misunderstand these concepts.
The above reporting approach would potentially go one step further and defer the query execution until the user opens the data-less excel file and presses the refresh button. Furthermore, when he opens the same excel the day after, he’ll get the latest data…
Just an idea…
I’m not in the habit of writing LightSwitch related articles without code. This is probably my first code-free post 
I’m not sure if the above makes sense and I’m even more wondering if an actual implementation would be feasible.
So, please try it, write an LightSwitch extension for it, take patents, commercialize it, and give me a free licence. Thanks in advance.
Hi Paul,
This article covers a similar scenario to what you’re trying to do, no?
http://blogs.msdn.com/b/sharepointdev/archive/2012/02/09/how-to-programmatically-update-an-odc-file-shubh-raj-singh.aspx
Hi Chris,
Wow, you are very fast
Thanks, that’s a great reference. It makes for me the whole idea already less “experimental”.
[...] Self-reporting via Excel power pivot in highly deferred execution mode. [...]
[...] Self-reporting via Excel power pivot in highly deferred execution mode. [...]
[...] Self-reporting via Excel power pivot in highly deferred execution mode. [...]
Excellent post, and since I’m coming from a Business Intelligence/PowerPivot background rather than a dev background it’s one I can provide some useful feedback on I hope.
You are 100% correct that users would prefer to have pre-generated reports, and this is not something that’s easy to provide today. There are third party products that allow you to programmatically generate customised Excel documents, for example http://www.officewriter.com/, and that approach would give you exactly what you want but at a cost in terms of money and development time.
However, an easier approach would be to push the parameterisation back to Excel, rather than have it done in LightSwitch. With Excel 2013 you can now change the connection strings that PowerPivot uses with VBA (see http://cwebbbi.wordpress.com/2013/01/06/parameterising-powerpivot-connection-strings-in-excel-2013/); and with the new Data Explorer Excel addin from Microsoft it’s very easy to create parameterised calls to an OData service (or indeed any web service) and take the parameter values direct from an Excel spreadsheet (see http://cwebbbi.wordpress.com/2013/03/04/calling-a-web-service-from-data-explorer-part-1/ and http://cwebbbi.wordpress.com/2013/03/04/calling-a-web-service-from-data-explorer-part-2/). Yes, the user still has to chose a parameter before they get the data, but those parameters can be prepopulated from your OData service and the user has the flexibility of a single report that can work on any data they need, instead of having to keep going back to the LightSwitch app every time they need a new slice of data. And of course this Excel report can be stored in Excel Services or on a file share, and linked to from the LightSwitch app; and you still get all the benefits you talk about with using the LightSwitch app as the data source.
Thanks for this great info !
[...] and LightSwitch of course does this out of the box with its OData feeds. I came across a great post by Paul van Bladel the other day that sums up these arguments much better than I ever could, so I suggest you check it [...]
[...] and LightSwitch of course does this out of the box with its OData feeds. I came across a great post by Paul van Bladel the other day that sums up these arguments much better than I ever could, so I suggest you check it [...]