Solution Design Document
Project: OpenText Documentum Content Management for Microsoft 365
Version: 2.0 (Final)
Target Architecture: Intranet / Split-Tunnel (No Inbound Public Access)
1.0 Executive Summary
This solution integrates OpenText Documentum (the System of Record) with the Microsoft 365 ecosystem. The architecture uses a "Portal" approach in which the Documentum user interface (SmartView) is embedded within Microsoft containers (Teams Tabs or SharePoint Pages) to provide seamless access to secure repository content.
Key Architectural Principles:
- Data Sovereignty: Documentum remains the single source of truth. Microsoft SharePoint is used strictly as a transient/temporary cache for co-authoring sessions. Data is purged from the cloud immediately upon check-in.
- Zero Trust Security: No user credentials are processed by the integration server. Authentication relies entirely on OIDC/OAuth2 federation between Microsoft Entra ID and OpenText Directory Services (OTDS).
- Intranet Deployment: The integration server resides on the internal corporate network. It does not require inbound internet access; it uses outbound-only HTTPS connections to the Microsoft Graph API for data transfers.
2.0 Solution Scenarios (Scope Selection)
Select the scenario relevant to your implementation. The architecture supports implementing Scenario B without the overhead of Scenario A.
Scenario A: Microsoft Teams Collaboration (Full Integration)
- Use Case: Collaborative editing inside Teams Channels, Chat integration, dynamic Team-based security mapping.
- Behavior: Maps a specific Microsoft Team Channel to a Documentum Folder. Syncs Team Members to Documentum Groups automatically.
- Dependency: Requires the Notification Service and a dedicated Database.
Scenario B: SharePoint Page Portal (Lightweight Integration)
- Use Case: Publishing content, Dashboards, and standard Document Library access via SharePoint Intranet sites.
- Behavior: Embeds the Documentum SmartView UI as a "Web Part" on a SharePoint Site Page.
- Dependency: Does NOT require the Notification Service or an extra Database. Identity management relies on standard Enterprise (LDAP/AD) synchronization.
3.0 High-Level Architecture
The following diagram illustrates the Split-Traffic model. The User connects internally, but the Server communicates with the Cloud via a secure Gateway (Graph API).
3.1 Architectural Diagram (PlantUML)
[Architecture diagram not reproduced in this text version; the numbered arrows cited in 3.2 refer to it.]
3.2 Architecture Design Logic
- User Access (Split Traffic): The User is on the Intranet. They access the SmartViewM365 application directly over the internal network (Arrow 1). However, their browser also connects to Microsoft (Arrows 2 & 3) to authenticate and load the Teams/SharePoint wrapper frame.
- Integration Server (The Bridge): The Tomcat server initiates outbound connections to graph.microsoft.com (Arrow 5). This allows it to push/pull files without exposing the server to the public internet (no ingress).
- Data Sovereignty: Files are moved to SharePoint only when necessary for editing. Viewing is handled entirely internally via CTS, ensuring sensitive data does not leave the firewall for read-only operations.
4.0 Component Requirements (Modular)
4.1 Common Core (Required for BOTH SharePoint & Teams)
You must install these even if you are only doing the SharePoint Page integration.

| Component | Installation Package | Location | Justification for SharePoint Use |
|---|---|---|---|
| SmartViewM365 | SmartViewM365.war | Tomcat | This is the portal engine. SharePoint acts as an IFrame container for this application. |
| Client REST API | D2-REST | Tomcat | The generic API gateway used by the UI to talk to the backend. |
| Graph Plugin | d2sv-msgrpgh_plugin.jar | Tomcat | Critical: This enables the API to perform the "Copy/Move" operations from SharePoint Libraries. |
| Configuration | Teams-config.zip | D2-Config | Critical: Despite the name, this installs the "Import from M365" dialogs and Action Bar buttons used in the SharePoint view. |
| Repository Objects | xECMUsersProject.dar | Content Server | Defines the data model that links Documentum IDs to Microsoft IDs (Tenant/Site IDs). |

4.2 Module A: Microsoft Teams Collaboration (Optional)
These components are ONLY required if you implement the "Teams Tab" integration with member synchronization.

| Component | Installation Package | Location | Role |
|---|---|---|---|
| Notification Service | NotificationService.zip | Windows Svc | Syncs Team Members to Groups. Not needed for SharePoint (relies on AD Sync). |
| Sync Database | (Manual Creation) | Database Svr | Stores the sync state. Not needed for SharePoint. |
| SmartView Cache | TeamsSmartviewCache.dar | Content Server | Optimizes caching specifically for the Teams Client IFrame behavior. |
5.0 Data Flows & Process Logic
5.1 Ingress Flow (Importing from Cloud)
- Browse: User clicks "Import from M365". SmartView asks the Graph API to list files in the SharePoint Library.
- Selection: User selects a file and chooses "Move" or "Copy".
- Metadata: User fills in business metadata (via Creation Profile screens).
- Transfer: Tomcat streams the file binary from the Graph API through D2-REST into the Repository (Graph API -> D2-REST -> Repository).
- Cleanup: If "Move" was selected, Tomcat sends a DELETE command to the Graph API.
5.2 Egress Flow (Checkout to Cloud)
- Trigger: User clicks "Checkout to Teams" (or SharePoint).
- Locking: Repository locks the file (r_lock_owner).
- Transfer: Tomcat downloads the file and uploads it to SharePoint via the Graph API.
- Edit: User edits in Office Online (traffic flows User <-> Microsoft only). OpenText has no visibility here.
- Check-in: User returns to the SmartView Portal and clicks "Check-in":
  - Tomcat pulls the file from SharePoint.
  - Tomcat versions the file in the Repository.
  - Tomcat deletes the temporary file from SharePoint.
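The egress flow above, walked through as an added example that is not SmartViewM365 code: the Graph API and the Documentum repository are replaced by in-memory stand-ins so the ordering of the steps (lock, upload, edit, pull, version, purge, unlock) and the lock check can be exercised offline. Object ids, user names and file contents are constructed.

```python
"""Checkout / check-in ordering of section 5.2 against fake back-ends."""

class FakeRepository:
    """Stand-in for Documentum: version list per object id plus r_lock_owner."""
    def __init__(self):
        self.versions = {"doc-1": [b"v1 contents"]}   # constructed sample object
        self.lock_owner = {}                           # obj_id -> user holding the lock

class FakeGraph:
    """Stand-in for SharePoint reached via Graph: temporary copies by name."""
    def __init__(self):
        self.items = {}    # name -> bytes currently stored in the cloud cache
        self.calls = []    # ordered audit trail of Graph operations

    def upload(self, name, data):
        self.items[name] = data
        self.calls.append(("PUT", name))

    def download(self, name):
        self.calls.append(("GET", name))
        return self.items[name]

    def delete(self, name):
        self.calls.append(("DELETE", name))
        del self.items[name]

def checkout(repo, graph, obj_id, user):
    """Lock the object in the repository, then push a copy to SharePoint."""
    holder = repo.lock_owner.get(obj_id)
    if holder not in (None, user):
        raise PermissionError(f"{obj_id} is already locked by {holder}")
    repo.lock_owner[obj_id] = user                    # Locking (r_lock_owner)
    graph.upload(obj_id, repo.versions[obj_id][-1])   # Transfer to the cloud cache
    return obj_id

def checkin(repo, graph, obj_id, user):
    """Pull the edited copy, version it, then purge the cloud copy and unlock."""
    if repo.lock_owner.get(obj_id) != user:
        raise PermissionError("check-in attempted by someone other than the lock owner")
    edited = graph.download(obj_id)          # pull from SharePoint
    repo.versions[obj_id].append(edited)     # new version is safe in the repository...
    graph.delete(obj_id)                     # ...only then is the temporary copy purged
    del repo.lock_owner[obj_id]              # release the lock
    return len(repo.versions[obj_id])        # new version count
```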
6.0 Security Architecture & Permissions (Split)
6.1 Strict Requirements for SharePoint Page Integration (Scenario B)
These permissions are the minimum required to allow users to view, edit, and import files via the SharePoint Page Portal.
A. Microsoft Graph - Delegated Permissions (run in the context of the logged-in user)

| Scope | Description | Justification |
|---|---|---|
| User.Read | Sign in / Profile. | Required for SSO/Auth. |
| Files.Read.All | Read all files. | Ingress: Required to list/download files for Import. |
| Files.ReadWrite.All | Read/Write all files. | Egress: Required to upload files for Checkout/Edit. |
| Sites.Read.All | Read sites. | Browsing SharePoint libraries to map folders. |
| offline_access | Refresh Token. | Keeps the session alive without re-login. |

B. SharePoint - Delegated Permissions (specific to SharePoint Site navigation)

| Scope | Description | Justification |
|---|---|---|
| AllSites.Read | Read items in all sites. | Browsing libraries for Import. |
| AllSites.Write | Read/Write items. | Uploading temporary files for editing. |
| MyFiles.Read / MyFiles.Write | Read/Write user files. | OneDrive Personal integration. |

6.2 Extended Requirements for Teams Integration (Scenario A)
These permissions are ONLY required if you implement the Teams Module with the Notification Service. If doing SharePoint only, DO NOT grant these.
A. Microsoft Graph - Application Permissions (run in the context of the Background Service - high privilege)

| Scope | Description | Justification (Teams Only) |
|---|---|---|
| Directory.Read.All | Read directory data. | Syncing user details for mapping. |
| GroupMember.Read.All | Read group memberships. | Critical: Syncing Team Members to Documentum Groups. |
| TeamMember.Read.All | Read team members. | Detecting membership changes in Teams. |
| User.Read.All | Read all profiles. | Mapping Azure UPN to Documentum User Name. |

B. Microsoft Graph - Delegated Permissions (Additional)

| Scope | Description | Justification (Teams Only) |
|---|---|---|
| TeamMember.Read.All | Read user's teams. | Determining user context within the Teams Client. |
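The split between 6.1 and 6.2 is easy to lose once several people have consented permissions on the app registration. The following added example (not part of the original document) audits the grants shown in the Entra "API permissions" blade against the two scenario allow-lists; the grants are modelled as (resource, scope, kind) tuples and the sample deployment is constructed.

```python
"""Least-privilege audit of an app registration against sections 6.1 and 6.2."""

# Section 6.1: minimum grants for the SharePoint Page Portal (Scenario B).
SCENARIO_B = {
    ("Graph", "User.Read", "Delegated"),
    ("Graph", "Files.Read.All", "Delegated"),
    ("Graph", "Files.ReadWrite.All", "Delegated"),
    ("Graph", "Sites.Read.All", "Delegated"),
    ("Graph", "offline_access", "Delegated"),
    ("SharePoint", "AllSites.Read", "Delegated"),
    ("SharePoint", "AllSites.Write", "Delegated"),
    ("SharePoint", "MyFiles.Read", "Delegated"),   # document lists "MyFiles.Read / Write"
    ("SharePoint", "MyFiles.Write", "Delegated"),
}
# Section 6.2: only when the Teams Notification Service (Scenario A) is deployed.
SCENARIO_A_EXTRA = {
    ("Graph", "Directory.Read.All", "Application"),
    ("Graph", "GroupMember.Read.All", "Application"),
    ("Graph", "TeamMember.Read.All", "Application"),
    ("Graph", "User.Read.All", "Application"),
    ("Graph", "TeamMember.Read.All", "Delegated"),
}

def _fmt(grant):
    return ":".join(grant)   # e.g. "Graph:Directory.Read.All:Application"

def audit_grants(grants, teams_module_enabled):
    """Return (unexpected, missing): grants outside the scenario's allow-list,
    and allow-listed grants that have not been consented."""
    allowed = SCENARIO_B | (SCENARIO_A_EXTRA if teams_module_enabled else set())
    present = set(grants)
    unexpected = sorted(_fmt(g) for g in present - allowed)
    missing = sorted(_fmt(g) for g in allowed - present)
    return unexpected, missing

# Constructed sample: a SharePoint-only deployment where the high-privilege
# Application roles meant for the Teams service were consented anyway.
SAMPLE_GRANTS = SCENARIO_B | {
    ("Graph", "Directory.Read.All", "Application"),
    ("Graph", "GroupMember.Read.All", "Application"),
}

if __name__ == "__main__":
    unexpected, missing = audit_grants(SAMPLE_GRANTS, teams_module_enabled=False)
    print("Grants to revoke (exceed Scenario B):", unexpected)
    print("Grants still missing:", missing)
```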
6.3 Security Controls & Compliance
- HTTPS Enforcement: All traffic between User, Microsoft, and Tomcat is encrypted via TLS 1.2+.
- Secret Management: Database passwords for the Notification Service are stored in DSIS Vault, not plain text.
- Purview Awareness: The system respects Microsoft Sensitivity Labels. Sensitive content is excluded from Search Indexing and Unsecured Renditions to prevent leakage.
- CORS/CSRF: rest-api-runtime.properties is hardened to allow requests only from the specific Teams/SharePoint domains (rest.cors.allowed.origins).
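The CORS hardening above hinges on how strictly the allowed origins are matched. This added example (not the D2-REST implementation) parses a constructed rest-api-runtime.properties fragment in its weak and hardened forms and applies an exact scheme, host and port comparison, so a look-alike host that merely contains the SharePoint hostname is rejected; the tenant hostname and the treatment of a bare wildcard are assumptions.

```python
"""Exact-match origin allow-list check modelled on rest.cors.allowed.origins."""
from urllib.parse import urlsplit

# Constructed fragments: the wildcard 'before' and the hardened 'after' of 6.3.
WEAK_PROPERTIES = "rest.cors.allowed.origins=*\n"
HARDENED_PROPERTIES = (
    "# Only the Microsoft containers that embed SmartViewM365 may call D2-REST\n"
    "rest.cors.allowed.origins=https://contoso.sharepoint.com,"
    "https://teams.microsoft.com\n"
)

def parse_allowed_origins(properties_text):
    """Return the origins configured in rest.cors.allowed.origins (comma separated)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "rest.cors.allowed.origins":
            return [o.strip() for o in value.split(",") if o.strip()]
    return []

def _normalize(origin):
    """Reduce an origin to (scheme, host, port); None if it is not a plain https origin."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname or parts.path not in ("", "/"):
        return None
    if parts.query or parts.fragment:
        return None
    return (parts.scheme, parts.hostname.lower(), parts.port or 443)

def is_origin_allowed(origin_header, allowed_origins):
    """True only when the browser's Origin equals an allow-listed origin exactly.
    A bare '*' is treated as a misconfiguration (assumption) and never matches."""
    wanted = _normalize(origin_header)
    if wanted is None:
        return False
    return any(_normalize(a) == wanted for a in allowed_origins if a != "*")
```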
7.0 Infrastructure Prerequisites
7.1 Integration Server (Tomcat Host)
- Hardware: 4 CPU, 8GB-16GB RAM (high memory required for file buffering).
- OS: RHEL 8/9 or Windows Server 2022.
- Software:
  - JDK 21 (Certified) or JDK 17.
  - Apache Tomcat 10.1.x.
- Network:
  - Internal: Accessible by Client Workstations on Port 443.
  - External: Outbound access to graph.microsoft.com:443 (via Proxy if needed).
7.2 Database (Scenario A - Teams Only)
- Type: PostgreSQL (16.x - 17.x) OR Oracle (19c, 21c, 23ai).
- Storage: 10GB (small footprint, transactional data only).
- Note: Can be a schema on an existing DB server, but logically separate.
8.0 Deployment & Configuration Strategy
8.1 Deployment Order
- Identity: Configure OTDS to sync with Azure AD.
- Database: Provision the PostgreSQL DB for the Notification Service (if using Teams).
- Repository: Install xECMUsersProject.dar (and TeamsSmartviewCache.dar if using Teams).
- Tomcat:
  - Install SmartViewM365.war and D2-REST.war.
  - Critical: Copy d2sv-msgrpgh_plugin.jar to D2-REST/lib.
  - Configure msgraph.properties (Proxy/API details).
  - Configure rest-api-runtime.properties (CORS/Security).
- Service: Install and start the Notification Service (if using Teams).
- Config App: Import Teams-config.zip into D2-Config to build the UI (required for BOTH).
- Microsoft: Upload the App Manifest (.zip) to the Teams/SharePoint Admin Center.