CMDBuild Newsletter nr. 99

The CMDBuild Development Team started working a couple of months ago on the CMDBuild 3.4.3 version, which, together with a further minor 3.4.4 version -expected for mid-next year-, will lead us to the new 4.0 version.

The planned innovations include:

• improvements to the view configuration function;
• restoration of the possibility of managing hierarchical BIM projects (IFC format);
• extension of “autovalue” management (automatic field valorizations), at form level as well as individual attributes;
• possibility to automatically add all the class attributes in the import / export templates;
• improvements to the service management page in the Administration Module (possibility of starting internal services);
• module to analyze CSV files in waterWAY;
• persistence of notifications on the mobile APP;
• compatibility with PostgreSQL 15;
• other minor improvements;
• bug fixes.

The release will take place by the end of this year.

In parallel we are working on the first phase of analysis and design of the new CMDBuild 4.0 project, about which we have broadly defined the main work areas.
For some of them we are already proceeding, in successive steps, with the definition of the macro-objectives, the analysis of risks and impacts, the definition of the detailed specifications and the writing of the technical design documents.

We will provide you with a first overview of the new project in the webinar announced later in this newsletter.

Security has always been a fundamental criterion that guided us in the development of the different versions of CMDBuild.
The increasingly frequent compliance checks carried out by users of our applications, with increasingly advanced tools and with generally positive results, demonstrate the goodness of the choices made by the CMDBuild Development Team.

In order to ensure a further leap in quality, the inspiring principle of the new 4.0 version will be that of “Security by design”, with a proactive approach to the topic of security (availability, confidentiality and integrity of data) which must arise already in the first design phase.

To guarantee the security of a software application, an adequate initial design of the architecture is not sufficient, but it is also necessary to adopt constantly updated security strategies and models throughout the entire subsequent software development cycle, in order to maintain its permanence over time.

The OWASP framework will be adopted to support the design of CMDBuild 4.0, an open-source project that has now become a “de facto” standard, which provides guidelines, tools and methodologies to improve application security.
OWASP provides 360-degree help, from identification of the most critical risks with indications of the design criteria useful for avoiding them, to suggestions on the most effective control methods, to practical guides on writing code in different languages, to test frameworks, to suggestions on development processes and organizational management methods.

Other sources of help in the design of CMDBuild 4.0 according to the “Security by design” criteria will be the ISO 27000 standard and, in Italy, the government recommendations for ICT security in Public Administrations.

To increase its diffusion, let's take a look at some case histories of the last CMDBuild Day.
Here below there is a summary of the Maximus case history, you can find here the complete intervention.

Barry Leibson is an IT Lead Engineer, working on a Team called Performance Engineering, at Maximus. Maximus is contracted by government agencies to support their programs, primarily in the areas of health and human resources. For example, Maximus was contracted by the U.S. Government during the Covid-19 pandemic. It operated call-centers and provided self-service web-based solutions. It also operated several informational websites.

Maximus is a very large company, with thousands of employees and dozens of offices spread around the U.S. Maximus maintains offices in nearly all the state capitals and a headquarters in Washington, DC. Maximus also has operations is several other countries including Canada, the UK, Italy, Saudi Arabia, providing services to those governments.

The Performance Engineering (PE) Team is part of Maximus IT, a very large organization within Maximus. PE collects IT data and works to make it actionable, both for troubleshooting current issues or planning for future. The software packages PE uses to collect and display data include Splunk, SolarWinds, AppDynamics and CMDBuild READY2USE.

OMDB is an acronym for Operations Management Data Base (name invented by Barry’s old boss's boss), is a subset of a traditional CMDB, and it was designed to replace an earlier home-grown system, which collected data mainly on behalf of application administrators about servers and what applications they were running and for what project.

When there was the need to replace this home-grown system, since OMDB is a subset of a CMDB, CMDB solutions were explored. Critical aspects for Maximus in the evaluation were the following:

• The solution had to be customizable. They couldn't start designing from scratch and needed to duplicate functionalities built into the previous system.
• The solution had to allow for easy data exchange. They expected to use automated process to import and export data from other systems on a regular basis.
• The solution had to provide a good user interface and sophisticated access-control. People with different roles within the Organization needed to add data and form relationships among those data.
• The solution had to come in within a modest budget.

CMDBuild easily met all these criteria, and they also liked the Tecnoteca people they met during the evaluation phase.

Maximus’s use of CMDBuild might be a bit atypical compared to other implementations: the majority of the data arrives via automated processes and many custom classes have been implemented (“implementation of classes is just wonderful and easy to extend”, the inheritance feature has been used a lot and the class hierarchy system is considered “fabulous”), the standard CMDBuild READY2USE workflows actually are not used, the Field Services Team has built a web-based app that basically treats OMDB as its data-store (pushing and pulling data out and in).

A CMDBuild function that has been heavily exploited is the Import/Export mechanism (using API and then CSV files), at the moment the CMDBuild Task Manager has about 75 scheduled imports, which mostly run once-a-night and such scripts pull data from several systems (for example, data from about 5.000 AWS EC2 and 800 RDS are refreshed every night, sometimes in merging mode, sometimes in synchronizing mode).

A final consideration and suggestion: at the beginning of the project implementation, it is always worth to “step back” and really think about the data-model, a good initial analysis is very important and usually saves a lot of time afterwards.

We have scheduled a webinar, dedicated to providing some initial general information on the new CMDBuild 4.0 project, for Thursday 16th November at 4.00 pm CET: main news, expected timing, current situation.
The recordings of the webinars already held remain available to interested people; here you will find the links to access.