Transforming Reporting Efficiency with Report Generator (SaaS): A Technical Guide

Contents

• Executive Summary
• Introduction
• Benefits of Transition
• Technical Overview
  • Typical Topology
  • Tenant Permission and Claims
• Migration Strategy
• Security and Compliance
  • Authentication and Authorisation
  • Data Protection and Encryption
  • Secure and Resilient Hosting Environment
  • Data Access and Querying
  • Compliance and Auditing
• Training and Support
• Contact Information

Executive Summary

Report Generator enables hospital administrators to create, run and schedule reports on patients, bookings, financial information and more. This white paper explores the benefits of migrating from an on-premises/Streets Heaver-hosted Report Generator implementation to Streets Heaver's Azure-hosted Report Generator "Software as a Service" (SaaS). It also provides technical information about the application's network topology, migration strategy and security.

Introduction

The legacy Report Generator was implemented in two ways: within a client’s infrastructure or in Streets Heaver’s data centre. It was deployed as a desktop application using Remote Desktop Protocol (RDP) or Citrix.

When deployed on-premises, clients had to allocate local resources to provision and maintain the infrastructure, which adds overhead for updates. When hosted in Streets Heaver’s data centre, updates were automated but limited by the need for named user registration, creating administrative bottlenecks.

The main challenges lie in staying up to date with updates and managing disaster recovery—whether on-premises or in Streets Heaver’s data centre. While clients seek to strengthen their disaster recovery strategies, the data centre setup cannot provide geo-redundancy.

Moving to a Microsoft Azure–hosted, Streets Heaver-managed solution addresses these issues. By leveraging Azure services and Microsoft Entra ID authentication, the new platform delivers an up-to-date, secure, and scalable foundation for the future of Streets Heaver’s solutions.

This latest version of Report Generator combines the reporting power of the original application with the reliability and security of Azure and Entra ID.

Benefits of Transition

This section details some of the benefits of transitioning to the SaaS version of Report Generator.

Enhanced Security

Report Generator (SaaS) is secured with Microsoft Entra and Compucare Authentication Services. Connections to the Compucare database are established with a read-only SQL login to ensure access is granted only to authorised users.

Streamlined User Access

User management is simplified with single sign-on and multi-factor authentication through Microsoft Entra ID. Once users are created within the Microsoft Entra ID tenant, they can be managed within the limits of the licence.

Continuous Deployment

The latest updates and features are deployed as they are made available.

Reduced Maintenance

All updates, backups and optimisations are centrally managed, reducing the burden on IT resources.

Resilience

Applications and data remain available during regional outages through geo-replication and distributed hosting.

Disaster Recovery

Data can be quickly restored in the event of failure through active replication and point-in-time backups.

Technical Overview

The Report Generator exists within the Streets Heaver Azure Hosting Environment. If a Compucare database is hosted on-premises, it will use an Azure Hybrid Connection to connect to the Report Generator. If the database is hosted in Azure, no hybrid connection is required. Instead, Report Generator Azure Services connects to the Azure SQL Server using a private endpoint.

Typical Topology

The diagram below shows how the Report Generator connects to an on-premises Compucare database.

The diagram below shows how the Report Generator connects to an Azure-hosted Compucare database.

Tenant Permission and Claims

Report Generator (SaaS) uses Microsoft Graph permissions to manage user access and functionality. Delegated permissions (applies to logged-in users) include:

• People.Read
• Presence.ReadWrite (for presence indicator)
• User.Read
• User.ReadBasic.All

Application permissions (used for non-interactive applications) include User.Read.All, which retrieves the user's name from the authentication token. Internal scopes, such as RepGen.User are also applied.

Migration Strategy

This section provides an example of a typical migration process.

Assessing Your Current Implementation

Streets Heaver would perform a full survey of your existing setup, along with any connected services and build an implementation plan. If you are already a Streets Heaver Datacentre client, the transition is much simpler.

Simplified Migration Example

This is an example of the process required to migrate from the legacy Report Generator to Report Generator (SaaS). This would be achieved with the help of your Streets Heaver Project Manager.

Prerequisites: Compucare 7 clients must be migrated to Compucare 8 and the legacy Report Generator.

1. Register Tenant ID with Streets Heaver for Report Generator (SaaS).
2. For on-premises installations of Report Generator, set up a Hybrid Connection.
3. Set up data sources for each Compucare database.
4. Convert existing legacy Report Generator reports.
5. Sign off.

Testing and Validation

There will be a degree of professional services expected to align expectations and timescales in collaboration between Streets Heaver implementation teams.

Once signed off, the legacy Report Generator will be uninstalled and the database will be removed.

Security and Compliance

Authentication and Authorisation

• All authentication takes place outside of the Report Generator itself and is handled by Microsoft Entra and Compucare Authentication Services.
• Compucare Authentication Services ensures users can only access groups and data sources for which they have explicit permissions.

Data Protection and Encryption

• Encryption at Rest: The application's data stored in Azure CosmosDB is encrypted at rest.
• MS Entra ID (formerly Azure AD) Authentication: Access to the application is restricted to authenticated users via MS Entra ID.
  • MFA is enforced via the client's tenant configuration within MS Entra ID (formerly Azure AD).
  • The enterprise application will need to be approved. Assigned Access can be enabled, and then the users and groups are restricted to the application.
• Azure Front Door: All web applications are fronted by Azure Front Door, which serves as a secure entry point for web traffic, offering several security benefits.<

Secure and Resilient Hosting Environment

• Static Web Apps: Globally distributed Azure Static Web Apps for our application's front end.
• Geo-Replicated and Load Balanced APIs: Report Generator benefits from redundancy and failover capabilities. Architecture is replicated in the UK South and UK West regions to provide load balancing and resilience.

Data Access and Querying

The application queries Compucare databases, either Azure SQL Databases or on-premises SQL databases via Azure Hybrid Connections.

• Azure SQL Databases: Queries to Azure SQL Compucare databases use secure connection protocols TLS 1.2 to ensure that data in transit is encrypted.
• On-Premises SQL Databases via Azure Hybrid Connections: The application's interaction with on-premises SQL databases is facilitated through Azure Hybrid Connections. This allows the application to access on-premises resources without exposing the internal network to the public internet.

Compliance and Auditing

• Data Storage and Handling: All data, including but not limited to report configuration and stored reports, is stored within UK-only regions in Azure Cosmos DB, and has built-in 90-day retention policies for clearing up stored reports.
• Logging and Monitoring: The application's activities are logged and monitored to identify and respond to potential security incidents. This allows all report executions and run queries to be audited.
• Regular Security Audits: The application undergoes annual external CREST-approved penetration testing, as well as regular vulnerability audits to assess its security posture and identify vulnerabilities. Any findings are promptly addressed to maintain a robust security posture. Internal and external reports are available upon request.

Training and Support

To help users familiarise themselves with the Report Generator (SaaS), Streets Heaver provides personalised training via remote sessions, which is usually included in the project costs of the system setup.

Further guidance can also be found through quarterly release webinars and detailed product "lunchtime webinars" available via the Streets Heaver YouTube channel.

Additionally, the Streets Heaver Knowledge Base is regularly updated with tutorials and how-to guides. Visit the Report Generator section of the Knowledge Base (login required) for the latest updates and support materials.

Streets Heaver can provide support in Report Generator in the following ways:

1. Guest Users:
   • The client invites the Streets Heaver Support team into their Azure tenant as guest users.
   • These users are then added via the Client Console.
2. Shared Credentials:
   • The client sets up one (or multiple) Streets Heaver users in their tenant and shares the credentials with Streets Heaver.
   • These users are then added to Report Generator via the Client Console.
3. Remote Support:
   • Our support teams provide remote assistance through calling and screen sharing.

Contact Information

Please contact the Streets Heaver Commercials team at marketing@streets-heaver.com.