So, you have your off the shelf application driving some important business process, maybe it doesn't quite do everything you need so you think about altering the application through plugins, changing source code or otherwise. Some of these changes may drive you further away from that off the shelf's product road map, making upgrading later difficult and expensive. Perhaps you don't intend to alter the code, but you may think that later on there may be a better off the shelf product that suites the needs of the business and that changing solutions is the best thing to do.
Depending on how these tools are used really drives the way these tools should be deployed and designed into a business process. If you only have one client talking to this application, you probably don't need to think too hard about how to solve this problem. However, if you have multiple clients wanting to talk to this application, you may want to give it some thought. If you have multiple clients, accessing the application in multiple different ways, then you definitely want to think about this problem.
I'm not an advocate of big design up front, but what I'm proposing isn't that exactly. What I'm suggesting is capturing the data model and contract of interactions early and use this as a way of driving an abstraction layer between the off the shelf product and the clients using that product. By doing this, you've isolated the application, meaning you can upgrade easier even if there are breaking changes, and you can introduce additional application logic all behind the safely of a contract and data model. After you've done this, anyone who uses your abstraction layer, need not know what you're using underneath. The way it should be really. This also defines a contract for working against, meaning that applications who talk to the abstraction layer can be tested easier against known behaviours.
We can start to push the boat out a little here and start thinking about roles and policy for access. There maybe different types of clients and users who wish to use the abstraction layer, and they may have different permissions and access to different resources, so how can you control access and protect your resources? You may be able to control that at the application layer, but what if you've added plug ins or additional application logic layers? And what if you change the application which manages permissions, and how do you bind them to the resources at the abstraction layer? It may be better to think in terms of the abstraction layer and data model rather than what's behind the lines of the abstraction. This way, binding to resources will be easier to control. While we're dealing with authorisation, authenticaion doesn't stray far, you'll want a way to authenticate the clients and users attempting to use the abstraction layer, and you may want that authentication to come from multiple sources, say a database user store, or an internal directory service. This will make it easier for those users to gain access to the systems, and easier to administer access through roles and policies of clients and users.
What we now have is a platform. An off the shelf application with or without additional application logic, wrapped with an abstracted and understood data model which must be accessed via an authenticaion and authorisation mechanism. Put a bow on it, you're done.
Depending on your network security preferences, you could now expand this in two ways. For every off the shelf product you employ for different business processes, you could put an abstraction layer on it with an understood data model and give access to that abstraction via the same authentication and authorisation layer you've created for the first platform, or you could replicate the authenticaion and authorisation layer and have lots of self contained, secured platforms. It doesn't particularly matter which is employed, but what should fall out of this is a common data model across several platforms, with a uniform authentication and authorisation layer.
It does raise the question of why you'd want to be doing this in the first place, you are after all creating more work than strictly necessary. There is a temptation to say "if we're building this abstraction layer, we may as well replace the off the shelf component itself". Well, let's not get ahead of ourselves. We have to remember where the business value comes from, and that's generally in products and services, not business support and operational support systems themselves. However, by abstracting the applications used and exposing the data, the cost of integration, migration and maintenance is lowered. This model can be applied to internal exposures and for exposing data on the web.
I just want to close with what I believe is the most important aspect here, and this is the business case. There is a business case for abstraction, but it does come at a cost. What it brings is contractual interactions and can lead to common, agreed upon resource based exposure.