Tuesday, January 2, 2007

I am a member of the OASIS SOA Reference Architecture Subcommittee which is part of the SOA-RM (Reference Model) Technical Committee. We had a F2F meeting before the holidays and one of the items that came up during our discussion was the need to engage the wider community to make sure that the work we are doing is relevant and applicable to implementers, and to solicit feedback for incorporation into this ongoing work. So I asked our chair if I could blog about this work and he said sure (Thanks Frank!), provided that I mention that this is a work in progress.

So, this is a work in progress :-)

On a serious note, comments/corrections/additions/pointers/hints/smoke signals are very welcome and I or any other member of the TC can act as your conduit and make sure that it is presented to the TC at large. Please feel free to leave comments on this blog entry or contact me directly. Needless to say, if your organization is part of OASIS, we are a friendly bunch of folks doing some interesting and complex work, and would very much welcome your direct participation!

On to the topic at hand. A particular interest of mine in the SOA-RA is the area of governance and we had a discussion on this topic that I wanted to share.


The starting point of the discussion was the definition of SOA as defined in the SOA-RM which states that "Service Oriented Architecture (SOA) is a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains."

But when we speak of traditional IT governance, it usually means governance applied within the Enterprise; within a single ownership domain if you will. But in the case of a SOA implementation it needs to be applied across ownership domains, across Enterprises. And that requires a different set of carrots and sticks, perhaps something much more contractual in nature rather than something direct. And that in turn brings to light the fact that what one organization considers governance will be completely different from what another organization considers governance.

At this point, I proposed a definition of governance that is consistent with the above and has resonated very well with me. Requiring no original thought on my part, I quoted Anne Thomas Manes of the Burton Group who has said “Governance refers to the processes that an enterprise puts in place to ensure that things are done right, where "right" means in accordance with best practices, architectural principles, government regulations, laws, and other determining factors. SOA governance refers to the processes used to govern adoption and implementation of SOA.” With the exception of the adoption bit, the committee members agreed that this was a good working definition. This also tied in very nicely with an earlier comment by a colleague, Ken Laskey of MITRE, that "Governance for SOA [...] is likely to parallel governance for traditional commerce", and that "There will be a range of governance depending on the perceived needs of the participants."

One of the items on my to-do list is to research the governance practices of large enterprises, especially ones in which the business units have a great deal of autonomy, to distill some lessons on what works and what does not work. At this point in time, I personally have not seen examples of SOA implementations that span Enterprises. Or rather Enterprises that are equivalent in authority/power/influence. Any examples you can share would be very appreciated.

As we progressed along this path, one of the items that became much clearer is that governance by its very nature implies the authority to govern. That authority can be formal or informal and could be codified in an explicit manner or implied. But in all cases, there is the concept of authority. Given this, implementing SOA governance requires:

  1. Formulation of policies that are appropriate to the domain
  2. The ability to enforce the policies
  3. The ability to obtain metrics on what is working and what is not
  4. Implementing feedback [and adjudication] processes that can adjust the existing policies as needed

<aniltj - personal comments>

Speaking for myself, and not for the committee at large, one of the items that we need to keep in mind regarding governance is that it should not just be the big hammer. It should also be the mechanism for providing motivators to moving to and doing the right things in a SOA. Not just the de-motivators. And the reality as regards SOA governance is that it should be an extension of your existing IT governance where you add the SOA specific bits. I think the challenge here will be figuring out what that amorphous line is. It does not make sense in the SOA RA to document IT governance components, but there is definitely overlap and mutual support. Just as with EA and SOA.

Above all, I think we need to realize that when we speak of formulating SOA policies, we are dealing with people and behavior and culture and not just technology. Which means it is messy and imprecise. As the old saying goes "Technology is easy, People? That's Hard!".

</aniltj - personal comments>

Again, a work in progress. Input and comments are solicited and welcome.

UPDATE: 1/3/07 - incorporation of off-line comments.

UPDATE: 1/4/07 - I just noticed that OASIS also has a public SOA-RM Comment Listserv, which folks can use to provide feedback as well. Please use whichever mechanism works for you.

1/2/2007 10:32 PM Eastern Standard Time  |  Comments [7]
Friday, January 5, 2007 9:37:22 AM (Eastern Standard Time, UTC-05:00)
I would like to offer my experience to help development of SOA-RA. My interests are in SOA positioning as a business-centric, technology-agnostic solution for IT; in particular, I am interested in Service Contracts and Security.

At a glance, Service Contract is one of the “IT governance components”, and it is not clear to me how SOA RM may not document such a component. To me, a Service Contract is a container and subject of SOA Governance. In more detail, I suppose, maybe mistakenly, a Service Contract contains all Policies applied to the service and to the service consumer, all service interfaces exposed to a particular consumer (this does not mean that other interfaces are hidden in a way, simply the service provider is not responsible for the results if a consumer uses a non-contracted interface), versioning and all additional obligations agreed between the service provider and consumer.

Since a Service Contract includes Policies, it is up to the nature of Policies to become “the big hammer” or not. The set of policies for a particular service and the Policy contents are definite subjects of Governance, actually run-time governance.

I agree with your definition of Governance and, following some other ideas expressed by Anne Thomas Manes, SOA requires development time Governance as well. The latter may also be expressed in the form of Policies but I prefer expression in the form of procedures with guidelines and check-points.
I think that run-time governance policies (rules) have to be automatically derived from the Service Contract. This means, we have to have a formalized way of describing the content of the Service Contract similarly to WSDL. If it requires another language or something else, I do not know yet. However, I believe that SOA RA has to clearly define a minimal list of topics specified for the Contract (to preserve business orientation defined in SOA RM) and criteria of which service may go live without a Contract (assuming, all others have to have Contracts). For example, such a simple and well-known service as a logging service requires a Contract because the service behavior depends on the nature of data it logs information about and, moreover, may be regulated by such an industry policy as SOX. At the same time, an Event Notification service operating at the lower level APIs might not need anything more than its API.

Finally, please contact me directly if you have particular tasks (especially related to the financial industry) I could help you with.

- Michael Poulin

Friday, January 5, 2007 10:18:02 PM (Eastern Standard Time, UTC-05:00)
Michael, you may want to look at the SOA-RA wiki at for information on the work to date (Please note that the Governance section has not been updated with the above material as of yet - On my TODO list). You may want to check out the section, the section and any other sections given your interests.

Are you or your organization a member of OASIS? If so, please know that the SOA-RA holds weekly Telcons on Wed and you are more than welcome to directly participate. I will ping you directly as well, so we can chat a bit. Appreciate your thoughtful response. - Anil
Anil John
Saturday, January 6, 2007 10:43:47 AM (Eastern Standard Time, UTC-05:00)
Anil, thank you for the links. Actually, this info caused a question: what is the process I and others like me have to follow? In other words, would it be better if we discuss topics/questions/issues in this blog and only then modify/edit the Wiki documents or you have another way in mind?

For example, I started to read Wiki material ServiceView/PoliciesAndContracts and found that I have a few questions and proposals. How may I articulate them?

BTW, I have found the word "contract" mentioned once in the SOA Governance section. Would you agree with my previous statement that Service Contract is THE important element of the Governance and this BLOG is the right place for related discussions?

- Michael
Michael Poulin
Saturday, January 6, 2007 7:58:13 PM (Eastern Standard Time, UTC-05:00)
>what is the process I and others like me have to follow?
>In other words, would it be better if we discuss topics/questions/issues
>in this blog and only then modify/edit the Wiki documents or you have another way in mind

In a lot of ways that depends if you are an OASIS member or not. If you or your organization is a member, you can join the TC and participate, which is the most direct and effective way to provide input (Note that OASIS has individual memberships as well as organizational members). As I noted above, I recently realized that there seems to be a SOA-RM Comment Listserv for public input. What I need to verify with the TC chair is if that listserv can serve as a place to get feedback for the RA work (Will do that when I am back at work this week and will ping you back directly on the results and blog about it as well). The advantage to both of the above options is that you get to engage directly with the full TC and you have the ability to contribute to the wiki which is open to editing only for OASIS members.

One other point is that different members of the TC sometimes focus on different aspects of the RA work. For example, while I am interested in the overall work, I tend to focus and invest a bit more of my time in the areas of Governance and Security. Others in the TC do the same to a greater or lesser extent depending on their background, expertise and interest. So there are folks on the TC who have a great deal of interest in the Policies and Contracts and on Service as a Business View who will better be able to articulate the thinking behind those sections.

Governance is a particularly difficult area to pin down in a SOA, so my intent with this blog was to make sure to engage with folks who are dealing with it on a daily basis and to hopefully pull in their experiences and lessons learned into the RA work in whatever way shape or form I could. I really am not interested in doing Architecture Astronaut work, but in making sure that the work that we do has direct relevance to the community. To that end, what I am trying to do is actively solicit opinions and input rather than sitting back and waiting for folks to maybe participate.

To answer your last question, I consider this blog to be a secondary channel for input into the process for those who are not able to or don't have the bandwidth to take advantage of the primary modes of input into the RA work. In short, I will make sure that what is provided as input here makes it to the TC for discussion but I cannot guarantee that the TC members are going to directly provide feedback back to you on this blog. But I most certainly will make sure that I respond in the areas that I am focused on.

As to your question about the Service Contract, I would say that it is an important piece in that some of the policies that are appropriate to a domain will be codified in the contract. But a service contract does not define all that is needed for governance in a SOA. Also, in the current state of the industry there is a tendency to conflate Governance and SOA Management so it becomes rather important to clearly differentiate between the two and what mechanisms need to be put into place to do both.
Anil John
Sunday, January 7, 2007 7:25:12 AM (Eastern Standard Time, UTC-05:00)
Thank you, Anil. Your intentions are more clear to me now. Just in case, I would be obliged if you refer me to those people who work primarily with Contracts and Policies.

- Michael
Michael Poulin
Tuesday, January 9, 2007 5:29:17 AM (Eastern Standard Time, UTC-05:00)
Anil, may I ask you for a favor to connect me with an editor of TheArchitecture/ServiceView section with code adsl-69-224-22-33 ?
Thank you,
- Michael
Tuesday, January 9, 2007 6:51:10 AM (Eastern Standard Time, UTC-05:00)
Michael, I will find out how best folks can engage with the rest of the TC and pass on that info. Regards - Anil
Anil John