Do we have any notion of process/methodology for this?

What is the relationship between such a process and Business Process  
Methodologies? My initial thoughts are that governance (at least as far  
as active management to some notion of an SLA) is highly related to  
Business Process Management. This is because a Business Process  
described formally (in WS-CDL, BPEL or BPML or some such) provides a  
framework for policy attachments. This way we can make policy  
statements from a high level and iteratively down the software stack  
down to a granular service level.

What sort of language do we need to express policy? Is it a language in  
which we make statements of fact and assert the facts over the  
services?
Is it a language in which we can make policy assertions over existing  
policies (perhaps specialising policies)? Is it a language that has any  
notion of generalised computation (something that might be needed for  
SLA management)?

We need to be very careful as to what sort of language we need because  
it has an impact on what sort of environment is needed to enact such  
policy statements.

Is WS-Policy enough? Do we need something a little better thought out
(perhaps something akin to PolicyRuleML)?

The language that we end up with needs to reflect what we need to
describe a wide variety of policies and needs to dovetail into
supporting a sensible methodology.

I'd be interested in any thoughts on methodology and language design  
for describing policy.

Cheers

Steve T

On 22 Nov 2005, at 00:45, Anne Thomas Manes wrote:

>  Spot on!
>
>  Governance is about process. If you aren't willing to rigorously  
> execute the process, you won't have governance. Governance tools just  
> help you execute the process. They can automate parts of the process,  
> and they can erect hurdles that make it really challenging to avoid  
> the process. And in that way, they are very useful. But if you don't  
> have strong support from above that makes it clear that the process  
> must be executed, kiss the whole thing goodbye.
>
>  Anne
>
> On 11/21/05, Sarode, Prashant <[EMAIL PROTECTED]> wrote:
>> So what I am getting confirmed here is that traditional rules and
>> mechanics of conventional IT Architecture and Governance have not yet
>> changed. The recipe for success is the same and so are the pitfalls for
>> failure.
>>
>>
>> For success you still need an Enterprise IT Architecture & Governance
>> body:
>>   • That has a strong management muscle (or at least as strong as
>>     business muscle).
>>   • That has strategic technology vision and appetite can map to
>>     business goals.
>>   • That has strong technology people who equally understand business
>>     and can make use of tools (like those mentioned by Anne) to automate
>>     SOA governance process. Most importantly, people who can win the
>>     faith of Business that SOA can deliver $ benefits to them.
>>
>> So the basics are the same... So to make a general statement: those
>> organizations which have been mildly successful with IT
>> Architecture-Governance will somewhat easily adapt to SOA governance
>> model.
>>
>> Prashant Sarode
>>
>> From: [email protected]  
>> [mailto:[EMAIL PROTECTED] On Behalf Of  
>> Biske, Todd
>> Sent: Monday, November 21, 2005 11:57 AM
>> To: [email protected]
>> Subject: RE: [service-orientated-architecture] Re: SOA Governance work
>>
>>
>>  
>>
>> Governance is one of my favorite topics.  If someone asked me the  
>> thing that will influence the success of an SOA initiative the most,  
>> it would be governance.
>>
>>  
>>
>> As someone trying to build out an SOA in a corporate IT environment,  
>> I agree with Anne's definition 100%.  A very easy way to look at it  
>> is to compare it to a traditional government.  A government has to  
>> legislate, provide infrastructure, maintain strategic plans, enforce  
>> laws (police force), etc.  These are all activities that an IT  
>> organization must do to govern an SOA.  In reality, these are all  
>> things that an IT organization should have been doing, regardless of  
>> whether SOA is being done or not. 
>>
>>  
>>
>> The same challenges that municipalities face in their strategic  
>> growth are faced by IT organizations.  Urban centers grew through a  
>> very centralized approach, but have had to become more and more  
>> decentralized due to suburban sprawl.  As rural communities have  
>> grown, they have had to work more and more with their neighboring  
>> communities, possibly sharing common infrastructure and services.   
>> The same is true of IT organizations. The urban center can be thought  
>> of as the mainframe or legacy systems.  Due to the web, web services,  
>> etc., portions of the legacy logic need to be decentralized to meet
>> the demands of the future.  At the same time, silo'd application  
>> development represents the rural communities.  These applications  
>> have grown, and the world of business processes is requiring them to  
>> work together seamlessly, rather than through inefficient handoffs  
>> and redundant processing. 
>>
>>  
>>
>> When the first tool came out claiming to provide "SOA Governance," I  
>> almost laughed out loud, knowing that there is no tool or technology  
>> that will provide SOA Governance.  There are tools and technologies  
>> that can make governance easier, but ultimately, it will come down to  
>> process and communication.  If the process and communication isn't  
>> there, the governance won't be either.  At the same time, we can't  
>> govern by process alone.  The things being enforced (i.e. the  
>> legislation) must be documented for all to see.  Herein lies the real  
>> challenge with regards to SOA or, more broadly, applying governance to
>> IT.  SOA is about looking horizontally while others are looking  
>> vertically.  How do you document the rules associated with making  
>> something an enterprise service versus an application-specific  
>> service?  Yes, we can have rules around WS-I compliance and  
>> naming conventions, but this often comes down to semantics and  
>> a strategic vision (i.e. business service blueprint).  This is akin  
>> to a business applying for a business license in a city.  There will  
>> be guidelines for the application that must be followed, but there  
>> is still a judgement that must be done by a city council as to  
>> whether they want the business in their city.  There may be general  
>> guidelines in the city master plan, and the opinions of the council  
>> members are exposed through the political process, but largely,  
>> things will be handled on a case by case basis by a set of people  
>> given the responsibility for making those decisions.  If you have the  
>> wrong people in place, you won't be successful.
>>
>>  
>>
>> -tb
>>
>>
>>  -----Original Message-----
>> From: Anne Thomas Manes [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, November 20, 2005 7:17 AM
>> To: [email protected]
>> Subject: Re: [service-orientated-architecture] Re: SOA Governance work
>>>
>>> I'd love to see further discussion on this topic. I'd love to hear  
>>> from people what governance practices they are putting into place.
>>>
>>>  Steve -- you seem to be associating governance with autonomic  
>>> computing, so I feel obliged to reiterate that governance is not  
>>> limited in scope to runtime efforts. Governance applies to all  
>>> stages of service lifecycle -- design, development, testing, QA,  
>>> release engineering, staging, provisioning, operations, client  
>>> provisioning, testing, error tracking, revisions, etc.
>>>
>>>  Certainly you want to make runtime operations run as smoothly as  
>>> possible and resolve hiccups as autonomically as possible, but I  
>>> would call that SOA management rather than SOA governance. Back to  
>>> Gautham's comment -- WSM products play an enforcement role in  
>>> governance, because they typically enforce a bunch of policies at  
>>> service provisioning time (configuring security for the service,  
>>> etc), and they enforce policies at runtime (authN, authZ, auditing,  
>>> etc). But SOA governance requires a lot more than just policy  
>>> enforcers. Enforcement is the easy part.
>>>
>>>  Governance is actually more about putting hurdles in place to  
>>> verify compliance than it is about making things go smoothly.  
>>> Governance makes sure that developers don't circumvent the ops  
>>> people so that they can get their app out more quickly. Governance  
>>> is about making sure that apps have been thoroughly tested before  
>>> they get deployed. Governance is about making sure that an app has  
>>> the proper security protections in place. Governance is about making  
>>> sure that the next consumer that gets permission to use a service  
>>> doesn't overwhelm the system and bring down 20 other apps.
>>>
>>>  Some parts of governance can be automated. Other parts of  
>>> governance can be guided using human workflow. Other parts of  
>>> governance are definitely manual in nature. For example, no one's  
>>> going to generate your corporate SOA policies for you. That takes a  
>>> lot of hard work and collaboration across departments and business  
>>> units. Defining the policies is the hard part.
>>>
>>>  The governance tools I mentioned from Systinet and WebLayers are  
>>> policy management systems. They help with the policy definition  
>>> process by providing a database to capture and maintain the  
>>> policies, and they help with policy compliance testing. Policies are  
>>> reusable artifacts that have their own lifecycle. They are defined,  
>>> codified, used, and revised. A policy management system provides the  
>>> means to:
>>>   • codify and document a policy (e.g., all services must use
>>>     literal encoding and here's how you test for compliance),
>>>   • group policies (e.g., the WS-I BP policy group comprises a
>>>     couple hundred individual policies),
>>>   • attach policies/policy groups to various service
>>>     groups/services/service artifacts
>>>   • identify when artifacts should be tested for compliance (code
>>>     check-in, build, registration, invocation, etc)
>>>   • test services/service artifacts for compliance
>>>   • report on compliance violations
>>>   • provide an approval process for compliance waivers
>>>
>>> Anne
>>>
>>> On 11/19/05, Steve Ross-Talbot <[EMAIL PROTECTED]> wrote:
>>>
>>> I agree that the workshop was not entitled governance for SOA at all.
>>> But it was very much in that direction. As you say governance is a very
>>> wide topic. Alas your reports are not available whereas the position
>>> papers at the workshop are freely available. So at least it is a start
>>> and coupled with your basic thoughts perhaps we can drive forward in
>>> the right direction.
>>>
>>> I'd be interested in any open discussion on the topic as I have spent a
>>> good deal of time talking to people about this in various roles
>>> (vendors, users and just practitioners) and thus far it remains
>>> something of a wish list rather than something that really exists in
>>> product. I do know that the companies you mentioned have made strides
>>> in this area (including Systinet - your old company, and of course
>>> Enigmatec - my old company) but we are a long way off from achieving
>>> the sort of governance that is needed to achieve the IBM vision of
>>> autonomic computing.
>>>
>>> So any ideas thoughts would be welcome and doubly so if we can make it
>>> an open discussion.
>>>
>>>  Cheers
>>>
>>>  Steve T
>>>
>>>  On 19 Nov 2005, at 13:52, Anne Thomas Manes wrote:
>>>
>>>  > Based on my experience working with clients, I disagree that the term
>>>  > "governance" is scoped to the subject of the W3C workshop on
>>>  > constraints and capabilities. I've written a lot about governance for
>>>  > Burton Group. Unfortunately, I can't share those reports with you
>>>  > because Burton Group reports are available only to subscribers.
>>>  >
>>>  > But I will share with you some basic thoughts:
>>>  >
>>>  > Governance refers to the processes that an enterprise puts in place to
>>>  > ensure that things are done right, where "right" means in accordance
>>>  > with best practices, architectural principles, government regulations,
>>>  > laws, and other determining factors. SOA governance refers to the
>>>  > processes used to govern adoption and implementation of SOA.
>>>  >
>>>  > SOA governance involves three steps:
>>>  >   1. Define SOA policies
>>>  >   2. Deploy an SOA infrastructure that supports adoption of these
>>>  >      policies
>>>  >   3. Institute a set of formal processes and procedures that verify
>>>  >      compliance with these policies
>>>  >
>>>  > SOA policies relate to issues such as:
>>>  >   • Design principles
>>>  >   • Preferred design patterns
>>>  >   • Application-factoring rules
>>>  >   • Naming conventions
>>>  >   • Metadata requirements
>>>  >   • Documentation
>>>  >   • Preferred products
>>>  >   • Product selection guidelines
>>>  >   • Preferred domain standards
>>>  >   • Preferred industry standards
>>>  >   • Methods for dealing with regulatory requirements
>>>  >   • Methods for assessing security risks
>>>  >   • Methods for implementing security based on risk factor
>>>  >   • Methods for ensuring reliability and transaction integrity
>>>  >   • Service testing
>>>  >   • New service deployment and staging
>>>  >   • Service registration
>>>  >   • Service classification
>>>  >   • Service provisioning
>>>  >   • Service configuration
>>>  >   • Service monitoring
>>>  >   • Client provisioning
>>>  >   • Service modification
>>>  >   • Service versioning
>>>  >   • Impact analysis
>>>  >   • Service level objectives (SLO)
>>>  >   • Service level agreement (SLA) compliance tracking
>>>  >   • Error tracking and resolution
>>>  >
>>>  > This list is long, but it barely scratches the surface.
>>>  >
>>>  > Products that help with SOA governance include registries,
>>>  > repositories, software asset management systems, workflow, testing
>>>  > tools, web services management.
>>>  >
>>>  > No one vendor covers the full SOA governance lifecycle.
>>>  >
>>>  > Leading players in the SOA governance software market include:
>>>  >   • Systinet and WebLayers, who provide policy management systems
>>>  >     (repository-based system for managing the lifecycle of codified
>>>  >     policies) as well as policy compliance testing tools and integrated
>>>  >     workflow for managing approval processes. Mindreef also does some
>>>  >     compliance testing, but at a much smaller scope.
>>>  >   • Systinet, Infravio, Flashline, and LogicLibrary, who provide
>>>  >     registries, repositories, and/or software asset management systems,
>>>  >     which are extremely useful for managing SOA assets and which can be
>>>  >     used as a gatekeeper for institution of governance approval processes
>>>  >     at various points in the service lifecycle (dev, testing, staging,
>>>  >     provisioning, revisions)
>>>  >   • AmberPoint, Actional, Layer 7, and Reactivity, who provide support
>>>  >     for governance at the service provisioning and runtime stages.
>>>  >
>>>  > Anne
>>>  >
>>>  > On 11/19/05, Gautham Kasinath <[EMAIL PROTECTED] > wrote:
>>>  >>
>>>  >> Thanks for the brief explanation. I am reading the workshop materials
>>>  >> from W3C on the topic, following your advice.
>>>  >>
>>>  >> Thanks again.
>>>  >>
>>>  >> Cheers
>>>  >> Gautham Kasinath
>>>  >> --- In [email protected], Steve
>>>  >> Ross-Talbot <[EMAIL PROTECTED] ...> wrote:
>>>  >> >
>>>  >> > Gautham,
>>>  >> >
>>>  >> > Normally the term governance as applied to SOA is based on the notion
>>>  >> > of static governance.
>>>  >> > This is the sort of thing that WS-Policy (which is not a standard) is
>>>  >> > all about. A recent workshop run by W3C looked at wider notions of
>>>  >> > governance including the more interesting form which is
>>>  >> > dynamic governance.
>>>  >> >
>>>  >> > It probably makes sense to take a peek at the W3C workshop papers to
>>>  >> > get a better understanding of what governance is all about.
>>>  >> >
>>>  >> > Cheers
>>>  >> >
>>>  >>  > Steve T
>>>  >> >
>>>  >> > W3C Workshop on Constraints and Capabilities for Web Services
>>>  >> > http://www.w3.org/2004/09/ws-cc-program.html#papers
>>>  >> >
>>>  >> >
>>>  >> >
>>>  >> > On 19 Nov 2005, at 00:33, Gautham Kasinath wrote:
>>>  >> >
>>>  >> > > Hello,
>>>  >> > >
>>>  >> > > What exactly is SOA governance? Is it governing an SOA framework,
>>>  >> > > like in monitoring request-response, SLA etc?
>>>  >> > >
>>>  >> > >Cheers
>>>  >> > >Gautham Kasinath
>>>  >> > >
>>>  >> > >--- In [email protected], John
>>>  >> Crupi
>>>  >> > ><[EMAIL PROTECTED]> wrote:
>>>  >> > >>
>>>  >> > >> Would you like to start with the use-cases/scenarios first to help
>>>  >> > >> narrow the problem?
>>>  >> > >>
>>>  >> > >> jc
>>>  >> > >> -----------------------------------------
>>>  >> > >> John Crupi
>>>  >> > >> CTO, Enterprise Web Services Practice
>>>  >> > >> Sun Distinguished Engineer
>>>  >> > >> AIM: JohnCrupi
>>>  >> > >> Blog: blogs.sun.com/crupi
>>>  >> > >> Cell: 301.526.7890
>>>  >> > >>
>>>  >> > >>
>>>  >> > >> On Nov 18, 2005, at 12:22 AM, Tilak Mitra wrote:
>>>  >> > >>
>>>  >> > >> > I am looking for some real world implementation of SOA
>>>  >> > >> > Governance, starting right from a project inception
>>>  >> > >> > i.e. Strategy and Visioning , through Design,
>>>  >> > >> > Implementation and right through operational and
>>>  >> > >> > runtime.
>>>  >> > >> > Any white paper / research work or material in any
>>>  >> > >> > other form would be helpful.
>>>  >> > >> > Thanks
>>>  >> > >> > Regards
>>>  >> > >> > Tilak
 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/service-orientated-architecture/

<*> To unsubscribe from this group, send an email to:
    [EMAIL PROTECTED]

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/
 

