On Jan 30, 2007, at 2:42 AM, Steve Jones wrote:

> On 29/01/07, Anne Thomas Manes <[EMAIL PROTECTED]> wrote:
>>
>> Let's say for example that the government just passed a mandate
>> that financial companies must now implement 2-factor
>> authentication for certain types of transactions. (and it did)
>> There is now a business requirement to support 2-factor
>> authentication. Hence security is a business service.
>
> I'd still say it's a support service, for the reason that this is a
> non-functional requirement on the business requirement rather than
> being a direct business requirement.
This is one of those areas that I feel confuses the masses about SOA. They get hung up in this all or none view, rather than understanding the consumer/provider relationship. A consumer of a trading service wants to execute a trade, not find out if they are authorized to make a trade (although in some cases, they may want to do this). From the perspective of the consumer, authentication is not a service. They do know that there is a policy requiring identity information to be transmitted, but they are not making an explicit authentication request.

The trading service provider, on the other hand, has to authenticate the user before performing the trade. The provider (or security intermediary) will make an explicit request for authentication to an authentication service. The trading service provider is the authentication service consumer (at least in this example).

I don't get hung up in whether we classify this as a business service or a support service. Classifications of the service type are done for many reasons, and depending on what your goals are, it will be classified differently. If my classification is intended to point to a particular technology platform, will business service or support service make a difference? Probably not. If the classification is meant to point to a particular organization for ownership, then it might (although it's too coarse grained as it stands).

Unfortunately, when the whole ESB rage started, infrastructure capabilities like security were frequently used in examples, and it got many people thinking that explicit calls to security would be required, when in reality, security should be an implied capability of business service invocations handled by the infrastructure.

-tb
