3. SOA in the conventional enterprise
[Diagram: the enterprise landscape before SOA. Back-end systems ERP (SAP), HR (PeopleSoft), CRM (Siebel), Sales Force (Custom) and a Legacy Billing system (IBM Mainframe) are connected through an ESB; Internal Customers and, across the Firewall, External Customers are partly served by Manual processes. A New Business Process, Client OnBoarding, is shown with its steps (Symbol / steps / Description): 1 Sales Force, 2 HR, 3 CRM, 4 Billing, governed by a Corporate Policy.]
4. Evolution after one year – without Governance
[Diagram: the same landscape one year later. ERP is now v2, CRM v2 and Sales Force v1.2; a Custom App, PLM and SCM have been added; Business Partners have joined the External Customers beyond the Firewall; a Compliance Policy now applies alongside the Corporate Policy. The Client OnBoarding process has grown to five steps: 1 Sales Force, 2 HR, 3 CRM, 4 Billing, 5 Custom app. The lifecycle stages Development, QA, Deployment and Operation appear along the bottom.]
15. Governance Model
[Diagram: the governance model in three tiers. (1) An SOA Governance Council at the top defines Roles and Policy: "Define Roles and Responsibilities" and "Establish Governance Process and Policies". (2) Domain owners (Domain-A owner, Domain-B owner) sit beneath it. (3) Processes and Procedures and a Common SOA Infrastructure form the base.]
16. Governance Model
[Same governance model diagram as slide 15.]
Role of the Governance Council
• Framework for Decision Making
• Allocates Responsibility across organization
• Processes involving decision making
• Metrics for monitoring effectiveness
17. Governance Model
[Same governance model diagram as slide 15.]
Policy Management Recipe
• Definition of Policies
• Creation of Policies
• Storage of Policies
• Communication of Policies
• Feedback of Policies
18. Governance Model
[Same governance model diagram as slide 15.]
What is a Domain?
• A domain contains a set of services that relate to the same business area/context
  – Billing, Purchase, Client Services
19. Governance Model
[Same governance model diagram as slide 15.]
What is a Domain?
• Each domain owns and manages these services
  – Service availability / Data and Message Format / Business Logic Encapsulation
28. Governance Process Workflow
[Diagram: an Authorized User publishes a new Web service, which appears in the registry. A Potential Consumer discovers the Web service and then: 1. Consumer requests use of the Service; 2. Consumer agrees on Terms of delivery; 3. Consumer is authorized; 4. Service is provisioned. Delivery through the ESB is monitored and recorded.]
29. Governance Requirements scenario analysis
[Diagram: three applications connected through the SOA Infrastructure: a General Ledger Application (J2EE) exposing a Financial Reporting Service and Payable/Receivable; a Customer Portal (.Net) exposing Online Ordering, Online Payable and Online Order Status; and a Warehouse Application (Mainframe – COBOL/CICS) exposing Inventory Check and Shipping/Receiving. Question posed: what are the internal control requirements? Ref: Section 404 of the Sarbanes-Oxley Act (SOX).]
30. Governance Requirements scenario analysis
[Same scenario diagram as slide 29, with one internal control (SOX 404) spelled out.]
Control Objective: Accurate recording of invoices for all authorized shipments
Risk: Missing documents or incorrect information
Control Practice: Invoice amounts are properly recorded to account, amount, period
31. Governance Requirements scenario analysis
[Same scenario diagram as slide 29, with the same control as slide 30.]
Control Objective: Accurate recording of invoices for all authorized shipments
Risk: Missing documents or incorrect information
Control Practice: Invoice amounts are properly recorded to account, amount, period
Many ways to implement…: Schema Validation, Cross Referencing
35. Identity Management
Purpose:
To establish rights and responsibilities in the registry/repository
Measuring the service usage/logging
Enforcing approval requirements
Enforcing role/individual based governance
Features:
LDAP based, SSO
Digital Identity
36. Entitlements
Purpose:
To grant fine-grained access to registry/repository assets
Features:
Ability to secure assets
Ability to classify assets and provide access
Ability to classify policies and assign roles
37. Notification and Approval
Purpose:
To trigger events in response to Create, Update, Read and Delete activities
Features:
Must be applied before and/or after interaction
Support for different notification models (Message based, Email)
38. Content Validation
Purpose:
To scan and validate contents in the Registry/Repository as per type and pre-configured compliance checks
Features:
WSDL validation
Schema validation
Validation related to interoperability
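As an added example, not part of the original deck, the following Python script puts together the two implementation options named on slide 31, schema validation and cross referencing, for the invoice control practice on slide 30 (invoice amounts recorded to the right account, amount and period for an authorized shipment), and shows the kind of message-level content validation slide 38 describes. The Invoice element layout, the contract checks, the authorized-shipment table and the sample messages are all constructed for illustration; in a real registry/repository the structural check would run against the service's published XSD rather than the hand-written contract used here.

```python
# Added example (not from the original deck): schema-style content validation
# of an inbound Invoice message plus the cross-referencing control from the
# SOX scenario: the invoice must match an authorized shipment on account,
# amount and period. Element names, checks and sample data are constructed.
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Constructed "contract" for the Invoice message: element name -> validator.
# A validator returns None when the value is acceptable, else a short reason.
def _decimal(v):
    try:
        return None if Decimal(v) >= 0 else "negative amount"
    except InvalidOperation:
        return "not a decimal"

def _period(v):
    return None if re.fullmatch(r"\d{4}-(0[1-9]|1[0-2])", v) else "period must be YYYY-MM"

def _account(v):
    return None if re.fullmatch(r"[0-9]{4}", v) else "account must be 4 digits"

INVOICE_CONTRACT = {
    "InvoiceId": lambda v: None if v.strip() else "empty",
    "ShipmentId": lambda v: None if v.strip() else "empty",
    "Account": _account,
    "Amount": _decimal,
    "Period": _period,
}

# Constructed ledger of authorized shipments (what the warehouse service would answer).
AUTHORIZED_SHIPMENTS = {
    "SH-1001": {"account": "4100", "amount": Decimal("250.00"), "period": "2024-03"},
    "SH-1002": {"account": "4100", "amount": Decimal("99.50"), "period": "2024-03"},
}

def validate_schema(xml_text):
    """Structural check: well-formed XML, every contracted element present, no extras."""
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return None, [f"malformed XML: {e}"]
    if root.tag != "Invoice":
        errors.append(f"unexpected root element {root.tag!r}")
    seen = {}
    for child in root:
        if child.tag not in INVOICE_CONTRACT:
            errors.append(f"unexpected element {child.tag!r}")
            continue
        seen[child.tag] = (child.text or "").strip()
    for name, check in INVOICE_CONTRACT.items():
        if name not in seen:
            errors.append(f"missing element {name!r}")
        else:
            problem = check(seen[name])
            if problem:
                errors.append(f"{name}: {problem}")
    return (seen if not errors else None), errors

def cross_reference(fields):
    """Control practice: the invoice must agree with an authorized shipment."""
    shipment = AUTHORIZED_SHIPMENTS.get(fields["ShipmentId"])
    if shipment is None:
        return [f"no authorized shipment {fields['ShipmentId']!r}"]
    errors = []
    if fields["Account"] != shipment["account"]:
        errors.append("account differs from shipment")
    if Decimal(fields["Amount"]) != shipment["amount"]:
        errors.append("amount differs from shipment")
    if fields["Period"] != shipment["period"]:
        errors.append("period differs from shipment")
    return errors

def check_invoice(xml_text):
    """Run both controls in order; returns (accepted, findings)."""
    fields, errors = validate_schema(xml_text)
    if errors:
        return False, errors
    errors = cross_reference(fields)
    return (not errors), errors

# Constructed sample messages: one clean, one wrong amount, one unknown shipment,
# one that fails the structural check before cross-referencing is even attempted.
GOOD = ("<Invoice><InvoiceId>INV-7</InvoiceId><ShipmentId>SH-1001</ShipmentId>"
        "<Account>4100</Account><Amount>250.00</Amount><Period>2024-03</Period></Invoice>")
WRONG_AMOUNT = GOOD.replace("250.00", "2500.00")
MISSING_DOC = GOOD.replace("SH-1001", "SH-9999")
BAD_SCHEMA = "<Invoice><InvoiceId>INV-8</InvoiceId><Amount>abc</Amount></Invoice>"

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("wrong amount", WRONG_AMOUNT),
                       ("missing doc", MISSING_DOC), ("bad schema", BAD_SCHEMA)]:
        print(label, check_invoice(msg))
```

The structural check runs first so that a message with the wrong shape never reaches the business control; the findings list is what an audit trail or notification hook (slides 37 and 39) would carry onward.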
39. Audit Trail
Purpose:
To establish accountability
To track interaction among participants and the registry/repository
Establish usage pattern
Features:
Format/Verbosity Requirements
Archival Policy
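The following Python script is an added example, not code from the original deck, showing how three of the design-time features above fit together in one guarded registry: role-based entitlements on classified assets (slide 36), notification hooks fired before and after Create, Update, Read and Delete (slide 37), and an append-only audit trail in a fixed, parseable format recording who did what, when and with what outcome (slide 39). The roles, asset classification, users and record layout are constructed for illustration; a real deployment would take identities from LDAP/SSO as slide 35 indicates.

```python
# Added example (not from the original deck): a miniature registry with
# role-based entitlements, before/after notification hooks and an audit trail.
# Roles, classifications, users and the record format are constructed.
import json
import time

class Forbidden(Exception):
    pass

class Registry:
    def __init__(self, clock=time.time):
        self._assets = {}          # asset id -> {"classification": ..., "body": ...}
        self._acl = {}             # classification -> {role: set(operations)}
        self._hooks = {"before": [], "after": []}
        self.audit = []            # append-only trail, one dict per interaction
        self._clock = clock        # injectable so the trail is reproducible in tests

    # --- entitlements: operations granted per classification and role -----
    def grant(self, classification, role, *operations):
        self._acl.setdefault(classification, {}).setdefault(role, set()).update(operations)

    def _entitled(self, user, classification, operation):
        allowed = self._acl.get(classification, {})
        return any(operation in allowed.get(role, ()) for role in user["roles"])

    # --- notifications: callbacks run before and/or after an interaction ---
    def subscribe(self, when, callback):
        self._hooks[when].append(callback)

    def _notify(self, when, event):
        for cb in self._hooks[when]:
            cb(event)

    # --- audit trail: fixed field set, denied attempts recorded too --------
    def _record(self, user, operation, asset_id, outcome, detail=""):
        entry = {"ts": round(self._clock(), 3), "user": user["id"],
                 "roles": sorted(user["roles"]), "op": operation,
                 "asset": asset_id, "outcome": outcome, "detail": detail}
        self.audit.append(entry)
        return entry

    # --- the single guarded entry point for all CRUD activity -------------
    def interact(self, user, operation, asset_id, classification=None, body=None):
        if operation not in ("create", "read", "update", "delete"):
            raise ValueError(operation)
        if operation != "create":
            asset = self._assets.get(asset_id)
            if asset is None:
                self._record(user, operation, asset_id, "denied", "no such asset")
                raise Forbidden("no such asset")
            classification = asset["classification"]   # entitlement follows the asset's class
        event = {"user": user["id"], "op": operation, "asset": asset_id}
        self._notify("before", event)
        if not self._entitled(user, classification, operation):
            self._record(user, operation, asset_id, "denied", "not entitled")
            self._notify("after", dict(event, outcome="denied"))
            raise Forbidden(f"{user['id']} may not {operation} {classification} assets")
        if operation == "create":
            self._assets[asset_id] = {"classification": classification, "body": body}
        elif operation == "update":
            self._assets[asset_id]["body"] = body
        elif operation == "delete":
            del self._assets[asset_id]
        result = self._assets[asset_id]["body"] if operation == "read" else None
        self._record(user, operation, asset_id, "ok")
        self._notify("after", dict(event, outcome="ok"))
        return result

    def audit_json_lines(self):
        """Serialise the trail as one JSON object per line (format requirement of slide 39)."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)

def demo():
    """Constructed walk-through; returns the registry and the notices that fired."""
    reg = Registry(clock=lambda: 1700000000.0)
    reg.grant("wsdl", "architect", "create", "read", "update", "delete")
    reg.grant("wsdl", "developer", "read")
    notices = []
    reg.subscribe("after", lambda ev: notices.append(ev))
    arch = {"id": "alice", "roles": {"architect"}}
    dev = {"id": "bob", "roles": {"developer"}}
    reg.interact(arch, "create", "BillingService.wsdl", "wsdl", "<definitions/>")
    reg.interact(dev, "read", "BillingService.wsdl")
    try:
        reg.interact(dev, "delete", "BillingService.wsdl")   # developer is read-only
    except Forbidden:
        pass
    return reg, notices

if __name__ == "__main__":
    registry, fired = demo()
    print(registry.audit_json_lines())
```

Denied attempts are written to the trail with the same field set as successful ones, so a later review of "who tried to delete what" does not depend on the caller having logged its own failure.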
40. Run Time Governance (some or all)
[Diagram: the run-time governance components: Service Virtualization, ESB / Message Transport, End Point Management, Runtime Policy Provisioning, Custom Policy Management, Version Management.]
41. Service Virtualization
Purpose:
To compose task-specific “virtual” services from existing services.
Features:
Ability to consolidate one or more operations from different services into one
Create skeleton services from WSDL
Auto generation of WSDL for a new virtual service
42. Message Brokering
Purpose:
To deliver service based on business or compliance criteria
Features:
Routing rules based on content/context
Transform inbound request / outbound response
Logging, monitoring, alerting
SLA management
Mediate across different transport protocols (HTTP-to-JMS, JMS-to-HTTP or custom)
43. Policy provisioning
Purpose:
Provisioning of operational and compliance policy
Features:
Auto enforcement of policies on new services
Auto adaptation of client to new policy requirements
Auto provisioning of policy based upon change in service profile
44. Version Management
Purpose:
To allow smooth evolution of production systems
Features:
Publication of multiple versions of the same service simultaneously
Transparent rolling upgrades to published service
Backward compatibility
Version based routing
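As an added example, not code from the original deck, the Python script below combines the two run-time features of slides 42 and 44 in one ESB-style mediator: routing chosen from message context (a requested version header) and content (a rule on the caller's tier), inbound/outbound transforms, a per-message trace for monitoring, and two versions of one service published side by side so that a version can be retired in a rolling upgrade while legacy callers keep working through a backward-compatibility adapter. The service names, message fields, routing rule and the "highest version wins" default are all constructed for illustration.

```python
# Added example (not from the original deck): an ESB-style mediator with
# content/context routing, transforms and side-by-side service versions.
# OrderService, its message shapes, the rule and the endpoints are constructed.
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("esb")

# Two published versions of the same back-end service, simulated as functions.
# v2 renamed "cust" to "customerId" and requires a "currency" field.
def order_service_v1(msg):
    return {"status": "accepted", "cust": msg["cust"], "version": "1.0"}

def order_service_v2(msg):
    return {"status": "accepted", "customerId": msg["customerId"],
            "currency": msg["currency"], "version": "2.0"}

# Backward-compatibility adapters so v1-shaped traffic can be served by v2.
def v1_to_v2_request(msg):
    out = dict(msg)
    out["customerId"] = out.pop("cust")
    out.setdefault("currency", "USD")   # constructed default for legacy clients
    return out

def v2_to_v1_response(resp):
    return {"status": resp["status"], "cust": resp["customerId"], "version": resp["version"]}

class Mediator:
    def __init__(self):
        self.endpoints = {}   # (service, version) -> handler; several versions live at once
        self.rules = []       # (predicate(headers, body), version), evaluated in order
        self.trace = []       # one record per mediated message, for monitoring

    def publish(self, service, version, handler):
        self.endpoints[(service, version)] = handler

    def retire(self, service, version):
        self.endpoints.pop((service, version), None)

    def add_rule(self, predicate, version):
        self.rules.append((predicate, version))

    def _select_version(self, service, headers, body):
        # 1. context: an explicitly requested version wins if it is still published
        wanted = headers.get("version")
        if wanted and (service, wanted) in self.endpoints:
            return wanted
        # 2. content/context rules
        for pred, version in self.rules:
            if pred(headers, body) and (service, version) in self.endpoints:
                return version
        # 3. default: highest published version (string compare is fine for "N.0")
        versions = [v for (s, v) in self.endpoints if s == service]
        return max(versions) if versions else None

    def route(self, service, headers, body):
        version = self._select_version(service, headers, body)
        if version is None:
            raise LookupError(f"no endpoint for {service}")
        handler = self.endpoints[(service, version)]
        legacy_shape = "cust" in body and "customerId" not in body
        adapt = legacy_shape and version == "2.0"
        request = v1_to_v2_request(body) if adapt else body      # inbound transform
        response = handler(request)
        if adapt:
            response = v2_to_v1_response(response)               # outbound transform
        record = {"service": service, "requested": headers.get("version"),
                  "served": version, "transformed": adapt}
        self.trace.append(record)
        log.info("%s", record)
        return response

def build_demo():
    """Constructed setup: both versions published, premium callers pinned to v2."""
    esb = Mediator()
    esb.publish("OrderService", "1.0", order_service_v1)
    esb.publish("OrderService", "2.0", order_service_v2)
    esb.add_rule(lambda h, b: h.get("tier") == "premium", "2.0")
    return esb

if __name__ == "__main__":
    esb = build_demo()
    print(esb.route("OrderService", {"version": "1.0"}, {"cust": "C1"}))
    print(esb.route("OrderService", {"tier": "premium"}, {"customerId": "C2", "currency": "EUR"}))
    esb.retire("OrderService", "1.0")   # rolling upgrade: v1 caller still served via the adapter
    print(esb.route("OrderService", {"version": "1.0"}, {"cust": "C3"}))
```

The trace records both the version the caller asked for and the one actually served, which is the data an SLA or compatibility report needs when a version is being retired.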
45. Custom Management
Purpose:
Template based approach to policy management
Features:
Custom policy libraries for specific management needs
Content, context or custom instrumentation based approach to any domain- or application-specific policy
Reuse of custom policies across multiple applications or SOA projects
46. End Point Management
Purpose:
Fine-grained control of the services deployed in each container
Features:
Managed endpoints for each service
Special purpose end points based on type of usage (secured/unsecured)
Load balancing/fail over for highly available end points
47. Upgrade Time Considerations
• Understand inter-service relationships and dependencies
• Analyze the impact of changing a Web Service in a runtime environment
• Complexity of rolling out a service in a runtime environment
• Service custody transfer
• Changes to existing SLAs and policies
48. Automating Governance
Design Time
Code analysis
Content Validation
Run Time
WS-I compliance
Usage of predefined schema
Usage of specific transport
Automated policy discovery/provisioning
Change Time
Monitoring and measurement of SLA metrics (response time, availability, or throughput of service)
50. Role of ESB in Governance
• Security
  - Ensure privacy, authenticity, authorization and auditing of all messages exchanged
• Mediation
  - Policy based mediation (protocol/invocation)
• Management
  - Holistic view of transactions that pass through
  - Intercept service calls
52. Service Registry
[Diagram: an SOA Registry built on UDDI (Universal Description Discovery and Integration): the UDDI API sets (Web service access) and the UDDI Schema (metadata standard), holding SOA metadata: Business Policy, Policies, Taxonomy, Association, Dependencies, Configurations, Subscription, Service Information, Provider Information.]
53. Service Repository
[Diagram: SOA Repository common features: Design Time Policy Libraries, WSDL Libraries, Message Logs, Run Time Policy Libraries, Performance Info, Extensions, Run Time Event Notification, Reports, Dashboards, Blogs, Wikis.]
56. SOA Governance Checklist - 1
• Registry/Repository:
  Service meta-data setup and validation
  Service relationship and dependency management
• Access to Service:
  Workflow based request process
  User configurable policies
57. SOA Governance Checklist - 2
• Publishing Service
  Workflow based notification
  WSDL validation and conformance reporting
  Wizards for publication
• Delivery of Service
  Provider/consumer binding
  SLA enforcement, versioning, deployment
  Centralized monitoring
59. SOA Governance Checklist - 4
• Replication strategy
  Selective synchronization/promo.
  Master/Slave based
• Enforcement of Security
  Role based ACL
  Fixed and configurable roles
  Support for LDAP
• Interoperability
  Handling any URI data types
  Java Rule Engine API
60. Analysts Comments:
• “The governance of objects and components is relatively straightforward: We create the gadget and put into a repository and fix it when we need to.”
  Carl Lentz - Panelist - The Role of Objects in a Services-obsessed World - ACM, 10/2007
• "Enterprise governance models, early adopters are implementing organizations whose focus is to advance SOA adoption."
  Rajeev Mahajan - Practice Manager - The Service Integration Maturity Model: Achieving Flexibility in the Transformation to SOA - IEEE, 9/2006
63. Challenges of SOA Governance
• Enforcing compliance:
  - How to make sure that policies and procedures are being followed at design time as well as runtime?
  - What are the incentives for compliance?
• Seems counterintuitive:
  - If the SOA foundation lies in loose coupling and flexibility, why do we need centralized control?