The standard introduction to an article defining anything is to say that there are as many definitions as there are people doing the defining. But in the case of SOA governance, that does not appear to be true. The thought leaders contributing to this article, while taking different looks at the topic, are all pretty much in agreement about the nature of governance and how to implement it.
Jason Bloomberg, Senior Analyst, ZapThink LLC
Enterprise or corporate governance is the ability for executive management to create policies that apply to their organizations, communicate those policies, provide employees with the tools they need to comply with those policies, enforce those policies, obtain visibility into levels of compliance and mitigate any deviations from corporate policy.
SOA governance has two related, but different definitions: first, how to provide for governance of SOA initiatives within the context of IT and second, how the transition to service-oriented approaches affects the broader area of corporate IT governance. IT governance describes how people entrusted with the authority over some aspect of the business will consider IT in their supervision, monitoring, control and direction of that business entity. IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
As the IT resources business users require become more flexible and generally better able to meet an increasingly broad range of business needs, IT becomes inextricably intertwined in the daily operations of the business. In such a situation, enterprise architecture becomes a critical enabler of governance, and as companies adopt SOA as enterprise architecture, SOA governance becomes the primary way that companies can establish principles for the control of their organizations.
SOA governance, in addition to the more traditional human-based SDLC checkpoints and role-based review signoffs, focuses on the creation, communication and enforcement of service policies. Service policies are metadata that consist of a set of constraints and capabilities that govern how services and their consumers interact. Simple policies typically include rules describing who can access a service and what credentials they need, how messages should be routed to the service and what service-level agreements (SLAs) apply to the service.
SOA governance requires that organizations take business policies, typically in written form, and transform them into metadata-based rules that can help automate the process of validating and enforcing compliance with those policies in both design time and runtime environments. Companies must then manage policies through their entire lifecycle. In general, policy lifecycle management within SOA focuses on ensuring the quality, performance and applicability of available services, enabling service consumers to discover and reuse services as well as other artifacts, managing service versions, handling the security of services and other SOA artifacts, and assessing and managing the impact of change across all service consumers. Managing policies also includes providing visibility into whether people are following policies, as well as handling policy infractions. Such policy management tasks are also an inherent aspect of IT governance.Building on the OASIS SOA Reference Model
Miko Matsumura, Vice President of Product Marketing, SOA, webMethods, Inc., and founder of SOA Link, the governance and interoperability industry group
Governance: is the art and discipline of managing outcomes through structured relationships, procedures and policies.
Now to be absolutely clear and fair, this definition is a wide ranging one that could be applied to running an SOA, a nation or a candy store. If you wanted to be a bit more fair, here is my definition of SOA Governance, which borrows significantly from the definition of SOA from the OASIS Standards SOA Reference Model:
"Service-oriented architecture is a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains. It provides a uniform means to offer, discover, interact with and use capabilities to produce desired effects consistent with measurable preconditions and expectations."
Now there are a lot of lovely and subtle points to this definition. First of all, the OASIS definition of SOA expressly suggests that the "distributed capabilities" may be under the control of different ownership domains. The OASIS definition of SOA also holds that the purpose is "to produce desired effects consistent with measurable preconditions and expectations."
What I find lovely and wonderful about this particular definition of SOA is that the "shadow" of SOA Governance appears within the very definition used by the OASIS TC.
If you combine my definition of "governance" with the OASIS definition of SOA -- you get a nice meshing whereby SOA governance comes to mean:
SOA Governance: the art and discipline of managing outcomes consistent with measurable preconditions and expectations through structured relationships, procedures and policies applied to the organization and utilization of distributed capabilities that may be under the control of different ownership domains.
This definition has intentional ambiguity along the lines of the phrase "distributed capabilities." If you read "distributed capabilities" as "services," then you have a potentially federated governance scenario with possibly different ownership domains all working together to produce outcomes. But if you read "distributed capabilities" as the capabilities of distributed groups of people, then you have a more lifecycle scenario. This ambiguity of the phrase "distributed capability" is not implicit in the SOA RM definition, however, the ambiguity enables this definition of SOA Governance to be elegantly brief, but inclusive of multiple valid interpretations. To eliminate the ambiguity, you may choose a phrase such as "SOA Governance and Lifecycle Management," which then allows you to break lifecycle management out as a separate orthogonal issue.
Now, worth noting here as well is that the management of outcomes involves marshalling resources and that policies philosophically speaking are the lynchpin of the whole shebang. Because relationships are "structured" as a function of the organizational policy, and any procedure used to manage outcomes is likely to stem from a set of policies. So really, policy is the "high order bit." That said, structured relationships, procedures and policies are all explicitly called out in this definition in order for general readers to understand that there are human as well as machine-enforced policies and that SOA has as much to do with marshalling human organizational resources as well as machines.A decision rights and accountability framework
Ian Goldsmith, Vice President of Product Marketing for SOA Software Inc.
SOA Governance can be thought of as a decision rights and accountability framework specifying a set of domain-specific extensions to commonly utilized IT Governance methodologies, such as ITIL (IT Infrastructure Library), COBIT (Control Objectives for Information and related Technology), etc., combined with the effective operationalization of processes and supporting systems required to encourage the desirable behavior of participating constituents in the use of IT-enabled capabilities in a service-oriented enterprise environment.
In short, we can describe SOA Governance as:
- The structures we use to create balance between constituent needs typically satisfied by an SOA CoE (Center-of-Excellence)
- The mechanisms utilized to achieve visibility and control typically satisfied by a comprehensive SOA infrastructure suite
- The key decisions we make, record and then digitally execute in support of the guiding principles for an IT organization in the form of design time, change time and runtime policies
Alan Himler, CEO, LogicLibrary Inc.
Effective governance enables standardized definition and delivery of assets, services, reusable knowledge and executable software assets, by providing configurable and automated governance processes over the production and consumption of those assets.
Key elements that must be in place to enable governance include:
- Configurable asset metadata assembly validation, and review
- Passive and active distribution modes
- Metadata validation and enforcement points per asset type
- Automatic creation of audit trails for review activities
- Configurable (manual or automatic) asset publication/consumption scenarios
- Automated search notifications for asset creation/update