Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News SOA Governance Revisited

SOA Governance Revisited

This item in japanese


Despite increased adoption, many of the SOA projects are still failing. Things are often getting so bad - there was a recent article with a catchy name SOA or DOA, where DOA stands for "Dead on Arrival". One of the ways to improve this situation is proper proper SOA governance

Rescent Muhammed Yaseen Muriankara’ article - SOA governance framework and solution architecture defines 3 basic level of governance. Enterprise governance is

establishing chains of responsibility, authority, and communication to empower people and establishing measurement, policy and control mechanisms to enable people to carry out their roles and responsibilities

The subset of the enterprise governance is IT governance

aspects of governance that pertain to an organization's information technology processes and the way those processes support the goals of the business

Finally SOA governance is defined as

a specialization of IT governance that puts key IT governance decisions within the context of the life cycle of service components, services, and business processes. It is the effective management of this life cycle that is the key goal to SOA governance

The article presents methodology and model for adopting SOA governance from IBM which is called the SOA Governance and Management Method (SGMM). The methodology documented using IBM Rational® Method Composer and is available for download.

. SGMM is build around service lifecycle and covers the following:

Service definition

The most fundamental aspect of SOA governance is overseeing the creation of services. Services must be identified, their functionality described, their behavior scoped, and their interfaces designed.

Service testing

SOA increases the opportunity to test functionality in isolation and increases the expectation that it works as intended. However, SOA also introduces the opportunity to retest the same functionality repeatedly by each new consumer who doesn't necessarily trust that the services it uses are consistently working properly. Meanwhile, because composite applications share services, a single buggy service can adversely affect a range of seemingly unrelated applications, magnifying the consequences of those programming mistakes.

Service deployment life cycle

Services don't come into being instantaneously and then exist forever. Like any software, they need to be planned, designed, implemented, deployed, maintained, and ultimately, decommissioned. The application life cycle can be public and affect many parts of an organization, but a service's life cycle can have even greater impact because multiple applications can depend on a single service.

Service versioning

Service versioning enables users satisfied with an existing service to continue using it unchanged yet allows the service to evolve to meet the needs of users with new requirements. The current service interface and behavior is preserved as one version, while the newer service is introduced as another version.

Service ownership

An SOA should reflect its business. Usually this means changing the SOA to fit the business, but in some cases, it may be necessary to change the business to match the SOA. When this is not possible, increased levels of cooperation are needed between multiple departments to share the burden of developing common services. This cooperation can be achieved by a cross-organizational standing committee that, in effect, owns the services and manages them.

Service security

SOA creates services that are easily reusable, even by consumers who ought not to reuse them. Even among authorized users, not all users should have access to all data the service has access to. Some consumers of a service have greater needs than other consumers of the same service for data confidentiality, integrity, and nonrepudiation.

Service monitoring

A composite application, one that combines multiple services, is only as reliable as the services it depends on. Since multiple composite applications can share a service, a single service failure can affect many applications. SLAs must be defined to describe the reliability and performance consumers can depend on. Service providers must be monitored to ensure that they're meeting their defined SLAs.

An article describes not only a methodology for SOA governance, but also a set of tools (Governance platform), allowing to support and automate, at least partially, many of the governance processes.

Some of the minimum required automation capabilities for a startup project include:
  • A centralized registry and repository to find and publish the service related artifacts and metadata. This is necessary to:
    • Find the right authorized service.
    • Avoid duplication of effort.
    • Encourage reuse.
    • Identify the current state of service in the SOA life cycle.
    • Provide visibility to subscribers of the services.
    • Find related services and the impact of changing a service.
    • Communicate changes done to the service.
  • A mechanism to relate and enforce policies applicable for a service. The policies are defined by using the governance framework.
  • A customizable life cycle-aware system that triggers validations on the change of phase within the life cycle so that phase-by-phase governance validations can be automated.
  • The registry should ideally be SOA run time optimized so that the metadata stored in the registry can be used to provide enrichment via dynamic routing during run time.

The article itself and a list of references are a good read for everyone involved in SOA implementation and more specifically in the SOA governance.

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • dynamic routing

    by Dan Diephouse,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    The registry should ideally be SOA run time optimized so that the metadata stored in the registry can be used to provide enrichment via dynamic routing during run time.

    "SOA run time optimized" - what does that even mean?

    Also, how many people actually do dynamic routing during runtime? Load balancing is one thing, but picking a service out of the blue is another. In most production deployments it seems like you'd want to know *exactly* what service you're using. A random service could be extremely dangerous and break your application. Are people actually using this? And how?

  • Muhammed does a nice job...

    by Andrew Dennis,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    of framing IBM's SOA Governance and Management Method. Boris, I like your "SOA or DOA" point and your highlighting the definition of SOA Governance. Should you have an interest in additional SOA Governance definitions and metaphors, take a look at this:

    SOA Governance Definitions:

    SOA Governance Metaphors:



Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p