Policy Types

[Don Flinn <flinn@alum.mit.edu>]

As defined in Fig 46 pp 74  - Policy is either a permission or an obligation

I believe that certain business policies do not fit within either policy 
class.  There are machine readable policies that mandate that a computer 
follow a specific course of action depending on the state of the 
ecosystem.  While there may be an obligation on the policy writer to 
write a policy to follow certain criteria, the policy writen for the 
machine has no such abiguity.   An obligation is the act of binding 
oneself (in the service case, itself) to follow a particular course of 
action, which the service may or may not do.  Given a particular state 
of the ecosystem the machine MUST follow the course of action dictated 
by the policy.

For example:
A company has a policy that states; if the order flow is greater than 
some number, orders MUST go to warehouse B else they MUST go to 
warehouse A. This is not a permission and I have a hard time conceiving 
this as an obligation.   In my example the service has no choice but to 
use the given address / endpoint depending on the state of the 
ecosystem.  So it seems to me that the positive & negative policy 
constraints are aggregates of permissions, obligations and what I'll 
tentively call - instructions.

One of the purposes of SOA is to facilitate the replacement of humans by 
machines.  In order to do this, the machines must be made more 
"intelligent", i.e. they must be able to autonomously handle variations 
in the ecosystem, as far as possible.  Properly written business 
policies support this.

I believe that the number of business policies giving direction and 
instructions to the machines to cope with varying circumstances will be 
in the majority. 

Don

-- 
Don Flinn
President
Mansurus LLC
e-mail: flinn@alum.mit.edu
Tel: 781-856-7230
http://mansurus.com