OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

soa-rm-ra message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [soa-rm-ra] Policy Types

Looking at the constraint:

> A company has a policy that states; if the order flow is greater than 
> some number, orders MUST go to warehouse B else they MUST go to 
> warehouse A.

The following is an example yes/no policy constraint to point out the
difference between a grant/deny and the order flow example:

If a participant is authenticated and has a role of admin, then they
have access to administrative functions.
Where the orders must go is a statement about the future which fits into
the definition of an obligation for the RA.  There could be two
interpretations about how to handle the obligation in Figure 48.  The
obligation could be handled by the Enforcement Point or the Measurement
Point.  I would argue that the programming logic to handle the order
flow example would be classified as part of the Enforcement Point rather
than Measurement Point because the order policy statement is more about
enforcing the obligation than about measuring and monitoring the

If I were to implement the order flow example, the programming logic
would have to be coded such that a change in policy could determine
which warehouse the order goes to.  As a programmer, if I am going to
allow a policy to determine the destination warehouse then I would
program a call to the decision point where order number is a variable
for the decision point.  I would then have to program something to
handle the behavior based on what could be returned as an obligation. 
As a policy writer, I could list obligations for warehouse A and
warehouse B based on order number.  The ability to do this is dependent
on the expression of the policy language.

In the implementation of a system with policy guided behavior, the
software developers and policy writers have to make discretionary
decisions about what business logic will be handled by the developers
and what business logic will be handled in policy.  


-------- Original Message --------
Subject: [soa-rm-ra] Policy Types
From: Don Flinn <flinn@alum.mit.edu>
Date: Sun, June 01, 2008 4:22 am
To: soa-rm-ra <soa-rm-ra@lists.oasis-open.org>

As defined in Fig 46 pp 74 - Policy is either a permission or an

I believe that certain business policies do not fit within either policy

class. There are machine readable policies that mandate that a computer 
follow a specific course of action depending on the state of the 
ecosystem. While there may be an obligation on the policy writer to 
write a policy to follow certain criteria, the policy writen for the 
machine has no such abiguity. An obligation is the act of binding 
oneself (in the service case, itself) to follow a particular course of 
action, which the service may or may not do. Given a particular state 
of the ecosystem the machine MUST follow the course of action dictated 
by the policy.

For example:
A company has a policy that states; if the order flow is greater than 
some number, orders MUST go to warehouse B else they MUST go to 
warehouse A. This is not a permission and I have a hard time conceiving 
this as an obligation. In my example the service has no choice but to 
use the given address / endpoint depending on the state of the 
ecosystem. So it seems to me that the positive & negative policy 
constraints are aggregates of permissions, obligations and what I'll 
tentively call - instructions.

One of the purposes of SOA is to facilitate the replacement of humans by

machines. In order to do this, the machines must be made more 
"intelligent", i.e. they must be able to autonomously handle variations 
in the ecosystem, as far as possible. Properly written business 
policies support this.

I believe that the number of business policies giving direction and 
instructions to the machines to cope with varying circumstances will be 
in the majority. 


Don Flinn
Mansurus LLC
e-mail: flinn@alum.mit.edu
Tel: 781-856-7230

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. You may a link to this group and all your TCs in

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]