Chapter 7. Web Services Policy

There is a broad set of historical work in the area of computer systems and information policy. This includes different perspectives on how technical (IT) staff and business managers maintain and manage information systems. As the underlying technology evolves, so does the ability to use meta-information about those systems to help businesses and customers do more with the systems they have.

Much of the historical policy work has concentrated on the data management, systems configuration, and security areas. A business' need to manage the information and resources under its control often drives this focus. As businesses depend more on technology, their ability to control access to resources and enforce their administrative policies become central requirements. In a dynamic distributed environment, this includes the need to manage and distribute these policies only to authorized entities. Recently, government regulations have increased businesses' responsibility to protect consumer information from being distributed to third parties without the individual's consent. This new privacy legislation adds to the existing set of business requirements and introduces access to customer data (and metadata) as part of the information that is critical to the day-to-day management of the business.

In a service-oriented environment, service policies have a fundamental impact on interoperability. It's important to communicate to potential requesters any policies that a service provider enforces when those policies impact the interaction either because they require requesters to follow a specific behavior or a protocol or because they imply service-side behavior that impacts requester requirements or expectations (such as following a particular privacy policy). Service policies become a critical part of service descriptions, augmenting the basic WSDL functional description with a statement of nonfunctional service behaviors. As such, Web service policies support the development of service applications and provide the means to perform both development time and runtime service discovery and selection based on nonfunctional capabilities. For example, a service can be selected from among a list of functionally equivalent services based on its support for a specific privacy policy or the security guarantees it provides. The descriptive capability of policies, however, cannot be confined to services alone (although that will be the main focus of this chapter), but is required to annotate resources of different kinds, such as documents or document schemas.

The first set of Web Services Policy documents [WS-Policy, WS-PolicyAttachment, and WS-PolicyAssertions] was published in 2002. An updated set of two documents [WS-Policy and WS-PolicyAttachment] was published in September 2004. The modifications that were introduced into the new set clarify the processing and attachment models, while simplifying the policy syntax and defining how service policies can be represented and attached to services or resources in the context of the Web services framework. This chapter refers to these two specifications collectively as WS-Policy.