Users of the contract document management application, branch administrators, will have a sheaf of contract documents on their desks and a salesperson in their office, and will want to record that they are giving the documents to the salesperson. So, they enter the salesperson’s name or employee number into the application. At that point, the application, which, we remember, runs within the branch administration boundary of trust, will go to the employee service on the boundary of trust encapsulating the human resource management system, and say, “if you trust me, then take this name or employee number that I am offering to you, see if you recognize the employee the name or number refers to, and return the data for the one or more employees that match those identifying criteria.” The employee service will confirm that the request originates from a source that it trusts, and reply with the requested employee data. Back inside the contract document management application, the branch administrator picks the right salesperson from among the one or more for which the employee service provided data, enters the serial numbers of the documents being issued to the salesperson, and asks the application to record to whom the documents have been issued. And that is where things get interesting.
What exactly is our application to record? The document serial numbers, obviously, and the date and time of their having been issued, but what should it use to remember which employee received the documents? Well—and this is crucial—what it should record would depend on the service agreement between the branch administrators, who own the contract document data, and the human resource managers, who own the employee data. If that agreement says that the human resource managers promise that employee numbers will always uniquely identify the data for the same employee, then we can record the employee number as if it were a foreign key into an employee table within our own application. The agreement might be more complex, though. It might state that employee numbers will uniquely identify the data for a given employee, but provide no guarantee that an employee number will always be valid, allowing for the possibility of the data for an employee being deleted. An even more elaborate agreement might be that the human resource management system will undertake to notify the contract document management system if an employee number is about to be invalidated; it might even promise to refrain from invalidating the employee number if it is in use in the contract document management system.
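The sketch below is an added example, not code from the application described here. It models the trusted lookup and what happens to a recorded employee number under three of the agreements above: the always-valid promise, the no-validity guarantee, and the promise not to invalidate a number that is in use. All class and method names are hypothetical, the caller is identified by a plain string rather than a real authentication mechanism, and the employee data is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Agreement(Enum):
    STABLE = auto()          # a number always identifies the same employee
    MAY_DELETE = auto()      # numbers are unique, but may stop being valid
    PROTECT_IN_USE = auto()  # service will not invalidate a number in use

class Refused(Exception):
    """Raised when the employee service declines a request."""

@dataclass
class EmployeeService:       # lives inside the HR boundary of trust
    agreement: Agreement
    trusted: set             # callers whose requests the service accepts
    employees: dict          # employee number -> name
    in_use: set = field(default_factory=set)

    def find(self, caller, name_or_number):
        if caller not in self.trusted:
            raise Refused(f"untrusted caller: {caller}")
        return {n: e for n, e in self.employees.items()
                if name_or_number in (n, e)}

    def register_use(self, caller, number):
        if caller not in self.trusted:
            raise Refused(f"untrusted caller: {caller}")
        self.in_use.add(number)

    def invalidate(self, number):
        if self.agreement is Agreement.STABLE:
            raise Refused("agreement promises numbers stay valid")
        if self.agreement is Agreement.PROTECT_IN_USE and number in self.in_use:
            raise Refused(f"{number} is referenced by another system")
        self.employees.pop(number, None)

@dataclass
class ContractDocuments:     # lives inside the branch administration boundary
    hr: EmployeeService
    issued: list = field(default_factory=list)
    caller_id: str = "contract-docs"

    def issue(self, number, serials, when):
        if number not in self.hr.find(self.caller_id, number):
            raise ValueError(f"unknown employee {number}")
        self.hr.register_use(self.caller_id, number)
        self.issued.append({"employee": number, "serials": serials, "at": when})

    def recipient(self, record):
        """Resolve the stored number; None means the reference now dangles."""
        return self.hr.find(self.caller_id, record["employee"]).get(record["employee"])
```

Under `MAY_DELETE`, `recipient` returns `None` once human resources deletes the employee, which is the case the stored number alone cannot cover.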