Figure 1. Typical SOA This diagram shows how security requirements are mapped to a typical SOA. It shows Web services deployed at the consumer and access layers (through Web portals where end users interface indirectly with Web services and in application-to-application communication where no end user is involved) and at the services layer (across an XML message bus or other type of orchestration engine). At the systems layer, business applications have security profiles that must be mapped to the end users or Web service client applications.