Business policy modeling and enforcement in databases

Abstract

Database systems are the central information repositories for businesses and are subject to a wide array of policies, rules and requirements. The spectrum of business level constraints implemented within database systems has expanded from classical access control to include auditing, usage control, privacy management, and records retention. The lack of a systematic mechanism of integrating and reasoning about such a diverse set of policies manifested as database level constraints makes corporate policy management a chaotic process. In this paper we propose a general purpose policy modeling and constraint management framework that can integrate numerous aspects of business level requirements within database systems. Our proposed solution relies on a finite state modeling language for business level policies, in which users can declaratively express rules related to the normal workflow of a business process as well as specifying any undesirable states of business objects contained in a database system. The proposed system is then able to translate these policies into low level temporal integrity constraints that prevent policy violations and ensure that business objects and artifacts follow their mandated lifecycles. A formal layer for reasoning allows policy makers to discover unenforceable and conflicting policies, providing the basis to guarantee compliance for a wide array of rules that may need to be enforced on complex business objects stored in relational database systems.