
Logic, Constraints, and Active Database Systems

At this juncture we move from modeling of policies to enforcement of constraints in a database system. Note that there are several ancillary issues across the policy lifecycle that we have not yet addressed directly. Conflict detection and resolution are examples of problems that can either be addressed during the policy modeling phase or left for the execution engine as a run-time enforcement issue. More often than not, one of the fundamental objectives of having a logical policy model in the first place is to detect (or prevent) as many conflicts as possible before implementation. The role of the implementation engine in such cases is to cater to the exceptional situations where the model is not able to provide conclusive answers.

A more concrete example is that of a file on disk for which an operating system is managing permissions. A user- and group-based policy model may allow the group called “Administrators” access to an object and deny access to a particular user “John” for the same object. A trivial conflict could occur if John ever becomes part of the Administrators group, and consequently a logical policy model often comes with resolution mechanisms, such as giving preference to negative authorizations. We will examine several such issues throughout this thesis (conflict detection specifically in Chapter 5). In this section we present a broader examination of the logics behind policy modelling, constraints, and methods of enforcement in database systems.

Active Database Systems

An active database system is a DBMS with support for event detection (monitoring) combined with the facility to execute transactions autonomously [119]. Such a system is fundamental to the continuous monitoring of business rules and their enforcement. During the 1990s, active databases received significant attention from the database research community, and many prototypes such as Ariel [73], Starburst [171], SAMOS [68], HiPAC [47] and ODE [98] were used to demonstrate the applicability and practicality of triggers as a means for offering event-driven transaction processing. As a result of that research, most modern relational database systems today support the notion of triggers. A trigger is a pre-programmed transaction that can be invoked when a particular condition in the database is met. User-programmed triggers can also be executed based on temporal and periodic conditions as well as when certain failure conditions are met. Research related to trigger termination and confluence that emerged during the 1990s forms the basis of reasoning over a set of event-condition-action (ECA) rules in a database. Since the solidification of the SQL3/SQL:1999 standard, triggers have become the de facto means of supporting user-programmed ECA rules within a database system [30].

Automatic generation of triggers to enforce rules in a database system is not a novel concept. Many of the fundamental constraints pertaining to data integrity, such as primary key, foreign key, uniqueness, and domain constraints, are, in fact, no different from triggers on top of relational tables [38]. Even if not explicitly employed by users, triggers are often transparently defined by a database system to monitor integrity constraints [31] and for the incremental maintenance of materialized views [72]. The use of triggers as a means to implement business-level policies has also seen widespread adoption [30, 144, 95], and today most commercial database systems have extensive support for user-programmable triggers. In addition to supporting business rule enforcement, the most common uses of database triggers include alerting, replication (copying modified data to other locations), auditing (keeping a secure history of updates), and even logging access control events [30]. Although the research in this thesis does not directly concern itself with the implementation of an active database system, it relies heavily on the fundamental framework for event-condition-action-based rule checking provided by database systems. We believe that for a policy modeling framework to be useful, it must in some way have a direct (and preferably fully automatable) implementation path to be written as enforceable rules (triggers) within a database system. Furthermore, we will rely on prior literature to propose optimizations of business policies, discover conflicts, and propagate knowledge about policies (as manifested as triggers/rules) back up to the business-level modeling layer.

Since the proposed policy modeling language of choice in this thesis is first order temporal logic of the past and its metric extensions, the work of Chomicki [33] and Toman and Chomicki [154, 34] is of significant importance, as it lays down the foundations of efficiently implementing first order linear temporal integrity constraints within relational database systems. It is worth acknowledging that the aforementioned works still remain state of the art in describing the limits of the types of database level constraints that can be efficiently enforced and the compromise between auxiliary space and efficiency that needs to be made during implementation. The performance results presented in this thesis (Chapter 4) serve as yet another practical validation of the above works.
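The two preceding paragraphs describe triggers as the enforcement path for ECA rules and the auxiliary-space versus efficiency trade-off in implementing past-time temporal constraints. The following is an added illustration (not code from the thesis or from any of the cited systems) using Python's built-in sqlite3 module: a past-only constraint, "an order may enter state shipped only if it was once in the past in state paid", is enforced by a BEFORE INSERT trigger. Rather than scanning the full history on every event, a second trigger maintains an auxiliary relation of orders that have ever been paid, so the check is a single lookup. The table, column and state names are constructed for this example.

```python
"""ECA trigger enforcing a past-time constraint over an order history (sqlite3).

Event:     a row is appended to order_history.
Condition: the new state is 'shipped' and the order was never 'paid'.
Action:    abort the transaction.

The auxiliary relation aux_once_paid materialises the past-time operator
"once paid" so that the condition costs one indexed lookup instead of a scan
of the whole history.  All names and sample data are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE order_history (
    order_id INTEGER NOT NULL,
    state    TEXT    NOT NULL,
    ts       INTEGER NOT NULL          -- event time, increasing per insert
);

-- Auxiliary relation: one row per order that has ever been in state 'paid'.
CREATE TABLE aux_once_paid (
    order_id INTEGER PRIMARY KEY
);

-- Enforcement trigger: reject 'shipped' unless 'paid' occurred earlier.
CREATE TRIGGER enforce_paid_before_shipped
BEFORE INSERT ON order_history
WHEN NEW.state = 'shipped'
 AND NOT EXISTS (SELECT 1 FROM aux_once_paid WHERE order_id = NEW.order_id)
BEGIN
    SELECT RAISE(ABORT, 'constraint violated: shipped before paid');
END;

-- Maintenance trigger: keep the auxiliary relation in step with the history.
CREATE TRIGGER maintain_once_paid
AFTER INSERT ON order_history
WHEN NEW.state = 'paid'
BEGIN
    INSERT OR IGNORE INTO aux_once_paid(order_id) VALUES (NEW.order_id);
END;
"""


def new_db():
    """Create an in-memory database with the history table and triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, order_id, state, ts):
    """Append one state transition.

    Returns True if the row was accepted and False if the enforcement trigger
    aborted the transaction (sqlite3 surfaces RAISE(ABORT) as an exception).
    """
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO order_history(order_id, state, ts) VALUES (?, ?, ?)",
                (order_id, state, ts),
            )
        return True
    except sqlite3.DatabaseError:
        return False


def run_scenario():
    """Constructed history: order 1 is paid before shipping, order 2 is not."""
    conn = new_db()
    accepted = [
        record(conn, 1, "created", 1),
        record(conn, 1, "paid", 2),
        record(conn, 1, "shipped", 3),   # allowed: 'paid' is in the past
        record(conn, 2, "created", 4),
        record(conn, 2, "shipped", 5),   # rejected: order 2 was never paid
    ]
    rows = conn.execute("SELECT COUNT(*) FROM order_history").fetchone()[0]
    conn.close()
    return accepted, rows


if __name__ == "__main__":
    print(run_scenario())
```

The rejected insert leaves no trace in order_history because the BEFORE trigger aborts the statement; the auxiliary table grows by at most one row per order, which is the space paid for avoiding a history scan on each shipped event.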

Temporal Logic and Policy Models

Research pertaining to the use of temporal logics in computer science has spanned a period of over five decades. However, among the various fragments, the linear propositional fragment of temporal logic (LTL) has received significantly more attention than others. The popularity of LTL is attributable not only to the fact that computer aided verification and model checking have their theoretical underpinnings in LTL, but perhaps also to the simplicity and elegance of LTL. The decidability of propositional LTL was first shown to be PSPACE-complete by Sistla and Clarke [147]. Recent results have identified several broader classes of first order metric monodic variants of temporal logic as being decidable [118, 79]. This thesis directly uses these results to make claims about several problems, such as conflict detection within a constraint system. A reader who appreciates topics such as satisfiability and decidability of logics will consequently appreciate the reduction of several problems in constraint management to these well studied problems. A large body of work in the area of policy specification using temporal logic, including this thesis, is motivated by the classical work of Lamport (Temporal Logic of Actions [97]) and by the seminal work of Pnueli [123, 122].

Using LTL as a policy level tool for specifying temporal access control restrictions [88] and determining regulatory compliance using historical audit logs [57] have received varying degrees of attention from researchers. More recently, there has been a push to use metric first order temporal logic as a unifying layer of policy that is able to support obligation modeling, Chinese Wall policies, and even data retention policies [19]. However, to the best of our knowledge, no prior approaches have looked at the problem of integrating data models and process models to enforce process centric temporal integrity constraints within database systems. As we shall see in subsequent chapters, there are many challenges faced when porting a logical policy model into its implementation, which prior works have failed to address.
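The paragraph above cites checking regulatory compliance over historical audit logs with LTL. As an added example (not code from the thesis or from the cited works), the block below implements the past-time operators used throughout this thesis, Y (previously), O (once in the past) and S (since), over a finite trace, and applies them to a constructed audit log with the compliance rule "every read of a record by a user is covered by an approval for that user that has not since been revoked", written as read → (¬revoke S approve). Event fields, action names and the log entries are constructed.

```python
"""Past-time LTL evaluated over a finite audit trace (constructed example).

A formula is a nested tuple; evaluate() returns its truth value at every
position of the trace in one pass per subformula.  Since each user/record
pair gives rise to its own propositional atoms, a first order policy over
(user, record) is checked by grounding it once per pair seen in the log.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # constructed timestamp, increasing
    action: str    # 'approve' / 'revoke' grant or withdraw access for user
    user: str      # for 'read', the reader; for approve/revoke, the grantee
    record: str


# Constructed audit log.
TRACE = [
    Event(1, "approve", "alice", "r42"),
    Event(2, "read",    "alice", "r42"),
    Event(3, "read",    "bob",   "r42"),   # bob has no prior approval
    Event(4, "approve", "bob",   "r42"),
    Event(5, "read",    "bob",   "r42"),
    Event(6, "revoke",  "alice", "r42"),
    Event(7, "read",    "alice", "r42"),   # alice's approval was revoked at 6
]


# Formula constructors.
def atom(pred):        return ("atom", pred)
def neg(f):            return ("not", f)
def conj(f, g):        return ("and", f, g)
def prev(f):           return ("Y", f)          # f held at the previous position
def once(f):           return ("O", f)          # f held at some position <= now
def since(f, g):       return ("S", f, g)       # g held at j <= now, f at all k in (j, now]
def implies(f, g):     return neg(conj(f, neg(g)))


def evaluate(formula, trace):
    """Return a list v with v[i] the truth of formula at trace position i."""
    op = formula[0]
    if op == "atom":
        return [bool(formula[1](e)) for e in trace]
    if op == "not":
        return [not x for x in evaluate(formula[1], trace)]
    if op == "and":
        a, b = evaluate(formula[1], trace), evaluate(formula[2], trace)
        return [x and y for x, y in zip(a, b)]
    if op == "Y":
        a = evaluate(formula[1], trace)
        return [False] + a[:-1]            # nothing precedes the first position
    if op == "O":
        a, out, seen = evaluate(formula[1], trace), [], False
        for x in a:
            seen = seen or x
            out.append(seen)
        return out
    if op == "S":
        a, b = evaluate(formula[1], trace), evaluate(formula[2], trace)
        out, holds = [], False
        for x, y in zip(a, b):             # holds_i = g_i or (f_i and holds_{i-1})
            holds = y or (x and holds)
            out.append(holds)
        return out
    raise ValueError(f"unknown operator {op!r}")


def policy_for(user, record):
    """read -> (not revoke) S approve, grounded for one (user, record) pair."""
    def is_(action):
        return atom(lambda e: e.action == action and e.user == user and e.record == record)
    return implies(is_("read"), since(neg(is_("revoke")), is_("approve")))


def violations(trace):
    """Timestamps at which the grounded policy is false for some (user, record)."""
    pairs = {(e.user, e.record) for e in trace}
    bad = set()
    for user, record in sorted(pairs):
        truth = evaluate(policy_for(user, record), trace)
        bad.update(e.ts for e, ok in zip(trace, truth) if not ok)
    return sorted(bad)


if __name__ == "__main__":
    print("policy violated at ts:", violations(TRACE))
```

Checking a past-only formula this way needs a single forward pass and constant state per operator, which is the property that lets such constraints be turned into incremental checks over a database history rather than re-evaluations over the whole log.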

Several researchers have examined the stark resemblance between the problems of model checking, satisfiability, and variants of the constraint satisfaction problem (CSP) [24, 169, 62]. The types of constraints examined in the work of Demri and D’Souza [50] are very similar to those that we examine in our work and that we expect to encounter in business situations. Their primary result shows that solving constraints specified in linear temporal logic over certain decidable SMT theories (more specifically the constraint systems (N, <, =) and (Z, <, =)) is equivalent in computational complexity to that of classic LTL satisfiability. The link between several problems in database systems and the constraint satisfaction problem is also well known to researchers. Many classical problems, such as containment for conjunctive queries and query answering using views, can be directly reduced to that of constraint satisfaction [166, 94]. Once again, we will rely on these classical results to answer several important questions about what class of process-centric constraints can be accommodated in our proposed model.

If we step further back, we can see that there is also a significant link between business process modeling techniques, such as workflows, and state machine oriented analytical techniques such as Markov modeling and Petri nets. Pesic and van der Aalst have examined this very resemblance between finite state machines and business process models [121]. However, because of their sheer complexity, these automata-theoretic models have had little or no impact on the process modeling community. With that being said, analysis of state oriented systems does relate directly to several problems in policy verification and must be considered when proposing and analyzing policy models.

Finally, in the context of our own work, we note that the notion of modeling a business situation as a state machine and then expressing (and checking) path constraints is very closely associated with formal verification and model checking [36, 22]. There is, in fact, a direct correspondence between traditional model checking of software systems (specifying invariants in linear temporal logic, checking for liveness and safety, etc.) and our proposed model for ensuring business process integrity. In the context of formal verification, the objective is to verify properties of a system over all possible runs. Although in our work the lines between a model and its properties (constraints) are blurred, there is a significant overlap in the context of identifying potential conflicts in the business lifecycle where a

Chapter 3

Policy Modelling for Relational Objects

3.1 Outline

In this chapter we propose a novel way of bringing together business processes and database constraints using first order temporal logic. In Section 3.2 we discuss the assumptions we are making about the business situations and databases that must hold for our policy modeling framework to function. In Sections 3.3 and 3.4 we present a formal description of our policy model and relate it to integrity constraints specified in linear temporal logic (LTL) over the history of business objects contained in a database.

Section 3.5 introduces our proposed state-oriented, graphical policy/process modeling technique for relational database systems (which we call the database constraint modelling language, or DCML). It is shown that the language is able to represent constraints specified in the past-only fragment of linear first order temporal logic. Section 3.6 discusses several novel aspects of the language and demonstrates, using micro-examples, that a broad class of process-oriented descriptions of business processes can be easily translated into DCML models. In Section 3.7 we revisit prior research that is most closely related to the language presented in this chapter and contrast its features with those of prior approaches. Finally, Section 3.8 concludes this chapter by summarizing its contents and discussing the next logical step of converting constraint models into actual implementable constraints.

Figure 3.1: A database is a reflection of the complete picture of a business