- Business Rules Governance and Management – Part I
- Business Rules Governance and Management – Part II – Definitions
- Business Rules Governance and Management – Part III – First Steps
- Business Rules Governance and Management – Part IV – Stakeholders
- Business Rules Governance and Management – Part V – Roles
- Business Rules Governance and Management – Part VI – Rule Life Cycle
- Business Rules Governance and Management – Part VII – Management Processes
- Business Rules Governance and Management – Part VIII – Access Control
- Business Rules Governance and Management – Part IX – Center of Excellence
- Business Rules Governance and Management – Part X – Best Practices
This post is part of a series on Business Rules Governance and Management for which the main article can be found here.
In the previous article of the series, we discussed some of the more important management processes that are required for good business rules management. One of the topics touched on in previous articles is who can do what, when, and the approval processes that go with it.
Security and access control can end up playing a vital role in the management processes relating to business rules. There are many ways that your organization may need to control access and security, but I will discuss two ways which should fit most organizations.
Controlling Access by Role
The list of roles created in previous steps, the life cycle of rules (states and transitions) and the processes might require that specific operations be restricted to people holding specific roles.
For example, it might be unwise to let anyone push rules to production. Was the rule tested? Is it giving the right results? Similarly, you may not want to let a Rule Administrator create or modify rules (their knowledge of the business and the rules might be insufficient).
Each organization will have different requirements for controlling this access. Each organization will also have a very different environment in which these controls need to be implemented (from a technical point of view). It is therefore important that these topics be discussed so that appropriate control mechanisms can be put in place.
Controlling Access by Subject Area
In your organization there may be a need to limit access to specific Subject Areas or groups of rules or rulesets.
For example, all users might have the right to read all the rules, but only users from the marketing and sales area can change the business rules related to marketing and sales. Or if you have multiple product lines, you may want to limit access by product line. You may even want to break it down by rulesets within a subject area. It all depends on your organization's needs, the size of the team you are dealing with, how you are organizing work related to business rules, etc.
The Business Rules Management System (BRMS) that your organization is using should ideally provide you with the tools or components required to fulfill your security requirements.
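To make the two controls above concrete, here is an added example (not code from this series or from any particular BRMS) of an authorization check that combines them: a role decides which operations a user may attempt, the rule's subject area scopes every write operation, and the rule's life-cycle state gates deployment so that only a tested rule can be pushed to production. The page names only the Rule Administrator role; the other role names, the subject areas, the rule states and the user records are constructed assumptions for illustration.

```python
"""Role- and subject-area-based access checks for business rules.

Hypothetical example: the roles other than 'Rule Administrator', the
subject areas and the rule states are constructed for illustration and
are not taken from any particular BRMS.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    DRAFT = "draft"
    TESTED = "tested"          # passed testing, eligible for deployment
    PRODUCTION = "production"
    RETIRED = "retired"


# Operations a user can attempt on a rule.
READ, CREATE, MODIFY, DEPLOY = "read", "create", "modify", "deploy"

# Role -> operations that role may perform (constructed; the page only says
# a Rule Administrator should not author rules and that not everyone
# should be able to push to production).
ROLE_PERMISSIONS = {
    "Rule Author": {READ, CREATE, MODIFY},
    "Rule Reviewer": {READ},
    "Rule Administrator": {READ, DEPLOY},
}

# Operations that also require membership in the rule's subject area.
# Reads are deliberately unscoped: everyone may read every rule.
SCOPED_OPERATIONS = {CREATE, MODIFY, DEPLOY}


@dataclass(frozen=True)
class Rule:
    name: str
    subject_area: str
    state: State


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    subject_areas: set = field(default_factory=set)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user: User, operation: str, rule: Rule) -> Decision:
    """Decide whether `user` may perform `operation` on `rule`.

    Deny by default; three checks must all pass:
      1. role check       - some role of the user grants the operation;
      2. scope check      - writes are limited to the user's subject areas;
      3. life-cycle check - only a tested rule may be deployed.
    The reason string is meant to be written to an audit log.
    """
    if not any(operation in ROLE_PERMISSIONS.get(r, set()) for r in user.roles):
        return Decision(False, f"no role of {user.name} grants '{operation}'")
    if operation in SCOPED_OPERATIONS and rule.subject_area not in user.subject_areas:
        return Decision(False, f"{user.name} is not assigned to subject area "
                               f"'{rule.subject_area}'")
    if operation == DEPLOY and rule.state is not State.TESTED:
        return Decision(False, f"rule '{rule.name}' is {rule.state.value}, not tested")
    return Decision(True, f"{user.name} may {operation} '{rule.name}'")


if __name__ == "__main__":
    # Constructed sample users and rules.
    ana = User("ana", {"Rule Author"}, {"marketing"})
    raj = User("raj", {"Rule Administrator"}, {"marketing", "sales"})
    discount = Rule("discount-rule", "marketing", State.TESTED)
    lead_scoring = Rule("lead-scoring", "sales", State.DRAFT)
    for user, op, rule in [(ana, MODIFY, discount), (ana, MODIFY, lead_scoring),
                           (ana, READ, lead_scoring), (raj, CREATE, discount),
                           (raj, DEPLOY, discount), (raj, DEPLOY, lead_scoring)]:
        d = authorize(user, op, rule)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The ordering of the checks matters for what ends up in the audit trail: a user without the role at all is turned away before the subject-area or life-cycle state is consulted, so the logged reason tells the reviewer which of the three controls actually blocked the request.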
In the next post of the series, we will go back to a higher level view and discuss the next steps for implementation of business rules governance and management.