Information security is an essential subject for commercial and government organizations, and its deployment should be supported by software tools, both at design time (when authorization business rules are planned and designed) and at run time (when authorization business rules are applied and monitored). An authorization business rule (or authorization rules, for short) is a rule that states which operations may be executed on each data item by each user. Therefore, information security supporting tools should include features for editing, managing, and assuring the application and monitoring of authorization rules. These features may be structured in a framework composed by rule management and rule execution components. In real scenarios, evaluating and selecting tools to support organization business processes is typically handled by prospecting activities that are conducted in an ad-hoc way, and therefore are very time-consuming and hard to track. However, the rapid evolution of business scenarios, the increasing demand for traceability in business-IT alignment and the great number of IT solutions available for being evaluated require prospecting activities to be more systematic, traceable and quickly adapted to different scenarios. This work proposes a set of criteria and a systematic method for evaluating tools for management and execution of authorization rules. We have applied our approach in a real scenario. The results demonstrated that BRMS (Business Rule Management Systems) tools can be used for authorization rule management, and Oracle DBMS is the most suitable tool for authorization rules storage and execution.

business rules; authorization rules; business rule management systems; IT enterprise architecture; tool evaluation.