The Light World vs. the Dark World ~ Business Rules for Authorization

Ronald G.  Ross
Ronald G. Ross Co-Founder & Principal, Business Rule Solutions, LLC , Executive Editor, Business Rules Journal , and Co-Chair, Building Business Capability (BBC) Read Author Bio       || Read All Articles by Ronald G. Ross

What do legal contracts and computer security specifications have in common?  You might not think too much, but actually both are often based on a common assumption -- namely, that rights must be specified explicitly.  In other words, nothing is permitted unless explicitly authorized.  This assumption is just the opposite of the one usually assumed for business rules -- namely, that nothing is prohibited unless explicitly forbidden.

The world of legal contracts assumes the possibility of malfeasance, breach of trust, non-performance, etc. -- in other words, the worst possible outcomes.  Similarly, the world of computer security specifications assumes the possibility of hacking, identity theft, sabotage, etc. -- also worst-case scenarios.  In both cases, the underlying assumption is a bleak one.  Let's call this the dark world.  In a dark world, everything that is not permitted is forbidden.

The world of business, in contrast, generally assumes success, whether in financial terms or otherwise -- in other words, the best possible outcome.  Only in certain cases might business goals conflict, or levels of risk be unacceptable.  In these and only these cases do we need protection -- i.e., business rules of the 'normal' sort.  Let's call this the light world.  In a light world, everything that is not forbidden is permitted.

With this in mind, let's revisit the business rule mantra:  Rules build on facts, and facts build on terms.  Normally in the business rule approach we start off assuming that all facts are unconstrained.  In other words, there is no rule unless we say there is a rule.  In a dark world, just the opposite is true -- there is no permission unless we say there is permission.  In other words, we start off assuming that all facts are constrained, then any authorization we might specify un-constrains them (some).

Now for the bottom-line question:  Should authorizations be considered business rules?  The answer should be obvious -- of course.  They simply come from a different world.

# # #

Standard citation for this article:


citations icon
Ronald G. Ross , "The Light World vs. the Dark World ~ Business Rules for Authorization" Business Rules Journal Vol. 5, No. 8, (Aug. 2004)
URL: http://www.brcommunity.com/a2004/b201.html

About our Contributor:


Ronald  G. Ross
Ronald G. Ross Co-Founder & Principal, Business Rule Solutions, LLC , Executive Editor, Business Rules Journal , and Co-Chair, Building Business Capability (BBC)

Ronald G. Ross is Principal and Co-Founder of Business Rule Solutions, LLC, where he actively develops and applies the IPSpeak methodology including RuleSpeak®, DecisionSpeak and TableSpeak.

Ron is recognized internationally as the "father of business rules." He is the author of ten professional books including the groundbreaking first book on business rules The Business Rule Book in 1994. His newest are:


Ron serves as Executive Editor of BRCommunity.com and its flagship publication, Business Rules Journal. He is a sought-after speaker at conferences world-wide. More than 50,000 people have heard him speak; many more have attended his seminars and read his books.

Ron has served as Chair of the annual International Business Rules & Decisions Forum conference since 1997., now part of the Building Business Capability (BBC) conference where he serves as Co-Chair. He was a charter member of the Business Rules Group (BRG) in the 1980s, and an editor of its Business Motivation Model (BMM) standard and the Business Rules Manifesto. He is active in OMG standards development, with core involvement in SBVR.

Ron holds a BA from Rice University and an MS in information science from Illinois Institute of Technology. Find Ron's blog on http://www.brsolutions.com/category/blog/. For more information about Ron visit www.RonRoss.info. Tweets: @Ronald_G_Ross

Read All Articles by Ronald G. Ross

Online Interactive Training Series

In response to a great many requests, Business Rule Solutions now offers at-a-distance learning options. No travel, no backlogs, no hassles. Same great instructors, but with schedules, content and pricing designed to meet the special needs of busy professionals.