The Light World vs. the Dark World ~ Business Rules for Authorization

Ronald G.  Ross
Ronald G. Ross Co-Founder & Principal, Business Rule Solutions, LLC , Executive Editor, Business Rules Journal and Co-Chair, Building Business Capability (BBC) Read Author Bio       || Read All Articles by Ronald G. Ross

What do legal contracts and computer security specifications have in common?  You might not think too much, but actually both are often based on a common assumption -- namely, that rights must be specified explicitly.  In other words, nothing is permitted unless explicitly authorized.  This assumption is just the opposite of the one usually assumed for business rules -- namely, that nothing is prohibited unless explicitly forbidden.

The world of legal contracts assumes the possibility of malfeasance, breach of trust, non-performance, etc. -- in other words, the worst possible outcomes.  Similarly, the world of computer security specifications assumes the possibility of hacking, identity theft, sabotage, etc. -- also worst-case scenarios.  In both cases, the underlying assumption is a bleak one.  Let's call this the dark world.  In a dark world, everything that is not permitted is forbidden.

The world of business, in contrast, generally assumes success, whether in financial terms or otherwise -- in other words, the best possible outcome.  Only in certain cases might business goals conflict, or levels of risk be unacceptable.  In these and only these cases do we need protection -- i.e., business rules of the 'normal' sort.  Let's call this the light world.  In a light world, everything that is not forbidden is permitted.

With this in mind, let's revisit the business rule mantra:  Rules build on facts, and facts build on terms.  Normally in the business rule approach we start off assuming that all facts are unconstrained.  In other words, there is no rule unless we say there is a rule.  In a dark world, just the opposite is true -- there is no permission unless we say there is permission.  In other words, we start off assuming that all facts are constrained, then any authorization we might specify un-constrains them (some).

Now for the bottom-line question:  Should authorizations be considered business rules?  The answer should be obvious -- of course.  They simply come from a different world.

# # #

Standard citation for this article:

citations icon
Ronald G. Ross, "The Light World vs. the Dark World ~ Business Rules for Authorization" Business Rules Journal, Vol. 5, No. 8, (Aug. 2004)

About our Contributor:

Ronald  G. Ross
Ronald G. Ross Co-Founder & Principal, Business Rule Solutions, LLC , Executive Editor, Business Rules Journal and Co-Chair, Building Business Capability (BBC)

Ronald G. Ross is Principal and Co-Founder of Business Rule Solutions, LLC, where he actively develops and applies the BRS Methodology including RuleSpeak®, DecisionSpeak and TableSpeak.

Ron is recognized internationally as the "father of business rules." He is the author of ten professional books including the groundbreaking first book on business rules The Business Rule Book in 1994. His newest are:

Ron serves as Executive Editor of and its flagship publication, Business Rules Journal. He is a sought-after speaker at conferences world-wide. More than 50,000 people have heard him speak; many more have attended his seminars and read his books.

Ron has served as Chair of the annual International Business Rules & Decisions Forum conference since 1997, now part of the Building Business Capability (BBC) conference where he serves as Co-Chair. He was a charter member of the Business Rules Group (BRG) in the 1980s, and an editor of its Business Motivation Model (BMM) standard and the Business Rules Manifesto. He is active in OMG standards development, with core involvement in SBVR.

Ron holds a BA from Rice University and an MS in information science from Illinois Institute of Technology. Find Ron's blog on For more information about Ron visit Tweets: @Ronald_G_Ross

Read All Articles by Ronald G. Ross
Subscribe to the eBRJ Newsletter
The Two Fundamental Kinds of Rules
What Rules Are
What Rules Do for Us
Improving the Quality of Public Health Guidance: A Business Rules Approach
Parking Consternations: Rules, Rules, Rules
In The Spotlight
 Silvie  Spreeuwenberg
 Jim  Sinur
The BRSolutions Professional Training Suite

BRSolutions Professional Training Suite

All About Concepts, Policies, Rules, Decisions & Requirements
We want to share some insights with you that will positively rock your world. They will absolutely change the way you think and go about your work. We would like to give you high-leverage opportunities to add value to your initiatives, and give you innovative new techniques for developing great business solutions.