Controlling access to data is important in any data processing environment. For example, some data may be accessible only to users and/or applications with specific attributes or identifiers. According to another example, some data may be available to a certain group of users or applications during a defined period but not thereafter. In some cases only a portion of a dataset may be visible to one user whereas a different portion of the same dataset may be visible to another user. Data processing environments generally attempt to control access to restricted data via a rule that is enforced only when certain conditions are satisfied. Such rules are often implemented in a part of the data processing environment that does not store the data directly.
In this regard, many database-driven application programs contain three layers of programming—a user interface layer, an application layer, and a database layer. The application layer is generally responsible for selecting a set of data from the database layer, assembling the set of data and providing it for viewing and user interaction in the user interface layer. Therefore rules for controlling access to restricted data are generally implemented in the application layer. For example, in one common configuration, the data access rules are created, managed, and administered by a data access manager application. An application calls the data access manager application to receive a data access rule applicable to the data that is being requested in a query. The application then receives and applies the data access rule to the requested data.