9270541

Dynamic Generation of Policy Enforcement Rules and Actions from Policy Attachment Semantics

Published: February 23, 2016
Assignee: not available in USPTO data we have
Patent Claims
8 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method, comprising: by a processor operating at a policy enforcement point (PEP): obtaining at least one defined service level policy to be enforced during runtime by the PEP, that each specifies at least one set of enforceable policy provisions that each comprises a policy subject that represents a policy entity with which the defined service level policy is associated, a reference to a policy domain that specifies service level semantics of an area of runtime policy enforcement, and at least one assertion that each specifies a policy enforcement constraint to be applied to runtime objects associated with the policy subject within the area of runtime policy enforcement; parsing the obtained at least one defined service level policy to identify the specified at least one set of enforceable policy provisions; and transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into at least one runtime-executable processing rule that each comprises at least one PEP processing action that each represents an atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement.

2. The method of claim 1, where transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into the at least one runtime-executable processing rule that each comprises the at least one PEP processing action that each represents the atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement comprises: generating at least one local intermediate proxy policy object that represents and encapsulates the at least one assertion that each specifies the respective policy enforcement constraint of the at least one defined service level policy being transformed; and transforming the generated at least one local intermediate proxy policy object into the at least one PEP processing action that implements the at least one runtime-executable processing rule.

3. The method of claim 1, where transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into the at least one runtime-executable processing rule that each comprises the at least one PEP processing action that each represents the atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement comprises creating, for each identified set of enforceable policy provisions, at least one PEP processing action to be executed in response to a match of the policy subject, the policy domain, and the at least one assertion within a runtime object.

4. The method of claim 1, further comprising by the processor operating at the PEP: receiving a runtime object in a policy framework; identifying a defined policy enforcement rule that comprises the at least one runtime-executable processing rule applicable to enforce the at least one defined service level policy against the runtime object during the runtime; and enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime.

5. The method of claim 4, where enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime comprises: determining a first service level agreement (SLA) runtime-executable processing rule associated with a first user credential and a second SLA runtime-executable processing rule associated with a second user credential; and dynamically adjusting the at least one PEP processing action of the at least one runtime-executable processing rule according to the first SLA runtime-executable processing rule of the first user credential and according to the second SLA runtime-executable processing rule for the second user credential.

6. The method of claim 4, where: the at least one defined service level policy comprises a service level agreement (SLA); the at least one runtime-executable processing rule comprises at least one SLA runtime-executable processing rule; and enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime comprises: performing an SLA check action on the runtime object; determining whether the SLA check action has identified any matching SLA runtime-executable processing rules to be enforced against the runtime object; and for each matching SLA runtime-executable processing rule, processing the runtime object using the matching SLA runtime-executable processing rule.

7. The method of claim 6, where: the at least one defined service level policy further comprises a service level definition (SLD); the at least one runtime-executable processing rule comprises at least one SLD runtime-executable processing rule; and enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime comprises: processing the at least one SLD runtime-executable processing rule last on the runtime object after processing each matching SLA runtime-executable processing rule on the runtime object.

8. The method of claim 4, where the runtime object is selected from a group consisting of a transaction, a web request, a database request, a representational state transfer (REST) service, a web application, and a message.

Patent Metadata

Filing Date

Unknown

Publication Date

February 23, 2016

Inventors

Thomas C. Burke
Mario E. De Armas
Oswaldo Gago
Gaurang Shah
Maria E. Smith

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “DYNAMIC GENERATION OF POLICY ENFORCEMENT RULES AND ACTIONS FROM POLICY ATTACHMENT SEMANTICS” (9270541). https://patentable.app/patents/9270541