Papers
Topics
Authors
Recent
Search
2000 character limit reached

Compliance in Databases: A Study of Structural Policies and Query Optimization

Published 17 Apr 2026 in cs.DB | (2604.15861v1)

Abstract: Growing privacy regulations and internal governance mandates are driving demand for fine-grained, context-sensitive access control in data management systems. Among competing approaches, content-based access control -- where access decisions depend on the data values referenced by a query -- is becoming particularly prominent, and is supported directly in modern database engines. While simple content-based predicates often incur negligible overhead, increasingly rich policies can interact in subtle ways with query optimization, leading to significant and poorly understood performance variability. This paper investigates this gap by introducing a structural framework and expressive policy grammar for modelling content-based compliance policies and analysing their impact on query planning and execution in database systems. Building on this framework, we augment an analytical benchmark with structured policy workloads, enabling controlled evaluation of enforcement mechanisms and optimization strategies under combined query - policy workloads. Our experimental results show that policy structure has a decisive impact on optimizer behaviour and end-to-end performance, underscoring the need for policy-aware database and optimizer design.

Summary

  • The paper introduces a formal framework that categorizes atomic policies and defines a compositional grammar for database compliance.
  • It empirically evaluates multiple enforcement mechanisms, comparing white-box and black-box strategies in query optimization.
  • Results indicate that policy structure critically impacts query planning and execution efficiency, informing next-generation optimizer designs.

Structural Policy Complexity and Query Optimization for Database Compliance

Introduction

Regulatory demands for privacy—driven by standards such as GDPR, HIPAA, and CCPA—necessitate sophisticated, contextually nuanced access control in relational database systems. The classical mechanisms of static privileges are insufficient. Instead, fine-grained, content-dependent access rules dictate tuple-level visibility based on complex combinations of user identity, data values, and context attributes. The native support for such policies, e.g., Row-Level Security (RLS) in PostgreSQL, raises fundamental new challenges: the optimizer must plan and execute queries whose logical and physical structure is deeply interwoven with compliance policy enforcement.

This paper introduces a formal framework for the structural analysis of content-based policies and their ramifications for query optimization. It categorizes atomic policy types, offers a compositional grammar for their synthesis, and empirically dissects enforcement strategies in modern DBMSs, highlighting the decisive role policy structure plays in both correctness and performance. Figure 1

Figure 1: The interaction between users, policies, and databases—demonstrating policy definition, enforcement, and end-user transparency.

Structural Modeling of Compliance Policies

Atomic Policy Taxonomy

The framework formalizes atomic policies using a relational model, where a policy is captured as a tuple ⟨R,Q,σ,π,μ⟩\langle R, Q, \sigma, \pi, \mu \rangle. Here, RR is the guarded relation, QQ is a policy predicate, σ\sigma is a selection, π\pi is a projection, and μ\mu is a masking operator controlling attribute-level visibility.

The taxonomy covers:

  • Attribute Predicates: Simple, attribute-based filters capturing static or contextual attribute constraints.
  • Existential Predicates: Semi-join constructs enforcing access upon presence of qualifying related tuples.
  • Universal Predicates: Anti-join constructs requiring absence of violations in dependent data.
  • Aggregated/Group Predicates: Policies predicated on group-level analytics (e.g., COUNT, HAVING).
  • Statistical Predicates: More advanced structures involving correlated aggregates and statistical constraints.

Through this abstraction, the policy model supports both classical and complex multi-table, correlated access scenarios that arise in real regulatory requirements.

Grammar for Policy Composition

The expressiveness of structural policies is magnified by the use of a formal grammar enabling compositionality: atomic policies can be logically combined (AND, OR, NOT) or conditionalized ("if–then–else"). The formal grammar ensures all composed policies are analyzable, supporting systematic detection of compositional depth, cyclic references, and conflict regions.

The compositional semantics admit construction of policy Abstract Syntax Trees (AST), furnishing the optimizer with structural cues necessary for advanced rewrites, predicate pushdown, and transparency in enforcement.

Policy Enforcement Mechanisms

The enforcement landscape is characterized by the degree of optimizer visibility (white-box vs. black-box) and the structure of policy–query interleaving. The paper evaluates the following strategies:

  • Pure/PostgreSQL RLS: Base-table predicate injection; white-box when policies are acyclic, black-box otherwise.
  • Views and Security Barrier Views: Policies embedded as logical views, with or without security barriers controlling optimization boundary.
  • Query Rewriting: Direct inlining of policy predicates using query rewrite frameworks (e.g., LITHE), exposing maximal structure to the optimizer.
  • User-Defined Functions (UDFs): Opaque, non-optimizable enforcement typically required for cyclic or highly sensitive policies.

Key trade-offs arise:

  • White-box mechanisms enable predicate-level and cross-policy query–plan co-optimization but may incur increased attack surface.
  • Black-box mechanisms provide strong isolation but degrade optimizer effectiveness due to loss of semantic information.

Experimental Analysis

Benchmark and Policy Workload Construction

The experimental benchmark is an augmentation of TPC-H, where scale and policy complexity can be independently controlled. Policies are generated using prompt-driven NL2SQL (GPT-5), validating both syntax and business semantics via an enforced compositional grammar.

  • Acyclic policies: Enable maximal white-box optimization.
  • Cyclic policies: Simulate real-world cross-table dependencies requiring black-box enforcement.

Cross Query–Policy Optimization: Costs and Benefits

Figure 2

Figure 2: Comparative execution and optimization time for RLS, Views, and Query Rewrite on acyclic policy workloads.

Pure RLS offers minimal planning overhead but suffers execution penalties in complex joins or deeply nested policies. Query rewriting (via LITHE) robustly outperforms RLS in execution time, particularly when cross-predicate optimization is critical. Views strike a middle ground, providing improved execution in many cases but with mixed planning overhead. Query complexity increases planning time non-trivially, often by 2×2\times–4×4\times compared to RLS.

Notably, deeply tiered policies can produce rewrites that the planner fails to optimize efficiently, occasionally causing timeouts—indicating limits of current query planner architecture.

Enforcement at Scale

Figure 3

Figure 3: Comparative enforcement strategy execution with increased TPC-H scale factor (SF=10).

The relative effectiveness of enforcement methods is independent of the underlying data scale, reaffirming that policy structure, not sheer data volume, is the dominant complexity source for query planners in compliance enforcement contexts.

Black-box Enforcement and Indexing

Figure 4

Figure 4: Impact of policy-aware indexing on black-box RLS enforcement in cyclic policy contexts.

For black-box enforcement (notably, cyclic policies), policy-aware indexing becomes crucial. Pure RLS under black-box constraints demonstrates significant execution slowdowns, including timeouts on multi-policy queries. Indexing on policy columns not only delivers average latency reductions but, critically, enables completion of previously intractable queries. Planning overhead is variable but does not systematically trend with index application.

Method Comparison on Cyclic Policies

Figure 5

Figure 5: Execution and planning overhead of black-box RLS vs. Security Barrier Views for cyclic policies.

When cyclic dependencies require black-box treatment, RLS outperforms Security Barrier Views in planning efficiency and overall execution stability. However, both mechanisms remain substantially less performant than the corresponding white-box implementations on structurally simpler policy sets.

Logical Contradiction and Predicate Order

The paper empirically demonstrates that visibility of predicates to the optimizer is critical. Logical contradictions (e.g., p∧¬pp \wedge \neg p) in black-box enforcement yield worst-case runtimes due to tuple-by-tuple evaluation, whereas white-box implementations are able to short-circuit through join-based plan reordering. Predicate ordering in composite policies impacts access path selection and execution time, especially when combined with aggressive indexing.

Implications and Future Directions

This study identifies policy structure as the principal determinant of enforcement cost. It also exposes the optimizer’s inability to uniformly manage deep, compositional, or cyclic policy workloads with current abstraction models.

Immediate system engineering opportunities include:

  • Policy-aware selectivity estimation and plan enumeration—making policy predicates first-class optimization objects.
  • Adaptive, policy-targeted index recommendation and automatic index management.
  • Mechanisms permitting selective relaxing of security barriers for well-typed predicates.
  • Detection of optimal enforcement boundary (white-box vs. black-box) per-policy, per-query.

At the formal level, further extension is needed to support overlapping, conflicting, or prioritized policies, requiring richer conflict-resolution semantics.

On the theoretical side, query-rewriting techniques that are robust under complex compositional semantics, especially in the presence of masking and value transformation, remain an open avenue of research.

Conclusion

This work systematically formalizes the combinatorial space of content-based compliance policy enforcement in relational databases. By decomposing and composing policies using a structural grammar and empirically benchmarking enforcement strategies, it demonstrates the criticality of policy structure to optimizer behavior and enforcement cost. The results motivate a new generation of policy-aware optimizers and transparent, scalable enforcement mechanisms, advancing the state-of-the-art in compliance-centric database system design.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.