Security policy enforcement is instrumental in preventing the unauthorized disclosure of sensitive data, protecting the integrity of vital data, mitigating the likelihood of fraud, and ultimately enabling the secure sharing of information. In accessing a given resource, policy may dictate, for example, that a user has a need-to-know, is appropriately cleared, is competent, has not already performed a different operation on the same resource, the resource was previously accessed by a different user, is incapable of accessing other enterprise resources, or is capable of accessing an object or any copy of the object while performing a specific task. Currently, there exists a rich set of formal security models that can translate organizational policies. A small sample of well-documented policies includes flavors of Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), ORCON, Chinese wall, and History-Based Separation of Duty. Enterprise policies that are designed to protect resources are also ad hoc in nature.
As a major component of any operating system or application, access control mechanisms come in a wide variety of forms, each with its own method for authentication, access control data constructs for specifying and managing policy, and functions for making access control decisions and enforcing policies. Of the numerous recognized access control policies, today's OSs rigidly limit enforcement to a small subset of known policies. Policies are also routinely accommodated through the implementation of access control mechanisms within applications. Prominent among these applications are database management systems, but these applications can also include a number of smaller applications such as enterprise calendars, time and attendance, and workflow management. Essentially, any application that requires a user's authentication typically also affords an independent access control service. Not only do these applications further aggravate identity and privilege management problems, they can also undermine policy enforcement objectives. For instance, although a file management system may narrowly restrict user access to a specific file, chances are the content of that file can be copied to an attachment or a message and mailed to anyone in the organization, or for that matter, the world.
In consideration of these issues, an important question is raised: does a Meta model exist that can serve as a unifying framework for specifying and comprehensively enforcing any access control policy? Some may argue that convergence towards a Meta model is already underway. For example, RBAC and XACML have been shown effective in their specification and enforcement of access control policies and have been applied in providing interoperable protection.