Normally, rules for a particular category change very infrequently. Rules are easy for security officers to understand, which gives them complete control of the system's behavior without having to involve information technology professionals. Each rule can be audited to check that the correct people are being allowed or disallowed based on their compliance with the rule specifications. This capability helps ensure that the rules are specified properly. When created, rules are initially inactive, which lets the security officer develop the rule and check its action before enabling it and having it apply access restrictions to the class. Rules can be deleted. Doing so can expose information that should be protected unless an equivalent rule has been added as a substitute. If the deletion is intended to make the class more accessible, then no harm will result.
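The rule lifecycle described above (create inactive, audit, enable, check what a deletion would expose), as an added example that is not code from the system the page describes. The `Rule` and `InfoClass` names, the attribute-matching form of a rule, and the sample people are assumptions made for illustration; access is assumed to require compliance with every active rule.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    required: dict        # assumed rule form: attribute -> value a person must hold
    active: bool = False  # rules start inactive so they can be checked first

    def complies(self, person):
        return all(person.get(k) == v for k, v in self.required.items())

    def audit(self, people):
        # Dry run, whether or not the rule is active: (allowed ids, disallowed ids).
        ok = sorted(p["id"] for p in people if self.complies(p))
        return ok, sorted(p["id"] for p in people if not self.complies(p))

@dataclass
class InfoClass:          # hypothetical name for a protected class of information
    name: str
    rules: list = field(default_factory=list)

    def allowed(self, person, rules=None):
        # Assumption: access requires compliance with every *active* rule.
        rules = self.rules if rules is None else rules
        return all(r.complies(person) for r in rules if r.active)

    def deletion_exposure(self, rule, people):
        # People who are blocked now but would gain access if `rule` were deleted.
        rest = [r for r in self.rules if r is not rule]
        return sorted(p["id"] for p in people
                      if not self.allowed(p) and self.allowed(p, rest))

# Constructed sample data, not taken from the original page.
PEOPLE = [{"id": "alice", "clearance": "secret", "trained": True},
          {"id": "bob", "clearance": "secret", "trained": False},
          {"id": "carol", "clearance": "none", "trained": True}]

def demo():
    draft = Rule("training", {"trained": True})            # created inactive
    cls = InfoClass("design-docs",
                    [Rule("clearance", {"clearance": "secret"}, active=True), draft])
    out = {"bob_before": cls.allowed(PEOPLE[1]), "audit": draft.audit(PEOPLE)}
    draft.active = True                                    # enable after the audit
    out["bob_after"] = cls.allowed(PEOPLE[1])
    out["exposed"] = cls.deletion_exposure(draft, PEOPLE)  # check before deleting
    return out
```

Running `deletion_exposure` before removing a rule lists exactly the people the deletion would newly admit, so an unintended exposure shows up while a substitute rule can still be added.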