A rule that either uses data validation or imposes a constraint on the access to business data of a protected business object via an authorization token.