responsive to receiving a request for data from an application, identifying at least one domain pair in the request, wherein a domain differentiates usage of data according to business rules for a column in the request, wherein each column in the request is defined as being in a specific domain, wherein each domain pair comprises two specific domains of two columns in the request, and wherein each domain pair is associated with an operator in the request that operates on the two columns;

determining if operators for each of the at least one domain pair identified in the request are authorized, wherein each of the at least one domain pair is associated with permissible operators, and wherein the step of determining if operators for each of the at least one domain pair identified in the request are authorized further comprises comparing the operators for each of the at least one domain pair identified in the request with the permissible operators;

determining if functions in the request are authorized, wherein the functions in the request are associated with specific domains of columns in the request; and

responsive to determinations that the operators and functions are authorized, rewriting the request to include a casting formula for each domain pair operation to form a rewritten request;

wherein the step of determining if operators for each of the at least one domain pair identified in the request are authorized is performed by checking a first table in order to locate an entry containing a permissible operator for each of the at least one domain pair;

wherein the step of determining if functions in the request are authorized is performed by checking a second table to identify if the specific domains of the columns in the request associated with the functions are allowed to inherit functions specified in the request from a parent domain, and by checking a third table to identify exceptions to the inherited functions identified using the second table.