In enterprise databases, access control policy specification and enforcement are often decoupled, leading to cumbersome, non-systematic manual auditing. To address this, we propose Intent-Based Access Control for Databases (IBAC-DB), a novel model supporting semantic policy modeling and bidirectional traceability between policies and their implementations. We introduce IBACBench—the first benchmark tailored for database access control—and DePLOI, an LLM-based system featuring a task-decomposition paradigm for NL2SQL translation. DePLOI integrates domain-customized NL2SQL, role-hierarchy-aware modeling, and hybrid synthetic data generation for evaluation. Experiments on IBACBench demonstrate that DePLOI achieves significantly higher synthesis accuracy and auditing F1-score (+10 F1) than state-of-the-art baselines, validating the feasibility and robustness of automating secure access control policy deployment.

In every enterprise database, administrators must define an access control policy that specifies which users have access to which tables. Access control straddles two worlds: policy (organization-level principles that define who should have access) and process (database-level primitives that actually implement the policy). Assessing and enforcing process compliance with a policy is a manual and ad-hoc task. This paper introduces a new access control model called Intent-Based Access Control for Databases (IBAC-DB). In IBAC-DB, access control policies are expressed using abstractions that scale to high numbers of database objects, and are traceable with respect to implementations. This paper proposes DePLOI (Deployment Policy Linter for Organization Intents), a LLM-backed system leveraging access control-specific task decompositions to accurately synthesize and audit access control implementation from IBAC-DB abstractions. As DePLOI is the first system of its kind to our knowledge, this paper further proposes IBACBench, the first benchmark for evaluating the synthesis and auditing capabilities of DePLOI. IBACBench leverages a combination of current NL2SQL benchmarks, real-world role hierarchies and access control policies, and LLM-generated data. We find that DePLOI achieves high synthesis accuracies and auditing F1 scores overall, and greatly outperforms other LLM prompting strategies (e.g., by 10 F1 points).