I have a need for allowing business rules to be defined in a commercial, shipping product with respect to data authorization rules. The rules need to be customizable in the field, and the customizations need to survive updates of the application. The system is C#/ASP.NET.
I've considered using a DSL for this, but it seemed like a lot of very difficult work that is easy to do wrong. Ayende has some hints on this on his blog and his DSL book.
After thinking through it further, and reviewing what's out there (e. g. http://stackoverflow.com/questions/1610639/customised-business-rules-per-customer-asp-net-mvc references a blog post that talks about mixing static and dynamic in one application), it seems that using an ORM that will let us create rules statically as extensions to the ORM, then using a dynamic language for the custom rules in the field would be a reasonable combination.
Does that sound like a reasonable answer? I'm open to creating a DSL if it is the right answer, and I'm open to exploring other languages. I'm also okay with field compiling code because that is something that is easy to hide in .NET. However, shipping the full set of source for the data layer is very likely not going to be acceptable.
Have I already answered my question? Does anyone have real-world experience with this kind of scenario?