Crook, Robert; Ince, Darrel and Nuseibeh, Bashar
Modelling access policies using roles in requirements engineering.
Information and Software Technology, 45(14) pp. 979–991.
Pressures are increasing on organisations to take an early and more systematic approach to security. A key to enforcing security is to restrict access to valuable assets. We regard access policies as security requirements that specify such restrictions. Current requirements engineering methods are generally inadequate for
eliciting and analysing these types of requirements, because they do not allow complex organisational structures
and procedures that underlie policies to be represented adequately.
This paper discusses roles and why they are important in the analysis of security. The paper relates roles to
organisational theory and how they could be employed to define access policies. A framework is presented, based on these concepts, for analysing access policies.
Actions (login may be required)