An approach to capture authorisation requirements in business processes

Springer Science and Business Media LLC - Volume 15 - Pages 359-373 - 2010
Christian Wolter¹, Christoph Meinel²
¹ Bombardier Transportation, Berlin, Germany
² Hasso Plattner Institute, Potsdam, Germany

Abstract

Business process modelling focuses on the modelling of functional behaviour. In this article, we propose an extension for the business process modelling notation to express non-functional authorisation requirements in a process model to enable the collaboration between security experts and business analysts. To capture multi-level, role-based and Separation of Duty authorisation requirements, new model element attributes and authorisation artefacts are introduced. To enhance the usability of this approach, simple visual decorators are specified to ease the communication of requirements between various stakeholders. To provide an early validation of these authorisation requirements during the definition of a process model, formal semantics are applied to the process model and model-checking techniques are used to provide feedback. As a pragmatic proof of concept, a first prototype implementation is briefly discussed.
