Towards an Analytical Role Modelling Framework for Security Requirements

Pressures are increasing on organisations to take a more systematic approach to incorporating security into their software development process. The key to this is analysing security requirements early on, rather than treating security as an add-on, as is often the case. An important component of security requirements is access control, and roles have been found to provide an effective basis for defining access restrictions. Current requirements engineering methods are generally inadequate for eliciting and analysing these types of requirements, because they do not allow the complex organisational structures and procedures that form the basis of role-based security policy to be represented adequately. In this paper, we outline the concepts that underpin role-based access control, and relate these to organisational theory, to give a basis for defining roles. We then propose an analytical role modelling framework that enables us to model and analyse access restrictions based on these concepts. The framework is illustrated by a detailed example taken from the healthcare domain.