Skip to Main Content
This paper presents the KAOS2RBAC approach for Security Requirements Engineering. Starting from functional requirements, linked to a data model, the approach first identifies high level security goals. It then refines these security goals into security requirements linked to the functional model. Finally, these security requirements lead to the design of access control rules. An informal verification step checks that the rules give enough permission to enable all functional requirements. The approach takes benefit of the KAOS notations to link functional and non-functional goals, agents, data, and access control rules in a single requirements model. This enables traceability between security goals and the resulting access control rules. The approach is illustrated by a case study: an information system for medical urgency, taken from a real project.