Deriving Access Control Policies from Requirements Specifications and Database Designs

Access control is a mechanism for achieving confidentiality and integrity in software systems. Specifying access control policies (ACPs) is a complex process that can benefit from requirements engineering techniques. In this paper, we present a method for deriving access control policies from software requirements specifications (SRS) and database designs. The approach provides prescriptive guidance for how to derive and specify ACPs. It also improves the quality of requirements specifications and the database designs by clarifying ambiguities and resolving conflicts across both artifacts. The approach provides traceability support between requirements, access control policies and design decisions, ensuring consistency among these artifacts. Examples from two projects are employed to demonstrate how the approach helps bridge the gap between requirements and design.