Requirements-based Access Control Analysis and Policy Specification (ReCAPS)

Access control is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) are security requirements that define how access is managed and the high-level rules of who, under what conditions, can access what information. Traditionally, access control policies are often specified after a system is designed and deployed. Because ACP specification is typically isolated from requirements analysis, it may result in policies that are not in compliance with system requirements. We present a R equirements-based acc ess Control Analysis and Policy S pecification (ReCAPS) approach for deriving ACPs from various information sources. It provides prescriptive guidance for how to specify both function-level and database-level ACPs. This approach helps clarify ambiguities, resolve conflicts, and it provides traceability support, ensuring consistency among software artifacts. We employ examples from three projects to present the ACP specification process and associated heuristics.