Abstract
Role-based access control (RBAC) is widely accepted and used as an access control model. However, an access control model for a business process environment requires particular capabilities that RBAC does not satisfy, such as active access control and separation of duty that can be dynamically enforced at the level of a business process execution instance. This creates the need for an access control model that is specifically designed to work in a business process environment. This paper identifies the required characteristics for a business process access control model. The researchers used real life case studies as well as the literature to identify these characteristics. The paper shows that for an access control mode to work in a business process centric environment it should support the identified characteristics.