Representing Access Control Policies in Use Cases

Security requirements of a software product need to receive attention throughout its development lifecycle. This paper proposes the required notation and format to represent security requirements, especially access control policies in use case diagram and use case description. Such enhancements offer simple representation for positive and negative authorization; grouping sensitive use cases that form a critical business task; separation of duties – both static and dynamic; least privilege; inheritance of authorizations; and security state or label for data inputted, stored or outputted. Validating information flow requirements at an early stage prevents costly fixes that are mandated during later stages of the development life cycle.