A Framework for Modeling Privacy Requirements in Role Engineering

Privacy protection is important in many industries, such as healthcare and finance. Capturing and modeling privacy requirements in the early stages of system development is essential to provide high assurance of privacy protection to both stakeholders and consumers. This paper presents a framework for modeling privacy requirements in the role engineering process. Role engineering entails defining roles and permissions as well as assigning the permissions to the roles. Role engineering is the first step to implement a Role-Based Access Control (RBAC) system and essentially a Requirements Engineering (RE) process. The framework includes a data model and a goal-driven role engineering process. It seeks to bridge the gap between high-level privacy requirements and low-level access control policies by modeling privacy requirements as the contexts and obligations of RBAC entities and relationships. A healthcare example is illustrated with the framework. 1