Supporting Agile Development of Authorization Rules for SME Applications

Steffen Bartsch, Karsten Sohr, and Carsten Bormann
Technologie-Zentrum Informatik TZI, Universität Bremen, Bibliothekstr. 1, 28359 Bremen, Germany
{sbartsch,sohr,cabo}@tzi.org

Abstract. Custom SME applications for collaboration and workflow have become affordable when implemented as Web applications employing Agile methodologies. Security engineering is still difficult with Agile development, though: heavy-weight processes put the improvements of Agile development at risk. We propose Agile security engineering and increased end-user involvement to improve Agile development with respect to authorization policy development. To support the authorization policy development, we introduce a simple and readable authorization rules language implemented in a Ruby on Rails authorization plugin that is employed in a real-world SME collaboration and workflow application. Also, we report on early findings of the language's use in authorization policy development with domain experts.

Key words: Authorization Policy, Agile Security Engineering, End-User Development, DSL, SME Applications

1 Introduction

When Small and Medium Enterprises (SME) deploy collaboration and workflow applications, the applications need to measure up to the established workflows in terms of efficiency and flexibility. SMEs are often incapable of investing the required resources into tailoring commercial off-the-shelf software to match the established workflows. This is further backed by the observation that it is often the unique selling point of SMEs to implement unconventional processes when compared to competing larger companies. With the advent of recent technological developments in the Web sector, small and focussed custom applications have become affordable for implementing SMEs' specific needs in collaboration and workflow management in SME applications.

One aspect of the development of custom SME applications is implementing authorization. A large amount of research has been invested into the authorization realm resulting e.g. in Role-based Access Control (RBAC, [9, 15, 2]). Specific solutions have been proposed for collaboration and workflow [4, 14, 18, 16] as well as high flexibility [19]. Still, with respect to SME applications, the established approaches are not easily implemented in practice.

Typically, SMEs are organisations of limited complexity, but may still depend on task management and collaboration software. When developing custom