A-priori access control techniques allow granting access to a set of predefined agents. In some processes, we cannot define in advance the set of authorized agents because the characteristics of the process instance determine activity assignment. A-posteriori access control allows access to many agents who claim being authorized. It implements an audit process permitting to check the behavior of
... [Show full abstract] the different agents in the system. In this paper, we introduce the concept of a-posteriori access control and we provide an approach allowing modeling an auditable process by using Business Process Management Notation (BPMN). We express audit requirements through text annotations. Finally, we provide an example from the banking context to illustrate an auditable process.