Business process management is designed to make business activity coordination easier and more cost effective. WS-BPEL and the BPEL4People extension together coordinate the web services and human activities within a business process. However, increasing business integration and legal requirements raise the need for secure business processes. The open and distributed nature of inter-organisational business processes may result in more security breaches. Existing standards do not provide any support for business process security protection, even if the participating organisations already have a working security policy. To address this problem, we extend the traditional RBAC model to bring access control capability into the business process environment. An extension for WS-BPEL is also developed to represent the authorisation information in a formal manner.