Various types of security goals, such as authentication or confidentiality, can be defined as policies for process-aware information systems, typically in a manual fashion. Therefore, we foster a model-driven transformation approach from modelled security goals in the context of process models to concrete security implementations. We argue that specific types of security goals may be expressed in a graphical fashion at the business process modelling level, which in turn can be transformed into corresponding access control and security policies for process-aware information systems, for instance those based on service-oriented architectures. In this paper we present security policy and policy constraint models. These models are projected onto general enterprise models and enterprise business processes in particular. We further discuss the suitability of this approach based on an example process and outline future work in order to derive security policy implementations out of the process mode...