Abstract: Current access control methods of business process can not meet the practical requirements of business process management(BPM).In order to solve this problem,disadvantages of the access control methods including role-based access control(RBAC) and task-based access control(TBAC) are analyzed.Then,an organization and role semantic based access control(OR-SBAC) model and method are proposed,its model along with the formal description of its components is presented,and an application example is given.The OR-SBAC method provides further classification of the roles and the controlled subjects,utilizes organizational structure to describe the relationship between user and role,fulfills authorization through role adapter by illation based on role semantics,and considers contexts of time and space.The strong description ability and high authorization efficiency of the OR-SBAC method meets the requirements of complexity,variety and flexibility in BPM.