This paper focuses on problems of access control for business processes. The subject of the paper is a specification of the Contextsensitive access control model for business processes (COBAC). In order to efficiently define and enforce access control for different business processes, the COBAC model is based on the RBAC (Role-based Access Control) model which is extended with the following entities: context, business process, activity and resource category. By using a context-sensitive access control it is possible to define more complex access control policies whose implementation by existing access control models for business processes is not possible or is very complicated. The COBAC’s context model can describe rich context information and can be easily extended for specific cases. The introduction of business process and activity entities has facilitated the definition of access control policies for business processes. The categorization of resources enables the definition of access control policies for whole resource categories, and thus, potentially, reduces the number of policies which need to be defined. The COBAC model is applicable in different business information systems, and supports the definition of access control policies for both simple and complex business processes. The model is verified by a case study on a real business process.