One of the main design challenges of any Web-based Emergency Management Information System (WEMIS) is the diversity of users and responsibilities to be considered. Modelling the access capabilities of different communities of users is a most relevant concern for which the RBAC (Role-Based Access Control) paradigm provides flexible and powerful constructs. In this paper we describe how we used an RBAC model-based approach to specify at different levels of abstraction the access policy of a specific WEMIS called ARCE (�Aplicaci�n en Red para Casos de Emergencia�). This approach made possible to face access modelling at earlier development stages, so that stakeholders got involved in analytical and empirical evaluations to test the correctness and completeness of the access policy. Moreover, since the RBAC meta-model is embedded into a web engineering method, we put in practice a holistic process addressing different design perspectives in an integrated way.