There is not specific whitepaper that call this out specifically. However most of this is in the documentation 

http://help.k2.com/en/K2blackpearlGettingStarted4.6.aspx?page=After_K2_Environment_Security.html

Things you dont find in there please let us know and we can work to make sure we call the out specifically.  

That doesn't give me a whole lot..

I found some more explaination here : http://help.k2.com/helppages/k2blackpearlUserGuide4.6/Reference-WS_MCon-Workflow-Processes_ProcessRights.html 

But I don't understand why I have to grant server admin rights to someone who will be a process admin.

"The user requires Server Admin and Export rights in order to have Process Admin rights"

Is there a best practice document on security? Surely you don't expect me to grant everyone "server admin" rights if I want them to be able to create SharePoint designer processes...

Maybe I'm attacking my question from the wrong angle..

What rights are needed for the following:

1) Create processes in SharePoint Designer

2) Create a Process Portal

3) Change a Process Portal (settings... to select which processes are in the portal)

4) Create processes in K2 Studio

5) Create Smart Objects (does this affect #1 above?)