Role Based Access Control (RBAC) - This reduces the complexity and cost of security administration in large networked applications by grouping accesses into functional roles. A role is a common purpose shared by a group of users. Within an organization, roles are created for various job functions, usually based on attributes (static job role or dynamic functional role) that are the by-product of normal business. For example, a role might be Bank Teller or Manager. Permissions to perform certain operations are assigned to specific roles. Management of individual user rights becomes a simple matter of assigning the appropriate roles to the user. Identities are assigned particular roles, and thus acquire the permissions to perform particular application functions. An identity can have multiple roles; a role can have multiple identities; a role can have many permissions; a permission can be assigned to many roles. RBAC reduces the complexity and cost of security administration by grouping accesses into separable functional roles and discretionary rights. ANSI/INCITS 359-2004 is the fundamental RBAC standard and XACML is the access-control mark-up language standard.

Roles are actually pre-packaged resources and services. If the role names (or descriptions) are based on one or more attributes directly related to the roles of an identity (e.g. a position title, location, function), this enables dynamic role provisioning as a by-product of existing business processes - for example, day-1 provisioning of a new employee. If a role is not based on identity attributes, it is a static role that is provisioned on a discretionary basis (i.e. an identity must request it on day-2).
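
The identity/role/permission relationships and the dynamic versus static provisioning described above can be modelled in a few lines. This is an added example, not code from any RBAC standard or product; the role names, permission strings, attribute rules and the `approved_by` workflow are assumptions constructed for illustration. In this sketch dynamic roles are recomputed from attributes on every check, so they follow a change of position title, while static roles stay until someone removes them.

```python
from dataclasses import dataclass, field

# Constructed sample data: role -> permissions (a permission may sit in many roles).
ROLE_PERMISSIONS = {
    "bank_teller": {"account:read", "cash:deposit", "cash:withdraw"},
    "manager": {"account:read", "loan:approve"},
    "vault_access": {"vault:open"},  # static role: not tied to any attribute
}

# Dynamic roles are derived from identity attributes (hypothetical rules).
DYNAMIC_RULES = [
    ({"title": "Teller"}, "bank_teller"),
    ({"title": "Branch Manager"}, "manager"),
    ({"title": "Branch Manager"}, "bank_teller"),
]

@dataclass
class Identity:
    name: str
    attributes: dict
    static_roles: set = field(default_factory=set)  # discretionary, day-2

def dynamic_roles(identity):
    """Roles implied by the identity's current attributes (day-1 provisioning)."""
    return {role for required, role in DYNAMIC_RULES
            if all(identity.attributes.get(k) == v for k, v in required.items())}

def effective_roles(identity):
    """Dynamic roles plus static roles that are actually defined in the model."""
    known_static = {r for r in identity.static_roles if r in ROLE_PERMISSIONS}
    return dynamic_roles(identity) | known_static

def is_permitted(identity, permission):
    """Default deny: allowed only if some effective role carries the permission."""
    return any(permission in ROLE_PERMISSIONS[r] for r in effective_roles(identity))

def grant_static_role(identity, role, approved_by):
    """Day-2 request: a static role needs an explicit approver (assumed workflow)."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if not approved_by:
        raise PermissionError("static roles require an approver")
    identity.static_roles.add(role)
```

Because static roles survive attribute changes in this model, they are the ones that need periodic review.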