This document provides an overview of role-based access control (RBAC) and discusses some of its key concepts and challenges. It begins by defining what a role is, noting that a role primarily has business meaning and refers to a job or function with associated authority and responsibility. The document then covers several important RBAC topics, including role engineering, separation of duties, permission drift over time, and metrics for evaluating an RBAC system's efficiency and ability to detect unauthorized access. It emphasizes that RBAC implementation requires an iterative process and references many additional aspects and standards related to RBAC.
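Two of the topics listed above, separation of duties and permission drift, can be made concrete with a small model. The following Python is an added example, not code from the summarized document; the role, user and permission names are constructed, and it implements a static separation-of-duties check plus a comparison of current role definitions against a previously reviewed baseline.

```python
# Constructed sample RBAC model (assumed names, not taken from the summarized document).
# Roles map to the permissions they grant; users map to the roles they hold.
ROLE_PERMISSIONS = {
    "payments_clerk": {"invoice:create", "invoice:read"},
    "payments_approver": {"invoice:approve", "invoice:read"},
    "auditor": {"invoice:read", "audit_log:read"},
}

# Baseline captured at the last access review; used to detect permission drift.
BASELINE_ROLE_PERMISSIONS = {
    "payments_clerk": {"invoice:create", "invoice:read", "invoice:delete"},
    "payments_approver": {"invoice:approve", "invoice:read"},
    "auditor": {"audit_log:read"},
}

# Static separation-of-duties constraint: no single user may hold both roles,
# so the person who creates an invoice can never also approve it.
SOD_CONSTRAINTS = [("payments_clerk", "payments_approver")]

USER_ROLES = {
    "alice": {"payments_clerk"},
    "bob": {"payments_approver"},
    "carol": {"payments_clerk", "payments_approver"},  # constructed SoD violation
}


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations():
    """Return (user, role_a, role_b) for every user holding a mutually exclusive pair."""
    return sorted(
        (user, a, b)
        for user, roles in USER_ROLES.items()
        for a, b in SOD_CONSTRAINTS
        if a in roles and b in roles
    )


def permission_drift(baseline, current):
    """Report, per role, permissions added to or removed from the reviewed baseline."""
    drift = {}
    for role in sorted(set(baseline) | set(current)):
        added = current.get(role, set()) - baseline.get(role, set())
        removed = baseline.get(role, set()) - current.get(role, set())
        if added or removed:
            drift[role] = {"added": sorted(added), "removed": sorted(removed)}
    return drift
```

Both functions return data rather than printing it, so the same checks can be run on every review cycle and fed into the efficiency and unauthorized-access metrics the document describes.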