An application subsystem can use role-based access control (RBAC) to control user capabilities through roles. An application subsystem (or REALM) is defined through the Security Center Applications Roles Management node, and is populated with application-specific roles and permissions. A permission defines a capability specific to the application subsystem. A role defines a collection of permissions; a permission may be assigned to more than one role. A role is populated with users. If a user has been added to a role, a user or process running under a usercode can be assigned to the role. An application can inquire whether a process has a specific permission. Realms, roles, and permissions are application-defined identifiers.
For more information on role-based access control, refer to the Security Software Developers Kit (SDK), which contains sample programs, and the Security Center Help, which describes the Security Center administration interface.
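
The realm, role, permission and inquiry relationships described above, as an added Python example that is not Security Center or SDK code. The class, its methods and all realm, role, permission and usercode names are hypothetical, and it assumes a process can be assigned to a role only when its usercode has already been added to that role.

```python
"""Hypothetical model of a realm; not the Security Center or SDK API."""


class Realm:
    def __init__(self, name):
        self.name = name
        self.role_permissions = {}  # role -> permissions collected by the role
        self.role_members = {}      # role -> usercodes added to the role
        self.assignments = {}       # process id -> roles assigned to the process

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)
        self.role_members.setdefault(role, set())

    def add_user(self, role, usercode):
        self.role_members[role].add(usercode)

    def assign(self, process_id, usercode, role):
        """Assign a process to a role; its usercode must already be a member."""
        if usercode not in self.role_members.get(role, set()):
            raise PermissionError(f"{usercode} is not in role {role} of {self.name}")
        self.assignments.setdefault(process_id, set()).add(role)

    def has_permission(self, process_id, permission):
        """The application's inquiry: deny unless an assigned role grants it."""
        roles = self.assignments.get(process_id, set())
        return any(permission in self.role_permissions[r] for r in roles)


def demo():
    # Constructed sample data: every identifier below is invented for illustration.
    realm = Realm("PAYROLL")
    realm.define_role("CLERK", {"VIEW_RECORD"})
    # VIEW_RECORD belongs to two roles: a permission may be assigned to more than one.
    realm.define_role("SUPERVISOR", {"VIEW_RECORD", "APPROVE_PAYMENT"})
    realm.add_user("CLERK", "ALICE")
    realm.add_user("SUPERVISOR", "BOB")
    realm.assign(101, "ALICE", "CLERK")
    realm.assign(102, "BOB", "SUPERVISOR")
    try:
        realm.assign(103, "ALICE", "SUPERVISOR")  # ALICE was never added to SUPERVISOR
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "clerk_view": realm.has_permission(101, "VIEW_RECORD"),
        "clerk_approve": realm.has_permission(101, "APPROVE_PAYMENT"),
        "supervisor_approve": realm.has_permission(102, "APPROVE_PAYMENT"),
        "unassigned_process": realm.has_permission(103, "VIEW_RECORD"),
        "non_member_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The inquiry is deny-by-default: a process with no role assignment, or one whose assigned roles do not include the permission, gets a negative answer.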

