This work serves as an introduction to a large and important area of ongoing research. In this section we point at some interesting avenues for further work and research.
We believe that the object-oriented framework architecture we have
presented has several interesting properties. However, the framework
needs further elaboration. The design of the centralized context
manager object in particular needs careful consideration as any
vulnerability here would have far reaching consequences.
Issues such as safeguards and interfaces must be addressed, as
must 
also performance and real-time properties.
RBAC is intuitively appealing and certainly has an important future. There already exists the means for introducing RBAC into distributed systems. In fact, as RBAC is mainly a way of expressing access control policies, enforcing mechanisms remain about the same regardless of whether RBAC is used in a system or not.
There are, however, many other aspects of RBAC that we believe are important and that are not yet fully understood. We see that more work needs to be done on the representation of roles and role-based access control policies. This, for instance, involves issues such as hierarchies and inheritance. We also envision the need for a formal description framework inside which it is possible to model authorizations as well as various constraints. Ideally, it should be possible to use such a representation to verify a model instance, for instance to assure that it is free from conflicting rules. Another interesting application would be to be able to study the ramifications of proposed changes before they are carried out.
Another area of research that is important for the future spread and proliferation of RBAC is how RBAC can be efficiently deployed. For instance, we see the need for a number of efficient RBAC administrative tools for creating and managing the role structure itself, as well as for managing assignment of users and privileges to roles.
Here research is needed to see if it is possible to some extent to automatize the process of translating high-level access control policies into tangible rules expressed in terms of roles and resources.