Role based access control (RBAC) is attracting increasing attention as a security mechanism for both commercial and many military systems. Much of RBAC is fundamentally different from multi-level security (MLS) systems, and the properties of RBAC systems have not been explored formally to the extent that MLS system properties have. This paper explores some aspects of mutual exclusion of roles as a means of implementing separation of duty policies, including a safety property for separation of duty; relationships between different types of exclusion rules; properties of mutual exclusion for roles; constraints on the role hierarchy introduced by mutual exclusion rules; and necessary and sufficient conditions for the safety property to hold. Results have implications for implementing separation of duty controls through mutual exclusion of roles, and for comparing mutual exclusion with other means of implementing separation of duty policies.