This study--prepared for the NIST Program Office by RTI International--is a retrospective economic impact analysis of role-based access control (RBAC), one of the principal approaches for managing users' access to information technology resources. RBAC is arguably the most important innovation in identity and access management since discretionary and mandatory access control. It is the principle of controlling access entirely through "roles" created in the system that align to job functions (such as bank teller), assigning permissions to those roles, and then assigning those roles to employees, rather than using access control lists (ACLs) that assign permissions directly to users on an as-needed basis. A 2002 study completed by RTI International forecasted that RBAC could save U.S. organizations hundreds of millions of dollars per year.