In this model the resource owner creates an access control rule at the resource, i.e. a sticky policy, that authorizes anyone holding a given role to access the resource.
The ability to assign access to a role can be regulated by policies that are checked by the sticky policy interface, e.g. by consulting a PDP.
The assignment of a role to a delegatee is performed by a role authority outside the control of the resource owner (but still accountable through TAS3 oversight). The role assignment is usually performed using a special Sharing GUI that the role authority accesses; his authoritativeness is checked by a separate access control policy that verifies he is a role authority. The role authority needs to identify the delegatee and then assign the role.
The role is stored in the delegatee's role repository, which can be his Attribute Provider.
When the delegatee accesses the resource, he identifies himself using the usual token passing flow, see Section 3.2, and the PDP is able to retrieve his role and match it to the sticky policy authorizing the access. The role may be retrieved through a push model (the role attribute travels with the token) or a pull model (the PDP queries the delegatee's Attribute Provider).
In its basic form RBAC allows any role holder access to any resource that accepts the role; the identity of the role holder is irrelevant, which permits the use of pseudonyms or transient identifiers that improve privacy.
However, the fact that a basic role is not constrained to any particular resource is a problem. This could be solved by having as many roles as there are resources, but this would lead to a combinatorial explosion in the number of roles and quickly become unworkable. Also, the role identifier itself could become a correlation handle across the resources of a user.
A way to constrain a role is to parametrize it. A parametrized role has a main part that specifies the role proper and a parameter that specifies the resource to which the role applies. Since a parametrized role identifier has the properties of a unique identifier, it is highly liable to become a correlation handle.
This approach adds flexibility, but still suffers from the need to have an exposed policy editing interface and, to some degree, from the problem of identifying the delegatee and the resource. In the parametrized variant any privacy protection is quickly lost.
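The flow of this section (sticky policy at the resource, role assignment by a role authority into the delegatee's Attribute Provider, PDP matching of a pushed or pulled role against the policy) together with the parametrized-role constraint and its correlation problem, as an added Python example that is not TAS3 code. The PDP, the role-authority allow-list, the resource ids, role names and transient identifiers are all constructed assumptions, and the anonymity-set count in correlation_handles is one way to make the linkability argument concrete rather than a TAS3 mechanism:

```python
"""Added illustration, not TAS3 project code: a toy PDP evaluating sticky policies
that grant access by role, with roles held by the delegatee's Attribute Provider and
retrieved in the push or pull model, for plain and resource-parametrized roles.
Every identifier (resource ids, role names, pseudonyms, allow-list) is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Role:
    """Role proper plus an optional parameter naming the resource it applies to."""
    name: str
    parameter: Optional[str] = None

    def identifier(self) -> str:
        # The string that travels in tokens and shows up in logs.
        return self.name if self.parameter is None else f"{self.name}@{self.parameter}"

@dataclass(frozen=True)
class StickyPolicy:
    """Rule the owner attaches to the resource: the roles it accepts."""
    resource_id: str
    accepted_roles: frozenset

class AttributeProvider:
    """The delegatee's role repository, keyed by persistent identifier."""
    def __init__(self) -> None:
        self._roles: Dict[str, Set[Role]] = {}

    def store(self, delegatee: str, role: Role) -> None:
        self._roles.setdefault(delegatee, set()).add(role)

    def roles_of(self, delegatee: str) -> frozenset:
        return frozenset(self._roles.get(delegatee, set()))

    def holders_of(self, role: Role) -> int:
        # Size of the anonymity set behind a role identifier.
        return sum(role in held for held in self._roles.values())

class RoleAuthority:
    """Assignment path (the Sharing GUI in the text); a separate policy, here a
    constructed allow-list, verifies that the caller really is a role authority."""
    def __init__(self, ap: AttributeProvider, authorised: Set[str]) -> None:
        self.ap, self.authorised = ap, set(authorised)

    def assign(self, caller: str, delegatee: str, role: Role) -> None:
        if caller not in self.authorised:
            raise PermissionError(f"{caller} is not a role authority")
        self.ap.store(delegatee, role)

@dataclass(frozen=True)
class Token:
    """Possibly transient subject id, optional persistent id to pull with, pushed roles."""
    subject: str
    persistent_id: Optional[str] = None
    pushed_roles: frozenset = frozenset()

class PDP:
    def __init__(self, ap: AttributeProvider) -> None:
        self.ap = ap

    def decide(self, token: Token, policy: StickyPolicy) -> str:
        roles = token.pushed_roles                                # push model
        if not roles and token.persistent_id is not None:
            roles = self.ap.roles_of(token.persistent_id)         # pull model
        # Exact match: a parametrized role satisfies only a rule naming the same resource.
        return "Permit" if roles & policy.accepted_roles else "Deny"

def correlation_handles(log: List[Tuple[str, Role]], ap: AttributeProvider, k: int = 2):
    """Role identifiers linking log entries despite transient subject ids (held by < k)."""
    linked: Dict[str, List[str]] = {}
    for subject, role in log:
        if ap.holders_of(role) < k:
            linked.setdefault(role.identifier(), []).append(subject)
    return {rid: subs for rid, subs in linked.items() if len(subs) > 1}

def demo() -> dict:
    ap = AttributeProvider()
    authority = RoleAuthority(ap, authorised={"ra-hospital"})
    authority.assign("ra-hospital", "alice", Role("doctor"))
    authority.assign("ra-hospital", "bob", Role("doctor"))
    authority.assign("ra-hospital", "alice", Role("editor", "cv-42"))
    try:
        authority.assign("mallory", "mallory", Role("doctor"))
        rejected = False
    except PermissionError:
        rejected = True
    pdp = PDP(ap)
    cv42 = StickyPolicy("cv-42", frozenset({Role("doctor"), Role("editor", "cv-42")}))
    cv77 = StickyPolicy("cv-77", frozenset({Role("doctor"), Role("editor", "cv-77")}))
    editor42 = frozenset({Role("editor", "cv-42")})
    results = {
        "unauthorised_assignment_rejected": rejected,
        # Plain role pulled from the AP: permitted at any resource accepting it.
        "pull_doctor_at_cv77": pdp.decide(Token("tx-1", persistent_id="bob"), cv77),
        # Parametrized role pushed in the token: only at the resource it names.
        "push_editor42_at_cv42": pdp.decide(Token("tx-2", pushed_roles=editor42), cv42),
        "push_editor42_at_cv77": pdp.decide(Token("tx-3", pushed_roles=editor42), cv77),
        "transient_without_roles": pdp.decide(Token("tx-4"), cv42),
    }
    # Constructed access log: transient subject ids, role identifiers in clear.
    log = [("tx-2", Role("editor", "cv-42")), ("tx-5", Role("editor", "cv-42")),
           ("tx-1", Role("doctor")), ("tx-6", Role("doctor"))]
    results["handles"] = correlation_handles(log, ap)
    return results
```

Running demo() shows the plain doctor role permitted at cv-77 through pull, the editor@cv-42 role permitted at cv-42 but denied at cv-77, an unauthorised caller rejected before any role is stored, and the editor@cv-42 identifier linking two accesses made under different transient ids because a single delegatee holds it, whereas doctor, held by two delegatees, links nothing at k = 2.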