Role-based security architecture that facilitates delegated role assignments where role functionality is monotonically decreasing. In furtherance thereof decreasing monotonicity roles are arranged in a hierarchy. Moreover, delegated roles can be obtained by creating a derived role (from a parent role) and removing entries from the derived role to decrease the permissions for the derived role. Delegated role assignments are scoped (bounded), which automatically applies a given scope to the assignment created by the user receiving the delegation.