Springer, Lecture Notes in Computer Science, p. 358-369, 2005
DOI: 10.1007/11506157_30
Role Based Access Control (RBAC) [6] is a popular approach to specifying and enforcing security policies in organizations. In RBAC, users are not assigned permissions directly but through roles, which act as intermediaries. Role activation is an important component of RBAC: a user may activate a subset of his/her assigned roles to exercise the associated permissions. This paper proposes a number of ways in which role activation constraints can be specified and enforced in the enterprise environment. An access control model and an authorization process are also proposed to support the specification and enforcement of dynamic separation of duty constraints in a decentralized manner. © Springer-Verlag Berlin Heidelberg 2005.