The main advantages of role-based access control (RBAC) are able to support the well-known security principles and roles inheritance. But for there remains a lack of specific definition and the necessary formalization for RBAC, it is hard to realize RBAC in practical work. Our contribution here is to formalize the main relations of RBAC and take first step to propose concepts of action closure and data closure of a role, based on which we got the specification and algorithm for the least privileges of a role. We propose that roles inheritance should consist of inheritance of actions and inheritance of data, and then we got the inheritance of privileges among roles, which can also be supported by existing exploit tools.