This paper proposes a model for access control within object-oriented systems. The model is based on RBAC (role-based access control) and is called DRBAC (dynamic RBAC). Although RBAC is powerful in access control, the original design of RBAC required that user-role assignments and role-permission assignments should be handled statically (i.e., the assignments should be handled by human beings). Nevertheless, the following dynamic features are necessary in access control within a software system: (a) managing dynamic role switching, (b) avoiding Trojan horses, (c) managing role associations, and (d) handling dynamic role creation and deletion. DRBAC offers the dynamic features. This paper proposes DRBAC.