Thomas Riechmann, Franz J. Hauck: Meta Objects for Access Control: A Formal Model for Role-Based Principals

Abstract.

Object-based programming is becoming more and more popular and is currently conquering the world of distributed programming models. In object-based systems access control is often based on capabilities, despite the difficulty of keeping track of their distribution. Access control lists are used only rarely, as information about the principal on whose behalf an operation is to be executed is needed and it is difficult to determine which principal information to use for a specific method invocation. Current object-based systems use domain-based or thread-based principals. Domains or threads are associated with principals. If a specific object or a specific thread invokes a method, the invocation is always executed on that principal's behalf. Both policies suffer from the reference proxy problem: A low privileged object can pass references to a highly privileged object and may induce it to call methods with its high privileges via these obtained references (Unix S-bit problem). As there are no formal models for such systems, we cannot decide whether such a situation actually occurs. On the other hand, most mandatory access control policies (for which formal models exist) are too restrictive for many applications. In this paper, we introduce role-based principals. An object domain may act in different roles towards different other parties. Each object reference to objects of other domains is associated with a specific role, which determines trust, authentication (i.e., which principal information to use) and the allowed data flow via the reference. Exchanged references automatically inherit the role. By initially defining such roles, we can establish a security policy at a very high level of abstraction. We provide a formal model and present two examples, where we show that we can prove that accidental propagation of references and unintentional use of privileges are prevented.
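As an added illustration (not from the paper, which gives a formal model rather than code), the following toy Python model shows the reference proxy problem under domain-based principals and how a reference that carries a role, and is inherited by references exchanged through it, blocks it; the domain names, the ACL and the `Ref` structure are constructed assumptions.

```python
"""Toy model: domain-based vs. role-based principals (constructed example)."""
from dataclasses import dataclass

# Constructed ACL: object name -> principals allowed to invoke it.
# Only the high-privileged "service" domain may touch "secret_file".
ACL = {"secret_file": {"service"}, "user_obj": {"user", "service"}}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Ref:
    target: str  # object the reference points at
    role: str    # role (principal) under which calls via this reference run


def invoke_domain_based(caller_domain: str, ref: Ref) -> str:
    """Domain-based principals: every call runs as the invoking domain."""
    if caller_domain not in ACL[ref.target]:
        raise AccessDenied(f"{caller_domain} may not invoke {ref.target}")
    return f"{ref.target} invoked as {caller_domain}"


def invoke_role_based(ref: Ref) -> str:
    """Role-based principals: the call runs as the role bound to the reference."""
    if ref.role not in ACL[ref.target]:
        raise AccessDenied(f"role {ref.role} may not invoke {ref.target}")
    return f"{ref.target} invoked as {ref.role}"


def pass_reference(via: Ref, passed: Ref) -> Ref:
    """A reference received via `via` inherits the role of `via`."""
    return Ref(passed.target, via.role)


def proxy_scenario(policy: str) -> bool:
    """True if the low-privileged 'user' domain reaches secret_file through the
    high-privileged 'service' domain (the reference proxy problem occurred)."""
    user_ref = Ref("secret_file", role="user")       # what the user hands over
    service_to_user = Ref("user_obj", role="user")   # service's ref to the user
    try:
        if policy == "domain":
            invoke_domain_based("service", user_ref)  # service's own privileges
        else:
            invoke_role_based(pass_reference(service_to_user, user_ref))
        return True
    except AccessDenied:
        return False
```

Under the domain-based policy the service's own privileges are applied to a reference it did not own, while under the role-based policy the passed reference keeps the user's role and the invocation is denied.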