Role-based access control is the state-of-the-art mechanism for restricting access to resources. Today, digital content is distributed via CD-ROMS and the Internet with little or no protection. Using widely available public key cryptography, we propose to extend the paradigm of role-based access control to digital content by encapsulating it into secure document containers. Certification authorities can certify that a specific user belongs to certain group and can thus be granted access to systems (i.e. document containers) that do not know who the user actually is. Online distribution of one-time keys can be used to avoid various attacks like replays.