A method and system for registration, authorization, and control of access rights in a computer system. Access rights of subjects on objects in a computer system are controlled using parameterized role types that can be instantiated into role instances equivalent to roles or groups. The required parameters are provided by the subject of the computer system, e.g. by a person, a job position, or an organization unit. Furthermore, relative resource sets are instantiated into concrete resource sets and individual resources by using the same parameter values as for instantiating the role types. Authorization and control of access rights include capability lists providing the access rights of the subjects on the objects of a computer system on a per subject basis. Furthermore, access control lists are derived from capability lists, so that access rights of the subjects on the respective objects are provided.