Modern enterprise systems support Role-Based Access Control (RBAC). Although RBAC allows restricting access to privileged operations, an administrator may still intend to restrict access to privileged data. We present a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy, and for inferring whether an operation-based RBAC policy is equivalent to any data-based policy. Furthermore, we introduce a theoretical model to describe the flows of authorization information in RBAC systems, and present a static analysis to identify role requirements, inconsistencies caused by principal delegation, redundant or insufficient roles, and vulnerabilities resulting from intra-component accesses, in which authorization is typically not enforced. The algorithms presented have been implemented and have been used to identify security problems in production-level code.