I think access control should move beyond RBAC and be based on a combination of the following:
a) User/Subject
b) User Attributes
c) Roles
d) Action
e) Environment (Including IP Address, Subnet, DateTime)
Ideally, it should be a rules-based framework. The policies/rules should not be embedded within code but should be externalized.
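A worked example, added here and not taken from the post or any product, of the rule-based evaluation described above: policies are data rather than code, and each decision combines subject, attributes, roles, action and environment (IP/subnet and time of day). The policy contents, the attribute names and the deny-overrides combining rule are assumptions made for the example.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample policy set. Rules live in data (here a JSON string; in practice a
# file or a policy service), so they can change without touching application code.
POLICY_JSON = """
[
  {"id": "ops-restart-office-hours", "effect": "permit",
   "roles": ["ops"], "actions": ["service:restart"],
   "subnets": ["10.0.0.0/8"], "hours": [8, 18], "attributes": {"mfa": true}},
  {"id": "deny-contractors-disruptive-actions", "effect": "deny",
   "attributes": {"employment": "contractor"},
   "actions": ["service:restart", "service:stop"]}
]
"""
POLICIES = json.loads(POLICY_JSON)


def make_request(subject, roles, attributes, action, ip, when):
    """Bundle the five inputs the post lists: subject, attributes, roles, action, environment."""
    return {"subject": subject, "roles": set(roles), "attributes": attributes,
            "action": action, "env": {"ip": ip, "time": datetime.fromisoformat(when)}}


def rule_matches(rule, req):
    """A rule applies only if every constraint it states holds; absent keys are unconstrained."""
    if "subjects" in rule and req["subject"] not in rule["subjects"]:
        return False
    if "roles" in rule and not set(rule["roles"]) & req["roles"]:
        return False
    if "actions" in rule and req["action"] not in rule["actions"]:
        return False
    if "subnets" in rule:
        ip = ipaddress.ip_address(req["env"]["ip"])
        if not any(ip in ipaddress.ip_network(s) for s in rule["subnets"]):
            return False
    if "hours" in rule:  # [start, end) window checked against the request hour
        start, end = rule["hours"]
        if not start <= req["env"]["time"].hour < end:
            return False
    return all(req["attributes"].get(k) == v for k, v in rule.get("attributes", {}).items())


def decide(req, policies=POLICIES):
    """Deny-overrides with default deny: a matching deny wins, else a matching permit is required."""
    effects = {r["effect"] for r in policies if rule_matches(r, req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"
```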