Security is a key requirement in multi-user hypermedia systems, where the ability of different users to access and manipulate the information depend on their needs and responsibilities. If security policies are specified in terms of individual users and low-level abstractions not related to the hypermedia domain, security administration becomes complex and prone to error. This paper describes how an RBAC (Role Based Access Control) module is integrated into a web server that is treated as a hypermedia system instead of as a set of files, programs and network protocols. This implies the definition of a set of hypermedia related operations that authorised roles can execute on the system objects.