Constraints are an essential aspect of role-based access control (RBAC) and are sometimes argued to be the principal motivation for RBAC. However, most role mining algorithms do not consider constraints. Furthermore, they only compare the least cost of the authorization process and do not consider how to assess the accuracy of the derived role state, which provides the motivation for this work. In this paper, we first define a wide variety of constraints, especially the permission cardinality constraint and the user cardinality constraint. We further propose a role mining algorithm that generates roles based on these two kinds of cardinality constraints and that considers the similarity between roles when merging them, in order to improve the accuracy of the role state at the same time. Finally, we carry out experiments to evaluate our approach. The experimental results demonstrate the effectiveness of our proposed algorithm. Copyright © 2014 John Wiley & Sons, Ltd.