Role-based access control (RBAC) has become the well-known and widely used access control model. However, role engineering is an important process to go through before using RBAC. Role engineering is the process of defining roles and related information as they pertain to the user’s functional use. Role engineering is a critical success factor in implementing RBAC. This study proposes event-driven-based role engineering. An event is a routine task, and activities are triggered by events. Roles are created by many overlapping events. Among the roles, events and activities form many to many relationships. Our approach adopts the relationships to define the roles and assign permissions to them. Furthermore, we integrate the grey relational analysis (GRA) into the proposed model to refine the access control model. The proposed approach is suitable for organizations attempting to achieve refined role-permission planning, no matter whether or not they are using RBAC.