diff --git a/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php b/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php
new file mode 100644
index 0000000..9180dd2
--- /dev/null
+++ b/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\user\Access\RoleAccessCheck.
+ */
+
+namespace Drupal\user\Access;
+
+use Drupal\Core\Access\AccessCheckInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\Route;
+
+/**
+ * Determines access to routes based on roles defined via hook_permission().
+ */
+class RoleAccessCheck implements AccessCheckInterface {
+
+  /**
+   * Implements AccessCheckInterface::applies().
+   */
+  public function applies(Route $route) {
+    return array_key_exists('_role', $route->getRequirements());
+  }
+
+  /**
+   * Implements AccessCheckInterface::access().
+   */
+  public function access(Route $route, Request $request) {
+    // Requirements just allow strings, so this might be a comma separated list.
+    $rid_string = $route->getRequirement('_role');
+    $rids = array_map('trim', explode(',', $rid_string));
+    // @todo Replace the role check with a correctly injected and session-using
+    //   alternative.
+    $account = $GLOBALS['user'];
+    $roles = array_keys($account->roles);
+
+    $diff = array_diff(array_filter($rids), $roles);
+    if (empty($diff)) {
+      return TRUE;
+    }
+    else {
+      return NULL;
+    }
+  }
+
+}
diff --git a/core/modules/user/lib/Drupal/user/UserBundle.php b/core/modules/user/lib/Drupal/user/UserBundle.php
index f7c4a88..689a20c 100644
--- a/core/modules/user/lib/Drupal/user/UserBundle.php
+++ b/core/modules/user/lib/Drupal/user/UserBundle.php
@@ -24,6 +24,8 @@ public function build(ContainerBuilder $container) {
       ->addTag('access_check');
     $container->register('access_check.user.register', 'Drupal\user\Access\RegisterAccessCheck')
       ->addTag('access_check');
+    $container->register('access_check.user.role', 'Drupal\user\Access\RoleAccessCheck')
+      ->addTag('access_check');
     $container
       ->register('user.data', 'Drupal\user\UserData')
       ->addArgument(new Reference('database'));
diff --git a/core/tests/Drupal/Tests/Core/Route/RouterRoleTest.php b/core/tests/Drupal/Tests/Core/Route/RouterRoleTest.php
new file mode 100644
index 0000000..8b67ec8
--- /dev/null
+++ b/core/tests/Drupal/Tests/Core/Route/RouterRoleTest.php
@@ -0,0 +1,167 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\Tests\Core\Route\RouterRoleTest.
+ */
+
+namespace Drupal\Tests\Core\Route;
+
+use Drupal\Core\DependencyInjection\ContainerBuilder;
+use Drupal\Tests\UnitTestCase;
+use Drupal\user\Access\RoleAccessCheck;
+use Drupal\user\Plugin\Core\Entity\User;
+use Symfony\Component\DependencyInjection\Container;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Routing\Route;
+use Symfony\Component\Routing\RouteCollection;
+
+// Needed because the Entity class calls it.
+if (!defined('LANGUAGE_NOT_SPECIFIED')) {
+  define('LANGUAGE_NOT_SPECIFIED', 'und');
+}
+
+/**
+ * Defines tests for role based access in routes.
+ */
+class RouterRoleTest extends UnitTestCase {
+
+  /**
+   * Stores a list of user objects used in this test.
+   *
+   * @var array
+   */
+  public $accounts = array();
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Router Role tests',
+      'description' => 'Function Tests for the routing role system.',
+      'group' => 'Routing',
+    );
+  }
+
+  /**
+   * Generates the test route collection.
+   *
+   * @return \Symfony\Component\Routing\RouteCollection
+   *   Returns the test route collection.
+   */
+  protected function getTestRouteCollection() {
+    $route_collection = new RouteCollection();
+    $route_collection->add('role_test_1', new Route('/role_test_1',
+      array(
+        '_controller' => '\Drupal\router_test\TestControllers::test1'
+      ),
+      array(
+        '_role' => 'role_test_1',
+      )
+    ));
+    $route_collection->add('role_test_2', new Route('/role_test_2',
+      array(
+        '_controller' => '\Drupal\router_test\TestControllers::test1'
+      ),
+      array(
+        '_role' => 'role_test_2',
+      )
+    ));
+    $route_collection->add('role_test_3', new Route('/role_test_3',
+      array(
+        '_controller' => '\Drupal\router_test\TestControllers::test1'
+      ),
+      array(
+        '_role' => 'role_test_1, role_test_2',
+      )
+    ));
+
+    return $route_collection;
+  }
+
+  /**
+   * Provides data for the role access test.
+   */
+  public function testRoleAccessProvider() {
+    // Setup two different roles used in the test.
+    $rid_1 = 'role_test_1';
+    $rid_2 = 'role_test_2';
+
+    // Setup one user with the first role, one with the second, one with both
+    // and one final without any of these two roles.
+    $this->accounts = array();
+
+    $account_1 = new User(array('uid' => 1), 'user');
+    $account_1->roles[$rid_1] = $rid_1;
+    $this->accounts[] = $account_1;
+
+    $account_2 = new User(array('uid' => 2), 'user');
+    $account_2->roles[$rid_2] = $rid_2;
+    $this->accounts[] = $account_2;
+
+    $account_12 = new User(array('uid' => 3), 'user');
+    $account_12->roles[$rid_1] = $rid_1;
+    $account_12->roles[$rid_2] = $rid_2;
+    $this->accounts[] = $account_12;
+
+    $account_none = new User(array('uid' => 4), 'user');
+    $this->accounts[] = $account_none;
+
+    // Setup expected values; so which path can be access by which user.
+    return array(
+      array('role_test_1', array($account_1, $account_12)),
+      array('role_test_2', array($account_2, $account_12)),
+      array('role_test_3', array($account_12)),
+    );
+  }
+
+  /**
+   * Returns accounts filtered by the passed in accounts.
+   *
+   * @param array $grant_users
+   *   A list of users which should not be part of the result list.
+   *
+   * @return array
+   *   All users which are not granted.
+   */
+  public function accountsToDeny($grant_users) {
+//    return array_diff_assoc($this->accounts, $grant_users);
+    return array_filter($this->accounts, function($account) use ($grant_users) {
+      foreach ($grant_users as $grant_user) {
+        if ($account == $grant_user) {
+          return FALSE;
+        }
+      }
+      return TRUE;
+    });
+  }
+
+  /**
+   * Tests role requirements on routes.
+   *
+   * @dataProvider testRoleAccessProvider
+   */
+  public function testRoleAccess($path, $grant_accounts) {
+    $role_access_check = new RoleAccessCheck();
+    $collection = $this->getTestRouteCollection();
+
+    foreach ($grant_accounts as $account) {
+      // @todo Replace the global user with a properly injection session.
+      $GLOBALS['user'] = $account;
+
+      $subrequest = Request::create($path, 'GET');
+      $message = sprintf('Access granted for user with the roles %s on path: %s', implode(', ', $account->roles), $path);
+      $this->assertTrue($role_access_check->access($collection->get($path), $subrequest), $message);
+    }
+
+    // Check all users which don't have access.
+    foreach ($this->accountsToDeny($grant_accounts) as $account) {
+      $GLOBALS['user'] = $account;
+
+      $subrequest = Request::create($path, 'GET');
+      $message = sprintf('Access denied for user %s with the roles %s on path: %s', $account->id(), implode(', ', $account->roles), $path);
+      $has_access = $role_access_check->access($collection->get($path), $subrequest);
+      $this->assertEmpty($has_access , $message);
+    }
+  }
+
+}