core/lib/Drupal/Core/Access/AccessManager.php      | 42 ++++++-----------
 core/lib/Drupal/Core/Access/CsrfAccessCheck.php    | 13 ++++--
 core/lib/Drupal/Core/Access/CustomAccessCheck.php  | 16 +++++--
 core/lib/Drupal/Core/Access/DefaultAccessCheck.php | 15 +++++--
 .../Core/Cache/CacheabilityAffectorInterface.php   | 52 ++++++++++++++++++++++
 core/lib/Drupal/Core/Entity/EntityAccessCheck.php  | 16 +++++--
 .../Drupal/Core/Entity/EntityCreateAccessCheck.php | 15 +++++--
 core/lib/Drupal/Core/Routing/Access/AccessBase.php | 52 ++++++++++++++++++++++
 .../Drupal/Core/Routing/Access/AccessInterface.php | 18 +++-----
 core/lib/Drupal/Core/Theme/ThemeAccessCheck.php    | 15 +++++--
 .../src/Access/BookNodeIsRemovableAccessCheck.php  | 16 +++++--
 .../src/Access/ConfigTranslationFormAccess.php     | 12 ++++-
 .../src/Access/ConfigTranslationOverviewAccess.php | 16 +++++--
 .../contact/src/Access/ContactPageAccess.php       | 16 +++++--
 .../Access/ContentTranslationManageAccessCheck.php | 16 +++++--
 .../Access/ContentTranslationOverviewAccess.php    | 16 +++++--
 .../field_ui/src/Access/FormModeAccessCheck.php    | 15 +++++--
 .../field_ui/src/Access/ViewModeAccessCheck.php    | 19 ++++++--
 core/modules/menu_link/src/MenuTree.php            | 23 +++++++---
 .../modules/node/src/Access/NodeAddAccessCheck.php | 15 +++++--
 .../node/src/Access/NodeRevisionAccessCheck.php    | 16 +++++--
 .../quickedit/src/Access/EditEntityAccessCheck.php | 16 +++++--
 .../src/Access/EditEntityFieldAccessCheck.php      | 16 +++++--
 core/modules/rest/src/Access/CSRFAccessCheck.php   | 13 ++++--
 .../src/Access/ShortcutSetSwitchAccessCheck.php    | 15 +++++--
 core/modules/system/src/Access/CronAccessCheck.php | 16 +++++--
 .../src/Access/DefinedTestAccessCheck.php          | 20 ++++++++-
 .../src/Access/TestAccessCheck.php                 | 21 ++++++++-
 .../src/Access/ViewOwnTrackerAccessCheck.php       | 15 +++++--
 .../update/src/Access/UpdateManagerAccessCheck.php | 16 +++++--
 core/modules/user/src/Access/LoginStatusCheck.php  | 13 ++++--
 .../user/src/Access/PermissionAccessCheck.php      | 13 ++++--
 .../user/src/Access/RegisterAccessCheck.php        | 13 ++++--
 core/modules/user/src/Access/RoleAccessCheck.php   | 13 ++++--
 core/modules/views/src/ViewsAccessCheck.php        | 12 ++++-
 35 files changed, 508 insertions(+), 138 deletions(-)

diff --git a/core/lib/Drupal/Core/Access/AccessManager.php b/core/lib/Drupal/Core/Access/AccessManager.php
index e5e4c44..74c87b8 100644
--- a/core/lib/Drupal/Core/Access/AccessManager.php
+++ b/core/lib/Drupal/Core/Access/AccessManager.php
@@ -236,44 +236,28 @@ public function checkNamedRoute($route_name, array $parameters = array(), Accoun
     }
   }
 
-  public function getRoleCacheableAccessChecks() {
-    $role_cacheable_checks = array();
+  /**
+   * Returns all available access checks that are cacheable.
+   *
+   * @return array
+   *   An array with the keys being the cacheable access check service IDs and
+   *   the values being the corresponding cache contexts that they must be
+   *   varied by.
+   */
+  public function getCacheableAccessChecks() {
+    $cacheable_checks = array();
 
     foreach ($this->checkIds as $service_id) {
       if (empty($this->checks[$service_id])) {
         $this->loadCheck($service_id);
       }
 
-      if ($this->checks[$service_id]->isCacheablePerRole()) {
-        $role_cacheable_checks[] = $service_id;
+      if ($this->checks[$service_id]->isCacheable()) {
+        $cacheable_checks[$service_id] = $this->checks[$service_id]->getCacheContexts();
       }
     }
 
-    return $role_cacheable_checks;
-  }
-
-  public function getAccessCacheability($route_name, array $parameters = array()) {
-    try {
-      $route = $this->routeProvider->getRouteByName($route_name, $parameters);
-      $checks = $route->getOption('_access_checks') ?: array();
-
-      foreach ($checks as $service_id) {
-        if (empty($this->checks[$service_id])) {
-          $this->loadCheck($service_id);
-        }
-
-        $check = $this->checks[$service_id];
-        if (!$check->isCacheable()) {
-          return FALSE;
-        }
-        else {
-
-        }
-      }
-    }
-    catch (RouteNotFoundException $e) {
-      return FALSE;
-    }
+    return $cacheable_checks;
   }
 
   /**
diff --git a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
index 14f30dc..0b8e13f 100644
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -7,7 +7,7 @@
 
 namespace Drupal\Core\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface as RoutingAccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -18,7 +18,7 @@
  * a token generated by \Drupal::csrfToken()->get() using the same value as the
  * "_csrf_token" parameter in the route.
  */
-class CsrfAccessCheck implements RoutingAccessInterface {
+class CsrfAccessCheck extends AccessBase {
 
   /**
    * The CSRF token generator.
@@ -71,8 +71,15 @@ public function access(Route $route, Request $request) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/lib/Drupal/Core/Access/CustomAccessCheck.php b/core/lib/Drupal/Core/Access/CustomAccessCheck.php
index 269e0d9..55542f7 100644
--- a/core/lib/Drupal/Core/Access/CustomAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CustomAccessCheck.php
@@ -8,7 +8,7 @@
 namespace Drupal\Core\Access;
 
 use Drupal\Core\Controller\ControllerResolverInterface;
-use Drupal\Core\Routing\Access\AccessInterface as RoutingAccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Route;
@@ -23,7 +23,7 @@
  * cannot reuse any stored property of your actual controller instance used
  * to generate the output.
  */
-class CustomAccessCheck implements RoutingAccessInterface {
+class CustomAccessCheck extends AccessBase {
 
   /**
    * The controller resolver.
@@ -73,9 +73,19 @@ public function access(Route $route, Request $request, AccountInterface $account
 
   /**
    * {@inheritdoc}
+   *
+   * @todo consider removing this access check, because it's impossible to
+   *       collect cache tags and contexts for.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/lib/Drupal/Core/Access/DefaultAccessCheck.php b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php
index ad0e748..25e045f 100644
--- a/core/lib/Drupal/Core/Access/DefaultAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php
@@ -7,13 +7,13 @@
 
 namespace Drupal\Core\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface as RoutingAccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Symfony\Component\Routing\Route;
 
 /**
  * Allows access to routes to be controlled by an '_access' boolean parameter.
  */
-class DefaultAccessCheck implements RoutingAccessInterface {
+class DefaultAccessCheck extends AccessBase {
 
   /**
    * Checks access to the route based on the _access parameter.
@@ -39,8 +39,17 @@ public function access(Route $route) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   *
+   * This is globally cacheable.
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/lib/Drupal/Core/Cache/CacheabilityAffectorInterface.php b/core/lib/Drupal/Core/Cache/CacheabilityAffectorInterface.php
new file mode 100644
index 0000000..093d278
--- /dev/null
+++ b/core/lib/Drupal/Core/Cache/CacheabilityAffectorInterface.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * @file
+ * Contains \Drupal\Core\CacheabilityAffectorInterface.
+ */
+
+namespace Drupal\Core\Cache;
+
+/**
+ * Defines an interface for an object affecting the cacheability of its parents.
+ *
+ * @ingroup cache
+ */
+interface CacheabilityAffectorInterface {
+
+  /**
+   * Returns the cache tags that this and any parent should be associated with.
+   *
+   * @return array
+   *  An array of cache tags.
+   */
+  public function getCacheTags();
+
+  /**
+   * Indicates whether this object is cacheable.
+   *
+   * @return bool
+   *   Returns TRUE if the object is cacheable, FALSE otherwise.
+   */
+  public function isCacheable();
+
+  /**
+   * Returns the cache contexts that this and any parent should be varied by.
+   *
+   * Only relevant when this is object is cacheable.
+   *
+   * @return array
+   *   An array of cache context IDs.
+   */
+  public function getCacheContexts();
+
+  /**
+   * Returns the maximum age that this and any parent may be cached.
+   *
+   * Only relevant when this is object is cacheable.
+   *
+   * @return int
+   *   The maximum time in seconds that this object may be cached.
+   */
+  public function getCacheMaxAge();
+
+}
diff --git a/core/lib/Drupal/Core/Entity/EntityAccessCheck.php b/core/lib/Drupal/Core/Entity/EntityAccessCheck.php
index 6c420cf..4ecaceb 100644
--- a/core/lib/Drupal/Core/Entity/EntityAccessCheck.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessCheck.php
@@ -7,7 +7,7 @@
 
 namespace Drupal\Core\Entity;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\HttpFoundation\Request;
@@ -15,7 +15,7 @@
 /**
  * Provides a generic access checker for entities.
  */
-class EntityAccessCheck implements AccessInterface {
+class EntityAccessCheck extends AccessBase {
 
   /**
    * Checks access to the entity operation on the given route.
@@ -58,9 +58,19 @@ public function access(Route $route, Request $request, AccountInterface $account
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being accessed.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php b/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php
index 83d9063..fabb013 100644
--- a/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php
+++ b/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php
@@ -7,7 +7,7 @@
 
 namespace Drupal\Core\Entity;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Route;
@@ -15,7 +15,7 @@
 /**
  * Defines an access checker for entity creation.
  */
-class EntityCreateAccessCheck implements AccessInterface {
+class EntityCreateAccessCheck extends AccessBase {
 
   /**
    * The entity manager.
@@ -75,8 +75,15 @@ public function access(Route $route, Request $request, AccountInterface $account
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
-    return FALSE;
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user');
   }
 
 }
diff --git a/core/lib/Drupal/Core/Routing/Access/AccessBase.php b/core/lib/Drupal/Core/Routing/Access/AccessBase.php
new file mode 100644
index 0000000..1dc3e30
--- /dev/null
+++ b/core/lib/Drupal/Core/Routing/Access/AccessBase.php
@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\Core\Routing\Access\AccessBase.
+ */
+
+namespace Drupal\Core\Routing\Access;
+
+use Drupal\Core\Cache\Cache;
+
+/**
+ * Defines a base implementation of a route access checker.
+ *
+ *
+ *
+ * This implements sane defaults for the CacheabilityAffectorInterface. Every
+ * access check still has to implement @code isCacheable() @endcode and
+ * @code getCacheContexts() @endcode, to ensure developers make a conscious
+ * choice there.
+ *
+ * @see Drupal\Core\CacheabilityAffectorInterface
+ */
+abstract class AccessBase implements AccessInterface {
+
+  /**
+   * {@inheritdoc}
+   *
+   * Access check objects don't have references to the data needed to perform
+   * the access check; that data is only passed to ::access() when invoked. Thus
+   * it's impossible for access checks to generate meaningful cache tags.
+   * Fortunately, we can approximate the necessary cache tags by getting the
+   * cache tags from the associated route's parameters.
+   * @todo Consider either instantiating access check objects for every check
+   *       that needs to be performed, or alternatively, to have a setArgs()
+   *       method.
+   */
+  public function getCacheTags() {
+    return array();
+  }
+
+  /**
+   * {@inheritdoc}
+   *
+   * Typically, access check results remain permanently valid, until one of the
+   * associated cache tags automatically invalidate the result.
+   */
+  public function getCacheMaxAge() {
+    return Cache::PERMANENT;
+  }
+
+}
diff --git a/core/lib/Drupal/Core/Routing/Access/AccessInterface.php b/core/lib/Drupal/Core/Routing/Access/AccessInterface.php
index 62d3d83..2516fcd 100644
--- a/core/lib/Drupal/Core/Routing/Access/AccessInterface.php
+++ b/core/lib/Drupal/Core/Routing/Access/AccessInterface.php
@@ -8,24 +8,18 @@
 namespace Drupal\Core\Routing\Access;
 
 use Drupal\Core\Access\AccessInterface as GenericAccessInterface;
+use Drupal\Core\Cache\CacheabilityAffectorInterface;
 
 /**
  * An access check service determines access rules for particular routes.
+ *
+ * This extends the @code CacheabilityAffectorInterface @endcode to ensure that
+ * access checks provide sufficient information to menus that are render cached,
+ * to ensure both effective caching and correct cache invalidation.
  */
-interface AccessInterface extends GenericAccessInterface {
+interface AccessInterface extends GenericAccessInterface, CacheabilityAffectorInterface {
 
   // @todo Remove this interface since it no longer defines any methods?
   // @see https://drupal.org/node/2266817.
 
-  /**
-   * Indicates whether the results of this access check are cacheable per role.
-   *
-   * @return bool
-   */
-  public function isCacheablePerRole();
-
-  // necessary to invalidate cached rendered menus when e.g. node 1 is modified
-//  public function getCacheTags(Route $route, Request $request);
-
-
 }
diff --git a/core/lib/Drupal/Core/Theme/ThemeAccessCheck.php b/core/lib/Drupal/Core/Theme/ThemeAccessCheck.php
index dd2a671..9bc5fd3 100644
--- a/core/lib/Drupal/Core/Theme/ThemeAccessCheck.php
+++ b/core/lib/Drupal/Core/Theme/ThemeAccessCheck.php
@@ -7,12 +7,12 @@
 
 namespace Drupal\Core\Theme;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 
 /**
  * Provides access checking for themes for routing and theme negotiation.
  */
-class ThemeAccessCheck implements AccessInterface {
+class ThemeAccessCheck extends AccessBase {
 
   /**
    * Checks access to the theme for routing.
@@ -44,8 +44,17 @@ public function checkAccess($theme) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   *
+   * This is globally cacheable.
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/book/src/Access/BookNodeIsRemovableAccessCheck.php b/core/modules/book/src/Access/BookNodeIsRemovableAccessCheck.php
index bcea6b4..1f8e73d 100644
--- a/core/modules/book/src/Access/BookNodeIsRemovableAccessCheck.php
+++ b/core/modules/book/src/Access/BookNodeIsRemovableAccessCheck.php
@@ -8,13 +8,13 @@
 namespace Drupal\book\Access;
 
 use Drupal\book\BookManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\node\NodeInterface;
 
 /**
  * Determines whether the requested node can be removed from its book.
  */
-class BookNodeIsRemovableAccessCheck implements AccessInterface {
+class BookNodeIsRemovableAccessCheck extends AccessBase {
 
   /**
    * Book Manager Service.
@@ -48,9 +48,19 @@ public function access(NodeInterface $node) {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable globally  if we could associate the cache tag
+   *       of the book node being checked.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/config_translation/src/Access/ConfigTranslationFormAccess.php b/core/modules/config_translation/src/Access/ConfigTranslationFormAccess.php
index 198cc87..5cf9c91 100644
--- a/core/modules/config_translation/src/Access/ConfigTranslationFormAccess.php
+++ b/core/modules/config_translation/src/Access/ConfigTranslationFormAccess.php
@@ -42,9 +42,19 @@ public function access(Route $route, Request $request, AccountInterface $account
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per role if we could associate the cache tag
+   *       of the target language.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/config_translation/src/Access/ConfigTranslationOverviewAccess.php b/core/modules/config_translation/src/Access/ConfigTranslationOverviewAccess.php
index ccd28c1..186b401 100644
--- a/core/modules/config_translation/src/Access/ConfigTranslationOverviewAccess.php
+++ b/core/modules/config_translation/src/Access/ConfigTranslationOverviewAccess.php
@@ -8,7 +8,7 @@
 namespace Drupal\config_translation\Access;
 
 use Drupal\config_translation\ConfigMapperManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Route;
@@ -16,7 +16,7 @@
 /**
  * Checks access for displaying the configuration translation overview.
  */
-class ConfigTranslationOverviewAccess implements AccessInterface {
+class ConfigTranslationOverviewAccess extends AccessBase {
 
   /**
    * The mapper plugin discovery service.
@@ -76,9 +76,19 @@ public function access(Route $route, Request $request, AccountInterface $account
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per role if we could associate the cache tag
+   *       of the config mapper's and that of its source language.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/contact/src/Access/ContactPageAccess.php b/core/modules/contact/src/Access/ContactPageAccess.php
index cc645d3..b890d9d 100644
--- a/core/modules/contact/src/Access/ContactPageAccess.php
+++ b/core/modules/contact/src/Access/ContactPageAccess.php
@@ -8,7 +8,7 @@
 namespace Drupal\contact\Access;
 
 use Drupal\Core\Config\ConfigFactoryInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\user\UserDataInterface;
 use Drupal\user\UserInterface;
@@ -16,7 +16,7 @@
 /**
  * Access check for contact_personal_page route.
  */
-class ContactPageAccess implements AccessInterface {
+class ContactPageAccess extends AccessBase {
 
   /**
    * The contact settings config object.
@@ -96,9 +96,19 @@ public function access(UserInterface $user, AccountInterface $account) {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the user being contacted.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/content_translation/src/Access/ContentTranslationManageAccessCheck.php b/core/modules/content_translation/src/Access/ContentTranslationManageAccessCheck.php
index 2ce01a3..fc672ad 100644
--- a/core/modules/content_translation/src/Access/ContentTranslationManageAccessCheck.php
+++ b/core/modules/content_translation/src/Access/ContentTranslationManageAccessCheck.php
@@ -9,7 +9,7 @@
 
 use Drupal\Core\Entity\EntityManagerInterface;
 use Drupal\Core\Language\Language;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\HttpFoundation\Request;
@@ -17,7 +17,7 @@
 /**
  * Access check for entity translation CRUD operation.
  */
-class ContentTranslationManageAccessCheck implements AccessInterface {
+class ContentTranslationManageAccessCheck extends AccessBase {
 
   /**
    * The entity type manager.
@@ -93,9 +93,19 @@ public function access(Route $route, Request $request, AccountInterface $account
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being translated.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/content_translation/src/Access/ContentTranslationOverviewAccess.php b/core/modules/content_translation/src/Access/ContentTranslationOverviewAccess.php
index 8702c1f..0a835c6 100644
--- a/core/modules/content_translation/src/Access/ContentTranslationOverviewAccess.php
+++ b/core/modules/content_translation/src/Access/ContentTranslationOverviewAccess.php
@@ -8,14 +8,14 @@
 namespace Drupal\content_translation\Access;
 
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
  * Access check for entity translation overview.
  */
-class ContentTranslationOverviewAccess implements AccessInterface {
+class ContentTranslationOverviewAccess extends AccessBase {
 
   /**
    * The entity type manager.
@@ -74,9 +74,19 @@ public function access(Request $request, AccountInterface $account) {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being translated.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/field_ui/src/Access/FormModeAccessCheck.php b/core/modules/field_ui/src/Access/FormModeAccessCheck.php
index 322c21e..0d1a79a 100644
--- a/core/modules/field_ui/src/Access/FormModeAccessCheck.php
+++ b/core/modules/field_ui/src/Access/FormModeAccessCheck.php
@@ -8,7 +8,7 @@
 namespace Drupal\field_ui\Access;
 
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\HttpFoundation\Request;
@@ -18,7 +18,7 @@
  *
  * @see \Drupal\entity\Entity\EntityFormMode
  */
-class FormModeAccessCheck implements AccessInterface {
+class FormModeAccessCheck extends AccessBase {
 
   /**
    * The entity manager.
@@ -87,8 +87,15 @@ public function access(Route $route, Request $request, AccountInterface $account
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
-    return FALSE;
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
   }
 
 }
diff --git a/core/modules/field_ui/src/Access/ViewModeAccessCheck.php b/core/modules/field_ui/src/Access/ViewModeAccessCheck.php
index 727b9bb..301350d 100644
--- a/core/modules/field_ui/src/Access/ViewModeAccessCheck.php
+++ b/core/modules/field_ui/src/Access/ViewModeAccessCheck.php
@@ -8,7 +8,7 @@
 namespace Drupal\field_ui\Access;
 
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\HttpFoundation\Request;
@@ -18,7 +18,7 @@
  *
  * @see \Drupal\entity\Entity\EntityViewMode
  */
-class ViewModeAccessCheck implements AccessInterface {
+class ViewModeAccessCheck extends AccessBase {
 
   /**
    * The entity manager.
@@ -86,9 +86,20 @@ public function access(Route $route, Request $request, AccountInterface $account
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being translated.
    */
-  public function isCacheablePerRole() {
-    return FALSE;
+  public function isCacheable() {
+    return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
+  }
+
+
 }
diff --git a/core/modules/menu_link/src/MenuTree.php b/core/modules/menu_link/src/MenuTree.php
index 77ba55e..b9ace92 100644
--- a/core/modules/menu_link/src/MenuTree.php
+++ b/core/modules/menu_link/src/MenuTree.php
@@ -807,11 +807,22 @@ public function willBeEmptyForAccount($menu_name, AccountInterface $account, arr
    * anything else than the role as uncacheable.
    */
   public function checkNonDynamicAccess(array $tree) {
+    /** @var \Drupal\Core\Access\AccessManager $access_manager **/
+    $access_manager = \Drupal::getContainer()->get('access_manager');
+
+    // Find all access checks whose results are cacheable per user role
+    // (or globally cacheable, because that means the access check's result
+    // doesn't depend on anything external to the access check itself).
+    $cacheable_access_checks = $access_manager->getCacheableAccessChecks();
+    $is_cacheable = function ($cache_contexts) {
+      $is_globally_cacheable = empty($cache_contexts);
+      $is_role_cacheable = $cache_contexts === array('cache_context.user.roles');
+      return $is_globally_cacheable || $is_role_cacheable;
+    };
+    $cacheable_access_checks = array_keys(array_filter($cacheable_access_checks, $is_cacheable));
+
     foreach ($tree as $key => $v) {
       $item = &$tree[$key]['link'];
-
-      /** @var \Drupal\Core\Access\AccessManager $access_manager **/
-      $access_manager = \Drupal::getContainer()->get('access_manager');
       if ($item['external'] || empty($item['route_name'])) {
         $item['access'] = 1;
         $item['access_checks'] = array();
@@ -828,9 +839,9 @@ public function checkNonDynamicAccess(array $tree) {
         try {
           $route = \Drupal::getContainer()->get('router.route_provider')->getRouteByName($item['route_name'], $item['route_parameters']);
           $checks = $route->getOption('_access_checks') ?: array();
-          // If this route has any permissions that are not cacheable per role,
-          // don't apply access checks here yet.
-          if (count(array_diff($checks, $access_manager->getRoleCacheableAccessChecks()))) {
+          // If this route has any access checks whose results cannot be cached
+          // per role, then don't perform access checking here.
+          if (count(array_diff($checks, $cacheable_access_checks))) {
             $item['access_checks'] = $checks;
           }
           else {
diff --git a/core/modules/node/src/Access/NodeAddAccessCheck.php b/core/modules/node/src/Access/NodeAddAccessCheck.php
index c830fac..90ec739 100644
--- a/core/modules/node/src/Access/NodeAddAccessCheck.php
+++ b/core/modules/node/src/Access/NodeAddAccessCheck.php
@@ -8,14 +8,14 @@
 namespace Drupal\node\Access;
 
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\node\NodeTypeInterface;
 
 /**
  * Determines access to for node add pages.
  */
-class NodeAddAccessCheck implements AccessInterface {
+class NodeAddAccessCheck extends AccessBase {
 
   /**
    * The entity manager.
@@ -64,8 +64,15 @@ public function access(AccountInterface $account, NodeTypeInterface $node_type =
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
-    return FALSE;
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user');
   }
 
 }
diff --git a/core/modules/node/src/Access/NodeRevisionAccessCheck.php b/core/modules/node/src/Access/NodeRevisionAccessCheck.php
index f409f73..08aa973 100644
--- a/core/modules/node/src/Access/NodeRevisionAccessCheck.php
+++ b/core/modules/node/src/Access/NodeRevisionAccessCheck.php
@@ -9,7 +9,7 @@
 
 use Drupal\Core\Database\Connection;
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\node\NodeInterface;
 use Symfony\Component\Routing\Route;
@@ -17,7 +17,7 @@
 /**
  * Provides an access checker for node revisions.
  */
-class NodeRevisionAccessCheck implements AccessInterface {
+class NodeRevisionAccessCheck extends AccessBase {
 
   /**
    * The node storage.
@@ -164,9 +164,19 @@ public function checkAccess(NodeInterface $node, AccountInterface $account, $op
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being translated.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/quickedit/src/Access/EditEntityAccessCheck.php b/core/modules/quickedit/src/Access/EditEntityAccessCheck.php
index 2f5c3d5..b083201 100644
--- a/core/modules/quickedit/src/Access/EditEntityAccessCheck.php
+++ b/core/modules/quickedit/src/Access/EditEntityAccessCheck.php
@@ -8,7 +8,7 @@
 namespace Drupal\quickedit\Access;
 
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Drupal\Core\Entity\EntityInterface;
@@ -16,7 +16,7 @@
 /**
  * Access check for editing entities with QuickEdit.
  */
-class EditEntityAccessCheck implements AccessInterface {
+class EditEntityAccessCheck extends AccessBase {
 
   /**
    * The entity manager.
@@ -89,9 +89,19 @@ protected function validateAndUpcastRequestAttributes(Request $request) {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being edited.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/quickedit/src/Access/EditEntityFieldAccessCheck.php b/core/modules/quickedit/src/Access/EditEntityFieldAccessCheck.php
index 0668868..a17c5ba 100644
--- a/core/modules/quickedit/src/Access/EditEntityFieldAccessCheck.php
+++ b/core/modules/quickedit/src/Access/EditEntityFieldAccessCheck.php
@@ -8,7 +8,7 @@
 namespace Drupal\quickedit\Access;
 
 use Drupal\Core\Entity\EntityManagerInterface;
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Drupal\Core\Entity\EntityInterface;
@@ -16,7 +16,7 @@
 /**
  * Access check for editing entity fields.
  */
-class EditEntityFieldAccessCheck implements AccessInterface, EditEntityFieldAccessCheckInterface {
+class EditEntityFieldAccessCheck extends AccessBase implements EditEntityFieldAccessCheckInterface {
 
   /**
    * The entity manager.
@@ -103,9 +103,19 @@ protected function validateAndUpcastRequestAttributes(Request $request) {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being edited.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/rest/src/Access/CSRFAccessCheck.php b/core/modules/rest/src/Access/CSRFAccessCheck.php
index bb4fc92..eeef06e 100644
--- a/core/modules/rest/src/Access/CSRFAccessCheck.php
+++ b/core/modules/rest/src/Access/CSRFAccessCheck.php
@@ -7,7 +7,7 @@
 
 namespace Drupal\rest\Access;
 
-use Drupal\Core\Access\AccessCheckInterface;
+use Drupal\Core\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\HttpFoundation\Request;
@@ -15,7 +15,7 @@
 /**
  * Access protection against CSRF attacks.
  */
-class CSRFAccessCheck implements AccessCheckInterface {
+class CSRFAccessCheck extends AccessBase {
 
   /**
    * Implements AccessCheckInterface::applies().
@@ -75,8 +75,15 @@ public function access(Request $request, AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/shortcut/src/Access/ShortcutSetSwitchAccessCheck.php b/core/modules/shortcut/src/Access/ShortcutSetSwitchAccessCheck.php
index 8e426e2..80727cf 100644
--- a/core/modules/shortcut/src/Access/ShortcutSetSwitchAccessCheck.php
+++ b/core/modules/shortcut/src/Access/ShortcutSetSwitchAccessCheck.php
@@ -7,14 +7,14 @@
 
 namespace Drupal\shortcut\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\user\UserInterface;
 
 /**
  * Checks access to switch a user's shortcut set.
  */
-class ShortcutSetSwitchAccessCheck implements AccessInterface {
+class ShortcutSetSwitchAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -49,8 +49,15 @@ public function access(UserInterface $user, AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
-    return FALSE;
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user');
   }
 
 }
diff --git a/core/modules/system/src/Access/CronAccessCheck.php b/core/modules/system/src/Access/CronAccessCheck.php
index 08ef919..423ee45 100644
--- a/core/modules/system/src/Access/CronAccessCheck.php
+++ b/core/modules/system/src/Access/CronAccessCheck.php
@@ -7,12 +7,12 @@
 
 namespace Drupal\system\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 
 /**
  * Access check for cron routes.
  */
-class CronAccessCheck implements AccessInterface {
+class CronAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -37,9 +37,19 @@ public function access($key) {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable per user if we could associate the cache tag
+   *       of the entity being translated.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/system/tests/modules/router_test_directory/src/Access/DefinedTestAccessCheck.php b/core/modules/system/tests/modules/router_test_directory/src/Access/DefinedTestAccessCheck.php
index 1469d20..dd66276 100644
--- a/core/modules/system/tests/modules/router_test_directory/src/Access/DefinedTestAccessCheck.php
+++ b/core/modules/system/tests/modules/router_test_directory/src/Access/DefinedTestAccessCheck.php
@@ -7,13 +7,13 @@
 
 namespace Drupal\router_test\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Symfony\Component\Routing\Route;
 
 /**
  * Defines an access checker similar to DefaultAccessCheck
  */
-class DefinedTestAccessCheck implements AccessInterface {
+class DefinedTestAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -36,4 +36,20 @@ public function access(Route $route) {
     }
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   *
+   * This is globally cacheable.
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/system/tests/modules/router_test_directory/src/Access/TestAccessCheck.php b/core/modules/system/tests/modules/router_test_directory/src/Access/TestAccessCheck.php
index d8af2c6..73be18c 100644
--- a/core/modules/system/tests/modules/router_test_directory/src/Access/TestAccessCheck.php
+++ b/core/modules/system/tests/modules/router_test_directory/src/Access/TestAccessCheck.php
@@ -7,12 +7,12 @@
 
 namespace Drupal\router_test\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 
 /**
  * Access check for test routes.
  */
-class TestAccessCheck implements AccessInterface {
+class TestAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -25,4 +25,21 @@ public function access() {
     // allowed or not.
     return static::DENY;
   }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   *
+   * This is globally cacheable.
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/tracker/src/Access/ViewOwnTrackerAccessCheck.php b/core/modules/tracker/src/Access/ViewOwnTrackerAccessCheck.php
index 40a8889..68cdebb 100644
--- a/core/modules/tracker/src/Access/ViewOwnTrackerAccessCheck.php
+++ b/core/modules/tracker/src/Access/ViewOwnTrackerAccessCheck.php
@@ -7,14 +7,14 @@
 
 namespace Drupal\tracker\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\user\UserInterface;
 
 /**
  * Access check for user tracker routes.
  */
-class ViewOwnTrackerAccessCheck implements AccessInterface {
+class ViewOwnTrackerAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -34,8 +34,15 @@ public function access(AccountInterface $account, UserInterface $user) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
-    return FALSE;
+  public function isCacheable() {
+    return TRUE;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user');
   }
 
 }
diff --git a/core/modules/update/src/Access/UpdateManagerAccessCheck.php b/core/modules/update/src/Access/UpdateManagerAccessCheck.php
index 5586f6f..9967bd3 100644
--- a/core/modules/update/src/Access/UpdateManagerAccessCheck.php
+++ b/core/modules/update/src/Access/UpdateManagerAccessCheck.php
@@ -7,13 +7,13 @@
 
 namespace Drupal\update\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Site\Settings;
 
 /**
  * Determines whether allow authorized operations is set.
  */
-class UpdateManagerAccessCheck implements AccessInterface {
+class UpdateManagerAccessCheck extends AccessBase {
 
   /**
    * Settings Service.
@@ -44,9 +44,19 @@ public function access() {
 
   /**
    * {@inheritdoc}
+   *
+   * @todo This would be cacheable globally if we could associate the cache tag
+   *       of the Settings.
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return FALSE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array();
+  }
+
 }
diff --git a/core/modules/user/src/Access/LoginStatusCheck.php b/core/modules/user/src/Access/LoginStatusCheck.php
index 3fd8e80..577b846 100644
--- a/core/modules/user/src/Access/LoginStatusCheck.php
+++ b/core/modules/user/src/Access/LoginStatusCheck.php
@@ -7,14 +7,14 @@
 
 namespace Drupal\user\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
  * Determines access to routes based on login status of current user.
  */
-class LoginStatusCheck implements AccessInterface {
+class LoginStatusCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -34,8 +34,15 @@ public function access(Request $request, AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
+  }
+
 }
diff --git a/core/modules/user/src/Access/PermissionAccessCheck.php b/core/modules/user/src/Access/PermissionAccessCheck.php
index 4ecbb22..17f88b6 100644
--- a/core/modules/user/src/Access/PermissionAccessCheck.php
+++ b/core/modules/user/src/Access/PermissionAccessCheck.php
@@ -7,14 +7,14 @@
 
 namespace Drupal\user\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 
 /**
  * Determines access to routes based on permissions defined via hook_permission().
  */
-class PermissionAccessCheck implements AccessInterface {
+class PermissionAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -35,8 +35,15 @@ public function access(Route $route, AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
+  }
+
 }
diff --git a/core/modules/user/src/Access/RegisterAccessCheck.php b/core/modules/user/src/Access/RegisterAccessCheck.php
index 2e336b8..f199a62 100644
--- a/core/modules/user/src/Access/RegisterAccessCheck.php
+++ b/core/modules/user/src/Access/RegisterAccessCheck.php
@@ -7,14 +7,14 @@
 
 namespace Drupal\user\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
  * Access check for user registration routes.
  */
-class RegisterAccessCheck implements AccessInterface {
+class RegisterAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -34,8 +34,15 @@ public function access(Request $request, AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
+  }
+
 }
diff --git a/core/modules/user/src/Access/RoleAccessCheck.php b/core/modules/user/src/Access/RoleAccessCheck.php
index ba619f8..25afe82 100644
--- a/core/modules/user/src/Access/RoleAccessCheck.php
+++ b/core/modules/user/src/Access/RoleAccessCheck.php
@@ -7,7 +7,7 @@
 
 namespace Drupal\user\Access;
 
-use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 
@@ -18,7 +18,7 @@
  * single role, users with that role with have access. If you specify multiple
  * ones you can conjunct them with AND by using a "+" and with OR by using ",".
  */
-class RoleAccessCheck implements AccessInterface {
+class RoleAccessCheck extends AccessBase {
 
   /**
    * Checks access.
@@ -57,8 +57,15 @@ public function access(Route $route, AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
+  }
+
 }
diff --git a/core/modules/views/src/ViewsAccessCheck.php b/core/modules/views/src/ViewsAccessCheck.php
index b184ef2..afc32c9 100644
--- a/core/modules/views/src/ViewsAccessCheck.php
+++ b/core/modules/views/src/ViewsAccessCheck.php
@@ -8,6 +8,7 @@
 namespace Drupal\views;
 
 use Drupal\Core\Access\AccessCheckInterface;
+use Drupal\Core\Routing\Access\AccessBase;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\Routing\Route;
 
@@ -16,7 +17,7 @@
  *
  * @todo We could leverage the permission one as well?
  */
-class ViewsAccessCheck implements AccessCheckInterface {
+class ViewsAccessCheck extends AccessBase implements AccessCheckInterface {
 
   /**
    * {@inheritdoc}
@@ -41,8 +42,15 @@ public function access(AccountInterface $account) {
   /**
    * {@inheritdoc}
    */
-  public function isCacheablePerRole() {
+  public function isCacheable() {
     return TRUE;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getCacheContexts() {
+    return array('cache_context.user.roles');
+  }
+
 }