A Dynamic Context-Aware and Role-Capability Based Access Control Mechanism for Internet of Things


Year : 2026

Publisher : Springer

Source Title : Journal of Network and Systems Management

Document Type :

Abstract

The Internet of Things (IoT) presents distinct challenges for access control due to its dynamic, heterogeneous, and evolving nature, which existing mechanisms often struggle to address. To overcome these challenges, this paper proposes a novel context-aware role-capability based access control (CRCBAC) system that effectively handles key issues such as dynamic adaptation, capability delegation, context awareness, scalability, and security. At its core, CRCBAC utilizes a structured role capability tree (RCT) to ensure secure capability propagation and management across roles, resolving conflicts through a priority system. Additionally, we design a set of protocols leveraging RCT operations to securely evaluate access requests, as well as to create, transfer, and revoke capabilities. These protocols are validated through formal analysis using BAN logic and Scyther-based attack simulation, demonstrating CRCBAC’s robustness in ensuring both confidentiality and integrity. Experimental evaluation confirms CRCBAC’s superior scalability and efficiency, achieving up to lower response times and 4.6 times higher throughput compared to state-of-the-art approaches. The capability delegation mechanism consistently maintains response times below 3 ms, even as user capabilities scale, while also reducing energy consumption by compared to the state-of-the-art approach, making CRCBAC particularly well-suited for energy-constrained IoT environments.