In some example embodiments, a method includes storing a user attribute, a resource attribute of a resource of a web service, one or more scope conditions for applying one of attributes in generating a decision of whether to permit an action, and a script comprising an access control policy comprising one or more policy conditions to be satisfied in order to permit an action. A web service request may be received for accessing the resource. The scope condition(s) may be determined to be satisfied, and a decision to permit or deny the web service request may be generated based on the access control policy, with use of the stored attribute in generating the decision being based on the determination that the scope condition(s) are satisfied. Generating the decision may comprise interpreting the script. The decision may be transmitted to the web service.