A method and system for enabling a user to authorize a client, acting under the directed of a first resource, to access a second resource. Before the client accesses the second resource, client programming, that is autonomous of the first and second resources, redirects the client to an authorization service that is also autonomous of the first and second resource. The authorization service authenticates the user, identifies policy data, if any, associated with the user and the first resource, and then returns to the client an interface generated according to the identified policy data, if any, enabling the user to grant or deny authorization. Where policy data does not exist, the authorization service returns an interface to the client enabling the user to set policy data.