A method, system, and program storage device for establishing security and authorization policies for users accessing a software application, wherein the method comprises generating at least one application object group from an application object description document comprising an XML format run on a data processor; creating an authorization policy for each application object; sending a selected application object group to an access controller; and establishing access control parameters at a time of deployment of the software application for users attempting to access the selected application object group based on the authorization policy. The method further comprises specifying environmental variables for the authorization policy; changing the authorization policy by modifying a declarative specification of the environmental variables and modifying constraints defined on attributes of an application object; implementing varied classes of authorization policies using a same authorization policy classifier; and specifying the application object group using grouping parameters.