A Web service [8] is a Web-based application that can be published, located and invoked across the Web. Compared to centralized systems and client-server environments, a Web service environment is much more dynamic, and security for such an environment poses unique challenges. While Web services are rapidly becoming a fundamental paradigm for the development of complex Web applications, several security issues still need to be addressed. Some proposals for securing Web services have been presented [1, 2, 4] over the last two years. In particular, the SAML [1] and XACML [6] standards provide a sound basis for the development of a secure infrastructure for Web services. SAML, an acronym for Security Assertion Markup Language, is an XML-based framework for exchanging security information, developed by the OASIS XML-Based Security Services Technical Committee, whereas XACML is a specification that is used in conjunction with SAML and provides a means for standardizing access control decisions for XML documents. However, none of these technologies provides a general and formal model for access control of Web services. Indeed, among the various open issues concerning security, an important one is the development of suitable access control models, able to restrict access to Web services to authorized users. At first glance, it may seem that such an issue can be solved by relying on security technologies commonly adopted for Web sites. Indeed, there are a number of embedded software applications whose purpose is to control access to Web service applications. But such an approach is not adequate when dealing with loosely coupled applications, as Web service technology requires, and can only be considered a temporary solution until more appropriate techniques are devised.