As already mentioned earlier, different application services may be hosted in a cloud environment and may use the same physical resources. However, each application service is logically separated from others. Different types of system entities consume those services; therefore, application service provider should manage a proper mechanism for access control decisions.

This means that various users, after being successfully authenticated, should request and access those resources and services for which they are authorized in a particular enterprise security domain.

As the number of the services and service consumers grow, management of access control mechanism becomes more complex and expensive: each service provider needs to implement independent access control mechanism by means of self-governing security policies and policy enforcement points.

Decoupling policies from application services and managing them independently from application services results in a solution which is more effective for an authorization system.

Applications focus only on system functionality and business value. Having a single security policy management point makes the entire authorization system more flexible and secure, meaning that it can be administered, configured and protected separately from application services.

In this way, it is easy to configure and apply common policies for every application service in a single security domain. Besides, changing a policy becomes very simple because of a single location for policy management.

Protection and auditing of the authorization system is managed separately thus making it much harder to compromise.

Role-based authorization system is proposed for a cloud environment which is a component of the central security system. The system provides authorization services for cloud-based application services.

Policy Decision Point (PDP) server resides in the central security system. It implements role-based access control mechanism and provides authorization services to application service providers within a security domain.

Policy Administration Point (PAP) component is in charge of providing policy administration services to security administrators. It is the main repository for policies and authorization service provider makes authorization decisions based on security policies created and stored in that repository by security administrators.

In the designed security system PAP component is deployed in the PDP server. End-users, that may access resources at an application service site, must be assigned different access roles by security administrator.

PAP provides role defining and assigning services to authorized security administrators. In order to as sign a role to an end-user, the latter should have a valid registration entry in IDMS.

PAP and IDMS are coordinated together and they share a repository for storing and retrieving end-user attributes, such as roles. At the same time, security administrator defines role-based policy: it represents authorization result based on a combination of resource, action and role.

Thus, the complete decision service is centralized in a single security system.