Improved detection of the authorization requirements and definition of the
security policies for an application comprising one or more components is
disclosed. A call and resource-access graph is used to model all the
possible paths of execution within the application. Then, paths of
execution detected during the analysis are combined with the access
control information found in the security policy of the application.
Finally, for each authorization point in the application, a minimal
security policy is reported that the executing principal should be
granted in order to pass the authorization successfully.
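
The analysis described above can be sketched as follows; this is an added illustration, not the disclosed implementation. The component names, permission strings, and the rule that a principal must hold the permission of every access-controlled node reachable from an authorization point are assumptions made for the example.

```python
# Constructed sample application (hypothetical names, not from the source).
# Call and resource-access graph: each node maps to the methods it calls
# and the resources it accesses.
GRAPH = {
    "OrderServlet.doPost": ["OrderBean.place", "AuditLog.write"],
    "OrderBean.place": ["InventoryBean.reserve", "db:orders"],
    "InventoryBean.reserve": ["db:inventory", "InventoryBean.reserve"],  # recursive call
    "ReportServlet.doGet": ["db:orders"],
    "AuditLog.write": ["log:audit"],
}

# Access control information from the application's security policy
# (assumed shape): access-controlled node -> permission it demands.
POLICY = {
    "OrderBean.place": "role:customer",
    "InventoryBean.reserve": "role:stock",
    "db:orders": "perm:db.orders",
    "db:inventory": "perm:db.inventory",
    "log:audit": "perm:log.append",
}


def reachable(graph, start):
    """Every node on some execution path from `start` (iterative DFS, cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def minimal_policies(graph, policy):
    """Map each authorization point (a node with a policy entry) to the
    permissions a principal needs to pass that check and every check that
    can follow it on any modelled path. Under the assumption that each
    modelled path may execute, dropping any permission fails some path."""
    return {
        point: frozenset(policy[n] for n in reachable(graph, point) if n in policy)
        for point in policy
    }


if __name__ == "__main__":
    for point, perms in sorted(minimal_policies(GRAPH, POLICY).items()):
        print(f"{point}: {sorted(perms)}")
```

Because the graph models all possible paths, the reported set is a static over-approximation: a permission may be listed for a branch that a given request never takes.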