Under the present invention, a mapping is provided that interrelates security permissions for an application-based resource with security permissions for a set of IT-based resources in the distributed system. When a desired security permission for the application-based resource is expressed, the mapping can be accessed to determine the corresponding security permissions for the IT-based resources. Once these security permissions are determined, resource plug-ins corresponding to the IT-based resources will effect their respective security permissions.