A method and system for implementing access control in a computer system is disclosed. Synonyms associated with shareable security policies and policy functions are employed to encapsulate data from underlying data sources. By controlling access and contents of synonyms and their underlying security policies, fine-grained access control can be implemented for system data sources.