An automated technique implemented in a computer system for selecting one
or more resources on which a principal is authorized to perform at least
one action comprises the following steps/operations. First, one or more
authorization policies that apply to a given principal are selected.
Then, the one or more authorization policies are transformed based on
meta-information associated with the one or more resources so as to form
a query against a resource store that selects the one or more resources
on which the one or more authorization policies allow the given principal
to perform the at least one action. The query may then be executed to
select the one or more resources from the resource store. In another
automated technique, the query may be formed without use of the one or
more authorization policies, with the policies instead used to remove
unauthorized resources from the superset of resources returned as a
result of query execution. The techniques may return no resources on
which the user is allowed to perform an action, if, for example, no such
resources are stored in the resource store. It may also be that no
authorization policy applies to the user.
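
Both techniques side by side, as an added example that is not part of the original text: policies compiled into a parameterized query, and the alternative of querying first and filtering afterwards. The policy format, the `META` mapping, the table schema and the sample rows are all constructed assumptions, with SQLite standing in for the resource store.

```python
import sqlite3

# Constructed meta-information: policy attribute -> resource-store column.
# Doubles as an allowlist, so attribute names never reach SQL unchecked.
META = {"department": "dept", "classification": "label", "owner": "owner"}

# Constructed policies: each grants `action` on resources matching every condition.
POLICIES = [
    {"principal": "alice", "action": "read", "when": {"department": "finance"}},
    {"principal": "alice", "action": "read", "when": {"owner": "alice"}},
    {"principal": "bob", "action": "read", "when": {"classification": "public"}},
]

def applicable(principal, action):
    """Step 1: select the policies that apply to the principal and action."""
    return [p for p in POLICIES if p["principal"] == principal and p["action"] == action]

def compile_query(principal, action):
    """Step 2: transform those policies into one parameterized query."""
    clauses, params = [], []
    for p in applicable(principal, action):
        terms = [f"{META[attr]} = ?" for attr in p["when"]]  # KeyError if not allowlisted
        params.extend(p["when"].values())
        clauses.append("(" + " AND ".join(terms) + ")" if terms else "1")
    where = " OR ".join(clauses) if clauses else "0"  # no policy applies: select nothing
    return f"SELECT id FROM resources WHERE {where} ORDER BY id", params

def authorized_by_query(db, principal, action):
    sql, params = compile_query(principal, action)
    return [row[0] for row in db.execute(sql, params)]

def authorized_by_filter(db, principal, action):
    """Alternative: query without policies, then remove unauthorized resources."""
    policies = applicable(principal, action)
    cols = list(META.values())
    rows = db.execute(f"SELECT id, {', '.join(cols)} FROM resources ORDER BY id")
    allowed = []
    for rid, *vals in rows:
        res = dict(zip(cols, vals))
        if any(all(res[META[a]] == v for a, v in p["when"].items()) for p in policies):
            allowed.append(rid)
    return allowed

def make_store(rows=((1, "finance", "internal", "carol"), (2, "hr", "public", "dave"),
                     (3, "hr", "secret", "alice"), (4, "finance", "secret", "alice"))):
    """Constructed in-memory resource store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resources (id INTEGER, dept TEXT, label TEXT, owner TEXT)")
    db.executemany("INSERT INTO resources VALUES (?, ?, ?, ?)", rows)
    return db
```

The compiled query touches only authorized rows, while the filtering variant reads the whole superset into the application before discarding rows, which matters for both cost and exposure of unauthorized data in memory.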