An authorization data model factors roles into generic roles and responsibilities, using these attributes at run-time to complete an authorization process based on non-static privileges associated with currently defined roles and responsibilities. Multiple applications collect current variable authorization information at run-time, when prompted by a user request to access a protected resource, from an external central repository that maintains updated generic role and responsibility information independent of user identity, thus replacing a fixed authorization structure with a flexible wild-card based model.