Techniques are described for automating the generation of access control information that identifies users that are permitted to access particular business objects used by a computer application. The generation of access control information is based on a characteristic that is shared by the user and the business object to be accessed. The characteristic may be an attribute. The characteristic also may be the identification of a process to determine a characteristic of a user and/or a characteristic of a business object.