A system, apparatus, and method are provided for entitlement security and
control. According to one embodiment, an entitlement request is received
from a downstream access control system seeking entitlement permission on
behalf of a user, a group of users, all users associated with the
downstream access control system, or on behalf of the downstream access
control system as a whole; the entitlement request is matched against
entitlement rules and roles that are retrieved from a metadata
repository; and the entitlement permission is granted if the entitlement
request satisfies the entitlement rules and roles.
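
The matching step described above, as an added sketch that is not taken from the patent. The repository layout, the names (`Scope`, `EntitlementRequest`, `decide`, the sample systems, roles and entitlements), the deny-by-default behaviour and the binding of each role grant to the requesting downstream system are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    """Who the downstream access control system is asking on behalf of."""
    USER = "user"            # a single user
    GROUP = "group"          # a group of users
    ALL_USERS = "all_users"  # all users associated with the downstream system
    SYSTEM = "system"        # the downstream system as a whole


@dataclass(frozen=True)
class EntitlementRequest:
    system: str       # downstream access control system sending the request
    scope: Scope
    subject: str      # user or group id; "" for ALL_USERS and SYSTEM
    entitlement: str  # permission being sought


# Constructed metadata repository (hypothetical layout and contents).
REPOSITORY = {
    # role -> principals holding it, each bound to one downstream system
    "roles": {
        "claims-reader": {(Scope.USER, "hr-portal", "alice"),
                          (Scope.GROUP, "hr-portal", "auditors")},
        "batch-export": {(Scope.SYSTEM, "billing-acs", "")},
    },
    # (entitlement, required role, scopes the rule may be granted to)
    "rules": [
        ("claims:read", "claims-reader", {Scope.USER, Scope.GROUP}),
        ("ledger:export", "batch-export", {Scope.SYSTEM}),
    ],
}


def decide(req: EntitlementRequest, repo: dict = REPOSITORY) -> bool:
    """Grant only if a rule for the entitlement is satisfied; otherwise deny."""
    principal = (req.scope, req.system, req.subject)
    for entitlement, role, allowed_scopes in repo["rules"]:
        if entitlement != req.entitlement:
            continue
        # A rule written for users or groups must not match a wider scope.
        if req.scope not in allowed_scopes:
            continue
        # The role grant is tied to the requesting system, so another
        # downstream system cannot reuse the same subject id.
        if principal in repo["roles"].get(role, set()):
            return True
    return False  # no matching rule and role: permission is not granted
```
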