A distributed access control technique assigns permission to a user
without permission explosion, thereby facilitating the system
administration of user access to a piece of content represented by a Web
service. Permissions are granted to pieces of content through expressions
rather than by explicitly coupling a piece of content to a user.
Each expression defines an access scope for either a user or a piece of
content. An expression defining the access scope for a user can be
created and maintained independently of an expression defining the access
scope to a piece of content, which simplifies the implementation and
administration of the management information system.
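
The sketch below is an added example, not code from the described system, showing how independently maintained scope expressions can replace explicit user-to-content grants. The expression syntax (slash-separated scope labels matched by glob patterns), the user names and the service paths are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumed syntax (not from the page): a content expression is a '/'-separated
# scope label; a user expression is a list of glob patterns over such labels.
# All names and values below are constructed sample data.
USER_SCOPES = {
    "alice": ["finance/*"],
    "bob": ["finance/reports/public", "hr/*"],
    "carol": [],
}
CONTENT_SCOPES = {  # maintained separately from USER_SCOPES
    "/svc/ledger": "finance/ledger/internal",
    "/svc/q3-report": "finance/reports/public",
    "/svc/payroll": "hr/payroll",
}


def is_allowed(user, content):
    """Default deny: unknown users or unscoped content get no access."""
    scope = CONTENT_SCOPES.get(content)
    if scope is None:
        return False
    # Note: fnmatch's '*' also matches '/', so "finance/*" covers every
    # scope below finance/. The scope itself is compared as a literal string.
    return any(fnmatchcase(scope, pat) for pat in USER_SCOPES.get(user, []))


def explicit_pairs():
    """The (user, content) grants an explicit ACL would have to store."""
    return {(u, c) for u in USER_SCOPES for c in CONTENT_SCOPES
            if is_allowed(u, c)}


if __name__ == "__main__":
    for user, content in sorted(explicit_pairs()):
        print(user, "->", content)
    # Publishing new content only touches the content side; no user
    # record is edited, yet alice's existing expression already covers it.
    CONTENT_SCOPES["/svc/forecast"] = "finance/forecast"
    print("alice /svc/forecast:", is_allowed("alice", "/svc/forecast"))
```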