Providing access to a resource via authorization data that conditionally defines the access by an expression that identifies the resource by name and by at least one property of the resource. An authorization service issues the authorization data (e.g., as a token) and evaluating authorization data received from a client. The authorization service evaluates the expression in the authorization data to identify the resource and determine the rights associated with the user for the resource. The authorization service implements role-based access control to control access to resources in a distributed, multi-site network.