Controlling access of system entities on behalf of subjects to objects based on a access control policy.