This article presents a dynamic context-aware access control model that uses resource hierarchies to define fine-grained, adaptable authorization policies. The approach separates application and security logic, allowing policies to be defined and adapted outside the application. Context information is integrated into the authorization policies to enable dynamic enforcement based on runtime parameters. The use of resource hierarchies enables flexible and adaptable authorization policies that are independent of the application itself.
The model defines context-aware authorization policies as triples consisting of a subject, a permission, and a context constraint. The context constraint is a logical expression that determines whether a permission is granted based on runtime context information. The model also introduces resource hierarchies, which are directed acyclic graphs that allow for the definition of authorization policies at the level of individual resource nodes. This enables more precise and adaptable authorization policies that can be applied to specific resources within a hierarchy.
The article presents two scenarios where the model is applied: one involving a business application and another involving e-health applications. In the business scenario, the model is used to define authorization policies for different roles, such as HR accountants, employees, and managers. In the e-health scenario, the model is used to define authorization policies for physicians accessing medical data of patients, taking into account factors such as the patient's health status, the physician's role, and the proximity of the physician to the patient.
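The policy triples and resource hierarchy described above, applied to the e-health scenario as an added example (not code from the article or its prototype). The node names, context attribute names, the 50 m proximity limit, and the rule that a policy attached to a node also covers its descendants are all assumptions made for illustration; the context dictionary is assumed to have been verified already.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed resource hierarchy (DAG), stored as node -> parent nodes.
PARENTS: Dict[str, List[str]] = {
    "patient_record": [],
    "medical_data": ["patient_record"],
    "billing_data": ["patient_record"],
    "lab_results": ["medical_data"],
    "insurance_codes": ["medical_data", "billing_data"],  # two parents
}

@dataclass(frozen=True)
class Policy:
    subject: str                         # role of the requester
    operation: str                       # permission = operation on a resource node
    resource: str
    constraint: Callable[[dict], bool]   # context constraint

# Constructed policies; the 50 m proximity limit is an arbitrary sample value.
POLICIES = [
    Policy("physician", "read", "medical_data", lambda c: c["treating"] is True),
    Policy("physician", "read", "medical_data",
           lambda c: c["patient_status"] == "emergency" and c["distance_m"] <= 50),
    Policy("billing_clerk", "read", "billing_data", lambda c: True),
]

def scope_of(node: str) -> Set[str]:
    """Return the node plus every ancestor reachable in the DAG."""
    seen: Set[str] = set()
    stack = [node]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(PARENTS[current])
    return seen

def decide(subject: str, operation: str, resource: str, context: dict) -> bool:
    """Permit if any matching policy on the node or an ancestor holds; else deny."""
    if resource not in PARENTS:
        return False                     # unknown resource: deny
    scope = scope_of(resource)
    for p in POLICIES:
        if (p.subject, p.operation) == (subject, operation) and p.resource in scope:
            try:
                if p.constraint(context):
                    return True
            except (KeyError, TypeError):
                continue                 # missing or malformed context: fail closed
    return False
```

Under the assumed inheritance rule, a node with two parents such as `insurance_codes` is reachable through either branch, so policies on both `medical_data` and `billing_data` grant access to it; multi-parent nodes deserve review when a hierarchy is adapted.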
The model is implemented in a prototype based on a context-aware security framework. The framework includes message filters that enforce security policies at the message level, and a policy decision point that evaluates authorization policies based on context information. The framework also includes a security token service that generates signed context information and a context-aware authorization service that enforces the access control policies.
The article concludes that the proposed model provides a flexible and adaptable approach to access control that can be used in service-oriented architecture (SOA) environments. The model allows for the definition of authorization policies outside the application, and the use of resource hierarchies enables more precise and adaptable policies. The model also allows for the separation of security-related application knowledge, enabling the application to focus on functional aspects while the authorization policies are defined and modified independently.