DYNAMIC CONTEXT-AWARE ACCESS CONTROL - Use of Resource Hierarchies to Define Fine-grained, Adaptable Authorization Policies


2007 | Annett Laube and Laurent Gomez
This paper presents a dynamic context-aware access control approach that uses resource hierarchies to define flexible and adaptable authorization policies. The approach separates application and security logic, enabling dynamic policy enforcement based on context information and allowing adaptation of authorization granularity outside the application. Resource hierarchies, defined by application needs and related authorization policies, provide flexibility in defining permissions without modifying the applications themselves. The explicit notation of authorization policies and their enforcement independent of the application offer new extensibility.

The paper introduces context-aware authorization policies with and without resource hierarchies, and applies them to two real-world scenarios: a business application and an e-health scenario. In the business application, the approach allows fine-grained access control to different types of data, such as employee data, personal data, and salary information. In the e-health scenario, the approach enables dynamic access control to medical data based on context information such as the patient's health status, the physician's role, and proximity.

The architecture of the approach is based on a context-aware security framework, which includes intermediaries that enforce security policies at message level. The framework uses XACML (eXtensible Access Control Markup Language) to enforce access control policies, and resource hierarchies to define the granularity of authorization policies. The approach allows the separation of authorization policies and resource hierarchies from the application, enabling the application to focus on functional aspects while the authorization policies are defined and modified independently. The paper also discusses related work, including RBAC (Role-Based Access Control) models and their extensions, and compares them with the proposed approach.

The proposed approach offers a more flexible and adaptable solution for access control in SOA (Service-Oriented Architecture) environments, allowing the definition of authorization policies outside the service and enabling dynamic enforcement based on context information. The use of resource hierarchies allows the definition of authorization policy granularity outside the service, and the approach helps maintain relationships between sub-resources that would not be possible if the service itself were to split its functionality to a similar level.
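To make the two mechanisms the abstract describes concrete, here is an added toy policy decision point (example code, not the authors' framework or XACML itself): a resource hierarchy whose nodes carry rules, so that a rule on `employee` is inherited by `employee/salary` unless a Deny nearer the leaf overrides it, and rule conditions that read context attributes (subject identity, patient health status, physician proximity). The resource names, roles, the 10 m proximity threshold and the deny-overrides combining rule are all assumptions chosen for illustration and are not taken from the paper.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Context attributes are a plain dict here; in the paper's framework they are
# supplied by the context-aware intermediary that sits in front of the service.
Context = Dict[str, object]


@dataclass
class Rule:
    roles: frozenset                                   # subject roles the rule applies to
    actions: frozenset                                 # actions the rule covers
    effect: str                                        # "Permit" or "Deny"
    condition: Callable[[Context], bool] = lambda ctx: True  # context test


@dataclass
class ResourceNode:
    """One node of the resource hierarchy; children are addressed by path segment."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    children: Dict[str, "ResourceNode"] = field(default_factory=dict)

    def child(self, name: str) -> "ResourceNode":
        return self.children.setdefault(name, ResourceNode(name))


def resolve(root: ResourceNode, path: str) -> List[ResourceNode]:
    """Return the chain of nodes from the root down to the addressed sub-resource.
    An unknown segment raises KeyError: an undefined resource has no policy."""
    chain = [root]
    for segment in path.split("/"):
        chain.append(chain[-1].children[segment])
    return chain


def decide(root: ResourceNode, path: str, role: str, action: str, ctx: Context) -> str:
    """Deny-overrides evaluation over the whole chain (assumed combining rule).
    Rules on ancestors are inherited by sub-resources; any applicable Deny wins,
    otherwise any applicable Permit wins, otherwise 'NotApplicable', which an
    enforcement point must treat as deny."""
    effects = set()
    for node in resolve(root, path):
        for rule in node.rules:
            if role in rule.roles and action in rule.actions and rule.condition(ctx):
                effects.add(rule.effect)
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def build_business_policy() -> ResourceNode:
    """Business scenario (constructed): employee data with personal and salary sub-resources."""
    root = ResourceNode("company")
    employee = root.child("employee")
    personal = employee.child("personal")
    salary = employee.child("salary")
    rw = frozenset({"read", "write"})
    employee.rules.append(Rule(frozenset({"hr"}), rw, "Permit"))
    employee.rules.append(Rule(frozenset({"manager"}), frozenset({"read"}), "Permit"))
    # An employee may read only their own personal record (context: subject vs owner).
    personal.rules.append(Rule(frozenset({"employee"}), frozenset({"read"}), "Permit",
                               lambda c: c.get("subject_id") == c.get("owner_id")))
    # Salary is denied to managers even though the 'employee' node grants them read.
    salary.rules.append(Rule(frozenset({"manager"}), rw, "Deny"))
    return root


def build_ehealth_policy() -> ResourceNode:
    """E-health scenario (constructed): a patient record with vitals and history."""
    root = ResourceNode("hospital")
    record = root.child("patient_record")
    vitals = record.child("vitals")
    record.child("history")
    # A physician may read the whole record only when close to the patient (assumed 10 m).
    record.rules.append(Rule(frozenset({"physician"}), frozenset({"read"}), "Permit",
                             lambda c: float(c.get("distance_m", 1e9)) <= 10))
    # In an emergency any physician may read vitals regardless of proximity.
    vitals.rules.append(Rule(frozenset({"physician"}), frozenset({"read"}), "Permit",
                             lambda c: c.get("health_status") == "emergency"))
    # Nurses read vitals only; nothing inherited grants them the history.
    vitals.rules.append(Rule(frozenset({"nurse"}), frozenset({"read"}), "Permit"))
    return root


if __name__ == "__main__":
    biz, med = build_business_policy(), build_ehealth_policy()
    print("manager read employee/salary :", decide(biz, "employee/salary", "manager", "read", {}))
    print("manager read employee/personal:", decide(biz, "employee/personal", "manager", "read", {}))
    print("physician far, emergency, vitals:",
          decide(med, "patient_record/vitals", "physician", "read",
                 {"distance_m": 50, "health_status": "emergency"}))
    print("physician far, history:",
          decide(med, "patient_record/history", "physician", "read", {"distance_m": 50}))
```

The point the abstract makes shows up in `decide`: changing what a manager may see of an employee record, or when a physician may read vitals, is a matter of adding a rule to a node of the hierarchy, and neither the service nor its interface changes. Treating `NotApplicable` as deny at the enforcement point is what keeps a missing rule from silently granting access.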