Apparatus for controlling cross-organizational access by end users associated with a plurality of organizations to one or more distributed object services available via a resource server across an information technology communications network. The apparatus comprises at least one Requesting Organization (RO) having access to services via the resource server, the Requesting Organization being adapted to issue enrollments to one or more end users upon request and electronically transmitting the enrollments to the respective end users. The apparatus further comprises at least one Servicing Organization (SO) communicating with the Requesting Organization and defining the credentials required for access to a service via the resource server by end users associated with each of the organizations. A Clearance Service (CS) is provided in which is stored one or more mappings of enrollments to credentials, the end user being adapted to transmit to the resource server a request for access to a resource together with data relating to their respective enrollment, in response to receipt of which request, the Requesting Organization is adapted to transmit the data relating to the enrollment to the Clearance Service which is adapted to map the enrollment to one or more respective credentials and return data representative of the credentials to the resource server which in turn is adapted to compare the data representative of the credentials to the original resource request and to comply (or otherwise) with the request. The Requesting Organization the resource server and the Clearance Service are all implemented as web or e-services.