Access controls for a Web service (which controls are based on abstract WSDL definitions) are defined for a WSDL defined protected object space and, as such, are loosely coupled with the concrete WSDL binding derived from those definitions, preferably on a per binding level. This WSDL-defined POS is in turn loosely bound to a resource-specific protected object space definition. This loose coupling is leveraged to allow changes (e.g., updates) to the abstract WSDL binding's protected object space to be transitively applied to the application-specific protected object space. If appropriate, changes to the resource-specific protected object space may be applied to the WSDL's protected object space. Thus, according to the invention, the coupling may be one-way (typically, from the WSDL POS to the resource level POS) or two-way (from the WSDL POS to the resource level POS and vice versa). This technique ensures that different security policies are not applied unintentionally to the same resource (for example, one at the Web services entry level, and the other at the resource level). By synchronizing the protected object spaces in the manner described, neither the entity that deploys the application nor the security administrator need to be aware of the differences between the Web service request and the resource request.