This paper has shown that it is possible to integrate flexible distributed authorization methods and metacomputing application by extending the traditional access control lists framework with restrictions on authorized rights, and by using the Generic Authorization and Access-control API to make access decisions. The policy language interpreted by the GAA-API allows applications and users to define their own access control policy types, and supports both local and distributed security policies. The problem of translation of the policies is addressed by using generic or application-specific evaluation functions. A prototype integrating the GAA-API with the Prospero Resource Manager has been developed at the Information Sciences Institute of the University of Southern California.