So you've authenticated the user, and now what? Here's an overlooked problem that causes many headaches: once a user is authenticated, how will you handle authorisation? Authorisation, like authentication, should be delegated to a dedicated service rather than handled by each application itself. But how? The fact that this is rarely done today creates unnecessary risk and large gaps, and not only in SOA environments. Felix looks at the different approaches, best practices, and initiatives that currently exist around externalising authorisation and application security, and gives an overview of where he thinks all of this is heading.