In distributed microservice architecture based cloud services environments, various servers can have or otherwise manage protected resources, such as services, applications, virtual machines, host computers, other servers, network resources, storage resources, and the like. For user-centric access control, such computing environments can include an identity and access management (IAM) service that embeds access control polices in access tokens it issues to clients. The IAM service establishes the format of the policy document that is used to specify privileges for end users with respect to accessing protected resources. In such a configuration, the IAM service must find common ground among the various heterogeneous resource servers in the system to determine a standardized policy document format that is acceptable to all of the resource servers. Such a standardized policy document is not scalable and is not amenable to changes in the format. Since the standardized policy document has a format common to the entire system, scaling non-additive changes to the format involves every resource server in the system, which can be slow.