Administrators of web services lack the ability to easily and efficiently change access control policies of the web services without having to directly alter their application runtime or configuration. Current solutions for writing access control policies have a steep learning curve and an unintuitive format for writing policies, leading to inefficient and, in some cases, insecure, access control policies. Proper configuration of security components is often one of the weakest points of any security technology. Due to the complexity of many current solutions, it is not uncommon to find code that is rife with poorly implemented, or even ineffective, configuration.