Some online applications have a complex access control policy that is not easily modelled by simple ‘roles’. E-learning applications, for example, have to implement a particularly complex policy: access to a resource such as an ‘assignment’ can depend not only on role but also on date and time, on the state of the resource (hidden/visible), on the location of the device from which the resource is accessed, and on the actual identity of the user (beyond just the role). While an “Attribute Based Access Control” paradigm can help model such a policy, the policy still has to be expressed and implemented in the form of code, which implies that effecting any change in the policy involves changing the code. Furthermore, the lines of code implementing the access control policy are often scattered across the various functionalities, written by the developers of those functionalities. This approach is extremely error prone and can lead to critical access control bugs.
In this project we have two goals; the first is a stepping stone to the second.
First, we aim to develop a software design paradigm that completely separates the implementation of access control policy from the implementation of functionality. Our aim is that front-end and back-end functionality developers should not have to ‘know’ the access control policy at all. Functionality code should simply ‘query’ the access control layer with the request context and be granted or denied access to a given resource. The access control layer should be the one and only layer where *policy* is implemented; it simply grants or denies certain kinds of access and implements no other functionality.
Second, we aim to generalize this approach such that the access control policy becomes ‘*data*, not *code*’. Thus no code should have to change when any policy changes. Policy changes should be effected by privileged users of the application; developers need not be involved. To our knowledge there is no existing work which has addressed this goal.
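As an added illustration of the two goals above (not the project's own design or code), the following Python sketch assumes a small JSON rule format with a handful of comparison operators: the functionality code only builds a request context and asks the access control layer, which evaluates rules loaded from data, so the e-learning conditions named earlier (role, date window, hidden/visible state, user identity) change by editing the document, not the code.

```python
import json

# Constructed sample policy document (an assumed format, not the project's).
# Policy is data: each rule names a resource and action plus conditions that
# must all hold on the request context. Any matching rule grants; if nothing
# matches, access is denied. Timestamps are ISO-8601 strings, which compare
# correctly as plain strings when they share one format.
POLICY_JSON = """[
 {"resource": "assignment", "action": "read", "conditions": [
   {"attr": "role",  "op": "in",      "value": ["student", "instructor"]},
   {"attr": "state", "op": "eq",      "value": "visible"},
   {"attr": "now",   "op": "between", "value": ["2024-09-01T00:00:00", "2024-12-15T23:59:59"]}]},
 {"resource": "assignment", "action": "read", "conditions": [
   {"attr": "role", "op": "eq", "value": "instructor"}]},
 {"resource": "assignment", "action": "read", "conditions": [
   {"attr": "user_id", "op": "eq", "value": "ta-7"}]},
 {"resource": "assignment", "action": "grade", "conditions": [
   {"attr": "role", "op": "eq", "value": "instructor"}]}
]"""

# Comparison operators the policy language offers; anything else fails closed.
OPS = {
    "eq": lambda have, want: have == want,
    "in": lambda have, want: have in want,
    "between": lambda have, want: want[0] <= have <= want[1],
}

def load_policy(text):
    return json.loads(text)

def condition_holds(cond, ctx):
    op = OPS.get(cond["op"])
    # A missing context attribute or an unknown operator denies, never grants.
    if op is None or cond["attr"] not in ctx:
        return False
    return op(ctx[cond["attr"]], cond["value"])

def is_allowed(policy, ctx):
    """The access control layer: the only place where policy is evaluated."""
    for rule in policy:
        if (rule["resource"], rule["action"]) != (ctx["resource"], ctx["action"]):
            continue
        if all(condition_holds(c, ctx) for c in rule["conditions"]):
            return True
    return False  # deny by default

def view_assignment(policy, user, assignment, now):
    """Functionality code: builds the request context and asks the access
    control layer; it embeds no policy of its own."""
    ctx = {"resource": "assignment", "action": "read", "role": user["role"],
           "user_id": user["id"], "state": assignment["state"], "now": now}
    return assignment["body"] if is_allowed(policy, ctx) else None
```

Because `is_allowed` is the single decision point, auditing the policy means reading one document rather than searching every feature for scattered checks.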