Specifies the users or roles that are authorized and denied access to a Web service