As organisations migrate to a distributed computing environment, the administration of security policies, in particular authorisation policies, becomes increasingly important. In this talk, we will consider some issues involved in the design of an authorisation system for distributed systems. We will discuss some of the architectural principles involved and consider an authorisation policy language and give some examples of policy specifications. We will conclude the talk by looking at some further work in this area.