In this paper, we discuss the design issues for an authorization framework for Web Services. In particular, we describe the features required for an authorization policy language for Web Services. We briefly introduce the authorization service provided by Microsoft .NET MyServices and describe our extended authorization model that proposes extensions to the .NET MyServices authorization service to support a range of authorization policies required in commercial systems. We discuss the application of the extended authorization model to a health care system built using Web Services. We use the XML Access Control Language (XACL) in our implementation to demonstrate our extended authorization model. This also enables us to evaluate the range of authorization policies that XACL supports.