When creating my WCF version of a Security Token Service, I also created a flexible way to add claims to the security token by basing that functionality on the provider model. One of the providers I created issues authorization claims that give you access (for example ReadOwn, Read, Create, UpdateOwn, Update and so on) to tasks (or replace task with resource). When I first did this I wasn't satisfied with the scheme that I came up with. My solution was to extend the claim type with the type of permission and then just use the task identifier as resource. After doing some catch-up on some of my blog reading I read this excellent post by Vibro called "Claim types: a coarse taxonomy" and I immediately changed my implementation to follow the R-STS pattern suggested. In my opinion the format is better, and one piece of evidence of that is that my code got easier both to write and to read.