A web service can be composed of multiple component web services in a loosely-coupled environment. Traditional Role Based Access Control (RBAC) is inadequate for the authorization management of composite services since the administration of the component web services has not been taken into consideration. In this paper, we propose a novel conceptual model, named as Service Oriented Authorization Control (SOAC) to facilitate the administration and management for both service consumers and component web services. A set of administrative functions are also provided for managing the elements of SOAC. This research will be the first step towards managing service-oriented authorization.