The success of service-oriented architectures (SOAs) and the Web Service technology in fulfilling the business's needs for inter-enterprise processes led to new challenges for security management in federated environments. Because of the predominant aspect of loose coupling in a SOA the issue of where to locate the processes of authentication and authorization, forming together the access control, a vital part of security management, has to be addressed during the design of access control systems. In the area of tension between local, service-oriented, and federated approaches for access control architectures we identify several essential dimensions, e.g. scalability and maintenance, for evaluating access control architectures. Due to the challenges of quantifying the metrics we propose a ranking system as it is widely used in risk assessment. We examine existing access control architectures and evaluate the different approaches based on our evaluation dimensions. The results of the performed evaluation will guide the design decisions of an organization fulfilling its security requirements in requirements engineering and software design. A case study illustrates how the evaluation criteria serve as a pattern to establish an organization's access control to secure Web Services.