Given a large component-based program, it may be very complex to identify an optimal access-control policy, allow- ing the program to execute with no authorization failures and no violations of the Principle of Least Privilege. This paper presents a novel combination of static and dynamic analysis for automatic determination of precise access- control policies for programs that will be executed on Stack- Based Access Control systems, such as Java and the Com- mon Language Runtime (CLR). The static analysis soundly models the execution of the program taking into account na- tive methods, reflection, and multi-threaded code. The dy- namic analysis interactively refines the potentially conser- vative results of the static analysis, with no need for writing or generating test cases or for restarting the system if an authorization failure occurs during testing, and no risk of corrupting the underlying system on which the analysis is performed. We implemented the analysis framework presented by this paper in an analysis tool for Java programs, called Access-Control Explorer (ACE). ACE allows for automatic, safe, and precise identification of access-right requirements and library-code locations that should be made privilege- asserting to prevent client code from requiring unnecessary access rights. This paper presents experimental results ob- tained on large production-level applications.