Web service is the emerging standard that supports the seamless interoperation between different applications. While the interoperability, flexibility and automated composition are continuously enhanced, security is still the major hurdle. In recent years, lots of studies have been conducted in web service security and various security standards have been proposed. But most of these studies and standards focus on the access control policies for individual web services and do not consider the access issues in composed services. Consider a simplest service chain wherein a user x accesses service s_1, and s_1, in turn, accesses service s_2. The current web service security framework assumes s_1 accesses s_2 based on its own privilege; thus sensitive information may be incorrectly revealed to x. A better solution is that x delegates its privilege to service s_1 for this access. However, problems such as how much privilege to delegate, how to confirm cross-domain delegation, how to delegate additional privilege when needed, etc. arise. The problem becomes more complex when workflow involves many layers of services. In this paper, we propose a delegation-based security model to address all these issues. It extends the basic security models and supports flexible delegation and evaluation-based access control.