Seventh International Conference on Networking (icn 2008)
An Access Control Model for Web-Services That Supports Delegation and Creation of Authority
April 13-April 18
ISBN: 978-0-7695-3106-9
We present a new access control model for XML Web-Services that provides users with two kinds of authorities: the authority to delegate their authorities to other users and the authority to create new authorities based on their own authorities. We developed this model by introducing capability-based access control to Web services. A capability consists of an object identifier and the list of permitted operations for that object. We map an authority of a Web-Services object to a capability of the object and express the capability as a description in Web Services Description Language (WSDL). Delegation of an authority corresponds to distribution of a capability, which is done by passing a WSDL description. Creation of a new authority corresponds to generating a restricted capability based on an original capability, which is done by stacking an object on an original object. Stacking objects also makes it possible to add new functions to existing Web-Services objects without modifying the existing objects. We demonstrate the effectiveness of the proposed model using a schedule management application, which enables a project leader to delegate his or her tasks to subordinates by comparing it with Google Calendar. We also show that the execution times of stackable objects are acceptable by comparing them with typical Internet delay.
Index Terms:
Capability, Access Control, Web-Service
Citation:
Mitsuhiro Mabuchi, Yasushi Shinjo, Akira Sato, Kazuhiko Kato, "An Access Control Model for Web-Services That Supports Delegation and Creation of Authority," icn, pp.213-222, Seventh International Conference on Networking (icn 2008), 2008
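
The capability model described in the abstract, sketched as an added example that is not code from the paper: a capability pairs an object with its permitted operations, delegation is handing the capability over, and a new authority is created by stacking an object on the original. All class and function names are hypothetical, and plain Python objects stand in for the WSDL descriptions and Web-Services calls.

```python
# Added illustration; names are hypothetical, not taken from the paper.
class Denied(Exception):
    pass

class Schedule:
    """Base object: a toy schedule store (constructed sample)."""
    def __init__(self):
        self.events = []
    def read(self):
        return list(self.events)
    def add(self, event):
        self.events.append(event)
        return len(self.events)
    def delete(self, event):
        self.events.remove(event)
        return len(self.events)

class Capability:
    """Object reference plus the list of operations permitted through it."""
    def __init__(self, obj, operations):
        self._obj = obj
        self.operations = frozenset(operations)
    def invoke(self, op, *args):
        if op not in self.operations:
            raise Denied(op)
        return getattr(self._obj, op)(*args)

class Stacked:
    """Object stacked on an original capability; every call goes through it."""
    def __init__(self, lower):
        self._lower = lower
    def __getattr__(self, op):
        return lambda *args: self._lower.invoke(op, *args)

def restrict(cap, operations):
    """Create a new authority: a capability to an object stacked on `cap`."""
    return Capability(Stacked(cap), operations)

def demo():
    leader = Capability(Schedule(), {"read", "add", "delete"})
    subordinate = restrict(leader, {"read", "add"})  # delegated by passing it on
    subordinate.invoke("add", "design review")
    results = {"leader_sees": leader.invoke("read")}
    # A holder cannot regain "delete" by stacking again: the lower layer refuses.
    amplified = restrict(subordinate, {"delete"})
    for name, cap in [("sub_delete", subordinate), ("amplified_delete", amplified)]:
        try:
            cap.invoke("delete", "design review")
            results[name] = "allowed"
        except Denied:
            results[name] = "denied"
    return results
```

Because each stacked layer forwards to the capability beneath it, a derived capability can only narrow the original authority, never widen it.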