Mary Ellen Zurko
Laboratory for Computer Science, Massachusetts Institute of Technology
and
Digital Equipment Corporation, Littleton, MA, 01460

This paper describes the User Attribute Service (UAS), a tool providing the storage and management of application-specific per-user security attributes for applications running in a distributed environment. The UAS provides for the security and integrity of attribute-to-user bindings, as well as the secrecy of those bindings, if the application or user requests it. Four goals of the UAS are support of Least Privilege, local control and autonomy, instantiation of trust relationships, and psychological acceptability. Mechanisms to group and enable privilege attributes support the Least Privilege principle at the user request level. Functions are designed to enhance the usability of the UAS within and across domains by attribute holders and security managers.