We propose an approach for the selective enforcement of access control restrictions in, possibly distributed, large data collections based on two basic concepts: i) flexible authorizations identify, in a declarative way, the data that can be released, and ii) queries are checked for execution not with respect to individual authorizations but rather evaluating whether the information release they (directly or indirectly) entail is allowed by the authorizations. Our solution is based on the definition of query profiles capturing the information content of a query and builds on a graph-based modeling of database schema, authorizations, and queries. Access control is then effectively modeled and efficiently executed in terms of graph coloring and composition and on traversal of graph paths. We then provide a polynomial composition algorithm for determining if a query is authorized.