Аннотация:Modern software systems require complex fine-grained access control policies that can not be implemented in terms of the classical role-based access control (RBAC) model. In this paper we argue the necessity of conceptual modeling for developing a flexible, readable and concise attribute-based access control policies. In the proposed approach the access control rules are associated with domain specific concepts, that are mapped to the underlying data model.