This invention relates to an access control mechanism, and more particularly to an access control mechanism for use with entities such as a database, which facilitates implementing an arbitrary access policy to the entities using access control lists, user groups, user attributes, user capability lists, user roles or any user supplied function.