Web-based information systems (WISs) have become mainstream systems on the Internet and are widely deployed by enterprises worldwide. Although it is extremely important to secure access to WISs, the development of access control for WISs is still in its infancy stage. In addition, existing access control models for web applications are not suitable for WISs. In this paper, we proposed an access control model, called X-Menu, for WISs. Also, a prototype had been designed and implemented. The proposed model provides fine-grained control up to the element level of documents and is flexible and secured. The maintenance cost of the proposed model is low, and the proposed model can prevent users from performing any unauthorized task.