We propose an access control model that extends RBAC (role-based access control) to take time and location into account, and use term rewriting systems to specify access control policies in this model. We discuss implementation techniques for rewrite-based policy specifications, and the integration of these policies in Web applications. The declarative nature of the model facilitates the analysis of policies and the evaluation of access requests: we present two case-studies.