Because of the limitations of condition configuration and execution mechanism, the exiting access control models are not flexible and can not support multi-policy. Focusing on this, the paper presents a policy-based access control model (PBAC). Different from the traditional models which restrict session only with subject authorization, PBAC realizes policy-based access control by defining attribute to describe session property, performing a new policy management method that is free from application logic, and advocating an independent access control decision mechanism. As a consequence, PBAC is more flexible on restricting session, and makes great progress on multi-policy supporting. The comparison analysis indicates that PBAC is superior to the current access control models.