We propose an access control scheme for developing authorization rules for XML documents, allowing flexible data granularity and authorization propagation. To simplify the complex access control policies in XML, we introduce a new tool: the Authorization Policy Sheet (APS). Complex access control rules can be easily described in an APS, so the administrator of a system can easily manage its access control. With the aid of Data Type Definitions (DTD), the policies given in an APS can be converted into standard XML code that can be implemented in a normal XML environment.