Proposes an object-oriented role-based access control (ORBAC) model to efficiently represent the real world. Though ORBAC is a good model, administration of ORBAC, including creating and maintaining an access control security policy, still remains a challenging problem. Presents a practical method that can be employed in an enterprise environment to manage security policies using eXtensible Markup Language (XML). Based on ORBAC security policy expressed in XML, a role assignment algorithm is presented. The computation complexity of the algorithms is O(N) where n is the number of position roles in a user's assigned position role scope.