Traditional RBAC model describes a static access control policy. As the development of network application, such as Web services, access control faces many new challenges, one of which is that access control policies need to protect not only static resources but also dynamic ones that are encapsulated in a service. In order to capture the flexibility of application, we specify a fine-grained control on individual users by introducing user attributes which are associated to user's role and permission. We take the service as an action that changes some of user's attributes so as to adjust users' permission at run. In order to represent and reason on the access control automatically, we use the description logics combined with prepositional dynamic logic as a logic framework to construct a knowledge base for the access control and action rules, and semantically explain how a user's permission can be changed at runtime.