One of the most important features of XML Web services is that they can be easily accessed over the Internet, but this makes them vulnerable to a series of security threats. What makes security for Web services so challenging is their distributed and heterogeneous nature. In this context, this paper presents an access control system for Web services. We introduce the Semantic Policy Language (SPL) for the description of access control criteria based on the use of attribute certificates. This language has been specifically designed to take advantage of semantic information about resources and the context to achieve full (syntactic and semantic) validation of policies. Another objective in its design has been to facilitate security management. In particular, SPL is modular and enables the abstraction and reuse of components, the composition of SPL policies in an unambiguous way, and the dynamic instantiation of parameters based on semantic properties of resources. Finally, the semantic integration of a Privilege Management Infrastructure (PMI) in access control systems of heterogeneous Web services built upon SPL enables their interoperability.