Abstract: In this study, a formal model for specification of Access Control Policies (ACP) is represented. This model is capable of expressing several ACPs and combining them in a unified framework. We call present model Constrained Policy Graph (CPG), which is an extension of Take-Grant (TG) protection model. Although TG can be used to specify the ACPs but it represents the policies without any constraint (e.g., time, location, or any other restriction parameters). Furthermore, it hasn`t ever been used for combining the policies and nested expression of them. In present proposed model, not only the policies can be constrained according to system requirements but also, it can be used for combining ACPs as well as their nested specification. Furthermore, ACPs can be verified conflicts or contradictions using this model. One of the main applications of the proposed model is specifying and combining the ACPs of web services and verifying their composed policies in web service composition.