Most access control frameworks for Web applications enforce the control along with the invocation of an application function. While effective for preventing unauthorized access, this approach also incurs certain runtime overhead and user inconvenience, because it is often possible to determine whether a particular function should be allowed without actually having to try to perform it. This paper presents a flexible function menu generator (F-menugen) that restricts user menus to the functions that a user's current access privileges permit, and can thus support access control on the presentation tier to overcome those shortcomings. The menu structure and the rules governing the functions accessible to a user are specified declaratively in an XML configuration file; the rules are based on user attributes, application-specific requirements, and certain contextual information. This scheme retains the administrative scalability that role-based access control offers, yet provides the flexibility to specify more complex restrictions without actual coding.