Access control in existing Java-based mobile agents is mostly based on code source due to limitations of early Java security architecture. That is, authorization is based on where the agent code comes from, regardless of the subject of code execution. This paper presents an agent-oriented access control strategy, by taking advantage of the latest Java subject-based security features. It allows the agents to exercise their privileges based on their own roles in distributed applications. The access control is realized by a group of additional agent-oriented permissions. They grant access control privileges to system resources and services in a flexible and secure manner. Permission implications between agents of different clone generations and from different owners are also supported.