In this paper we propose a formalization of access control policies based on term rewriting. The state of the system to which policies are enforced is represented as an algebraic term, which allows us to model several aspects of the policy environment. Policies are implemented by sets of rewrite rules, whose evaluation produces authorization decisions. We discuss the relation between properties of term rewriting systems, such as confluence and termination, and their consequences on defining trusted access control policies.