Abstract: A kind of three level access control policy towards component is presented by extensible access control markup language (XACML) for the protection of component interaction, interface invocation, and parameters access. Based on this policy, the mutation test strategies are designed: policy mutations follow policy mutations, policyset mutations follow policy mutations, and vice versa. Both the case study and semantical verification shows that the access control of component interface and interactions can be tested by XACML mutation policies.