In this paper we propose a novel access control model called workflow-based dynamic access control (WBDAC) for SOA and workflow-based systems. Besides regulating access control according to the dynamic behavior of workflow processes, WBDAC is based on the idea of creating transient policies dynamically so as to alleviate the role- and rule-explosion problems in RBAC and ABAC. We define a logical expression language for WBDAC called the dynamic access control language for an SOA (DACL4SOA). We have also designed an architecture to support DACL4SOA in SOA systems based on the Business Process Execution Language and the Extensible Access Control Markup Language. The presented implementation and experimental results demonstrate the feasibility of the proposed model.