With the current rapid increase of cloud computing, enterprises outsource their sensitive data for sharing in a cloud. The key problems of this approach include establishing access control for the encrypted data, and revoking the access rights from users when they are no longer authorized to access the encrypted data on cloud servers. This paper aims to solve these problems. Firstly, based on the attribute encryption and the dual encryption system, we propose a concrete access control scheme constructed over the composite order bilinear groups, and we prove its security under the standard model. Then, we propose a fully fine-grained revocation scheme under the direct revocation model, so as to efficiently revoke access rights from users on cloud servers.