Specifying the access policy of a Web system is a relevant design concern that is often dismissed or postponed until the implementation. ADM-RBAC (Ariadne development method with role-based access control) is a model-driven approach for Web systems that supports the specification of access control policies in an integrated way and at two abstraction levels. At the conceptual level a number of visual models specify the access policy in a way that is similar to the userspsila point of view. At the detailed level, models are oriented towards providing enough details to generate prototypes in an automatic or semiautomatic way. In this paper we describe the visual models of ADM-RBAC and their empirical evaluation.