The eXtensible Access Control Markup Language (XACML) is the de facto language to specify access control policies for web services. XACML has an RBAC profile (XACML-RBAC) to support role-based access control policies. We extend this profile with an administrative RBAC profile, which we refer to as the XACML-ARBAC profile. One of the advantages of doing so is to use policies based on RBAC model to administrate XACML-RBAC policies. Because using permissions granted by XACML-ARBAC policies alter XACML-RBAC policies, enforcing XACML-ARBAC polices requires some concurrency control within XACML access controller's runtime. In order to solve this concurrency problem, we propose a session-aware administrative model for RBAC, and enhance the XACML policy evaluation runtime using a locking mechanism. Experimental study shows reconcilable performance characteristics of our enhancements to Sun's XACML reference implementation.