To protect sensitive data in Web applications from unauthorized access, a data access strategy consisting of user set and data access authority is proposed, which is based on traditional role based access control model. The data access strategy is related to function. After parsing the original business SQL, row-level-rules are applied to filter the data records in row level, and column-level-rules are applied to mask the corresponding attributes of the data records. A data security access control framework is designed. Finally, this strategy is implemented in the Agricultural Products Supply Chain Management System of Xinfadi, and the validity and effectiveness of the presented strategy is demonstrated.