Cyber-physical space is a spatial environment that integrates the cyber world and the physical world,aiming to provide an intelligent environment for users to conduct their day-to-day activities.The interplay between the cyber space and physical space proposes specific security requirements that are not captured by traditional access control frameworks.On one hand,the security of the physical space and the cyber space should be both concerned in the cyber-physical space.On the other hand,the bad results caused by failure in providing secure policy enforcement may directly affect the controlled physical world.In this paper,we propose an effective access control framework for the cyber-physical space.Firstly,a topology-aware access control (TAAC) model is proposed.It can express the cyber access control,the physical access control,and the interaction access control simultaneously.Secondly,a risk assessment approach is proposed for the policy enforcement phase.It is used to evaluate the user behavior and ensures that the suspicious behaviors executed by authorized users can be handled correctly.Thirdly,we propose a role activation algorithm to ensure that the objects are accessed only by legal and honest users.Finally,we evaluate our approach by using an illustrative example and the performance analysis.The results demonstrate the feasibility of our approach.