The immensity and variety of personal information (e.g., profiles, photos, and microblogs) on social sites require access control policies tailored to individuals' privacy needs. Today such policies are still mainly specified manually by ordinary users, an approach that is usually coarse-grained, tedious, and error-prone. This paper presents the design, implementation, and evaluation of an automated access control policy specification tool, XACCESS, that helps non-expert users effectively specify who should have access to which part of their data. A series of key features distinguish XACCESS from prior work: 1) it adopts a role-based access control model (instead of the conventional rule-based paradigm) to capture the implicit privacy/interest preferences of social site users; 2) it employs a novel hybrid mining method to extract a set of semantically interpretable, functional "social roles" from both static network structures and dynamic historical activities; 3) based on the identified social roles, the confidentiality settings of personal data, and (optional and possibly inconsistent) predefined user-permission assignments, it recommends a set of high-quality privacy settings; 4) it allows user feedback in every phase of the process to further improve the quality of the suggested privacy policies. A comprehensive experimental evaluation is conducted over real social network and user study data to validate the efficacy of XACCESS.