In this paper, we propose a novel integrated authentication and access control scheme using smart cards. A list of accessible resources with privileges is encrypted in the smart card issued to the user. Without storing access control information, a server can authenticate each user, realize resources to be accessed, and determine access privileges. We propose the use of card identifiers to prevent privilege elevation attacks and to protect the privacy of access requests. Our scheme has the following merits: low communication and computational cost, no access control information in the server, prevention of privilege elevation attack, multiple-access requests, privacy protection of access requests, mutual authentication, and session key agreement.