In this paper, we propose an access control architecture for constrained healthcare resources in the IoT. Our policy-based approach provides fine-grained access for authorised users to services while protecting valuable resources from unauthorised access. We use a hybrid approach by employing attributes, roles and capabilities for our authorisation design. We apply attributes for role membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterised based on further attributes of the user and are then used to access specific services provided by IoT devices. This significantly reduces the number of policies required for specifying access control settings. The proposed scheme is XACML-driven. Our approach requires very little additional overhead when compared to other proposals employing capabilities for access control in the IoT. We have implemented a proof-of-concept prototype and provide a performance evaluation of the implementation.
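The attribute-to-role-to-capability flow described above can be illustrated with a small authorisation server and device-side check. This is an added example, not the paper's prototype or its XACML policies; the attribute names (`profession`, `ward`), the roles, the services and the shared HMAC key are all assumptions constructed for the demonstration. It shows how one role-level policy ("ward nurses may read vitals") yields a capability scoped by the user's own `ward` attribute, so no per-ward policy is needed, and how a device accepts or rejects a presented capability.

```python
"""Attribute/role/capability hybrid authorisation, as an illustration.

Added example, not the paper's code. Attribute names, roles, services and
the HMAC key below are assumptions constructed for this demo.
"""
import hashlib
import hmac
import json

# Constructed secret shared by the authorisation server and the devices
# (assumption for the demo; a real deployment would provision per-device keys).
SECRET_KEY = b"demo-key-not-for-production"

# Step 1: attributes -> role membership (assumed rule set).
ROLE_RULES = {
    "ward_nurse": lambda a: a.get("profession") == "nurse" and "ward" in a,
    "physician": lambda a: a.get("profession") == "physician",
}

# Step 2: role -> capabilities. Each entry names a service and the user
# attribute that parameterises the capability (None = unrestricted scope).
ROLE_CAPABILITIES = {
    "ward_nurse": [("read_vitals", "ward")],
    "physician": [("read_vitals", None), ("adjust_pump", None)],
}


def assign_roles(attributes):
    """Return the roles whose membership rule the attribute set satisfies."""
    return sorted(role for role, rule in ROLE_RULES.items() if rule(attributes))


def _sign(payload):
    """HMAC over a canonical JSON encoding so devices can verify integrity."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_capabilities(subject, attributes):
    """Authorisation server: attributes -> roles -> signed, parameterised capabilities."""
    caps = []
    for role in assign_roles(attributes):
        for service, param_attr in ROLE_CAPABILITIES[role]:
            # Parameterise the capability with the user's own attribute value.
            scope = attributes[param_attr] if param_attr else "*"
            payload = {"sub": subject, "service": service, "scope": scope}
            caps.append({**payload, "sig": _sign(payload)})
    return caps


def device_authorise(capability, service, resource_scope):
    """Device-side check: valid signature, matching service, scope covers resource."""
    payload = {k: capability.get(k) for k in ("sub", "service", "scope")}
    if not hmac.compare_digest(_sign(payload), capability.get("sig", "")):
        return False  # forged or tampered capability
    if capability["service"] != service:
        return False  # capability is for a different service
    return capability["scope"] in ("*", resource_scope)


if __name__ == "__main__":
    nurse_caps = issue_capabilities("alice", {"profession": "nurse", "ward": "W3"})
    print(nurse_caps)
    print(device_authorise(nurse_caps[0], "read_vitals", "W3"))  # True
    print(device_authorise(nurse_caps[0], "read_vitals", "W4"))  # False
```

The device never consults the role policy: it only verifies the signature and compares the capability's scope with the resource it is asked to serve, which is what keeps the per-request check cheap on a constrained node.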