-- XML schema extracted from ITU-T X.1144 (10/2013)

<?xml version="1.0" encoding="UTF-8"?>
<Policy
  xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xf="http://www.w3.org/2005/xpath-functions"
  xmlns:md="http:www.med.example.com/schemas/record.xsd"
  PolicyId="urn:oasis:names:tc:xacml:3.0:example:policyid:2"
  Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <Target/>
  <VariableDefinition VariableId="17590035">
    <Apply
      FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
      <Apply
        FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
        <AttributeDesignator
          MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
          AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" 
          DataType="http://www.w3.org/2001/XMLSchema#date"/>
      </Apply>
      <Apply
  FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
        <Apply
          FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
          <AttributeSelector
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            Path="md:record/md:patient/md:patientDoB/text()" 
            DataType="http://www.w3.org/2001/XMLSchema#date"/>
        </Apply>
        <AttributeValue
          DataType="http://www.w3.org/2001/XMLSchema#yearMonthDuration"
          >P16Y</AttributeValue>
      </Apply>
    </Apply>
  </VariableDefinition>
  <Rule
    RuleId="urn:oasis:names:tc:xacml:3.0:example:ruleid:2"
    Effect="Permit">
    <Description>
      A person may read any medical record in the
      http://www.med.example.com/records.xsd namespace
      for which he or she is the designated parent or guardian, 
      and for which the patient is under 16 years of age
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match
            MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              >urn:example:med:schemas:record</AttributeValue>
            <AttributeDesignator
              MustBePresent="false"
             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
           AttributeId= "urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
          </Match>
          <Match
            MatchId="urn:oasis:names:tc:xacml:3.0:function:xpath-node-match">
            <AttributeValue
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
       XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              >md:record</AttributeValue>
            <AttributeDesignator
              MustBePresent="false"
             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector"
             DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
               >read</AttributeValue>
            <AttributeDesignator
              MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply
         FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator
              MustBePresent="false"
         Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
             AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <Apply
         FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector
             MustBePresent="false"
             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
     Path="md:record/md:parentGuardian/md:parentGuardianId/text()"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <VariableReference VariableId="17590035"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>