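<?xml version="1.0" encoding="UTF-8"?>
<!-- XML schema extracted from ITU-T X.1144 (10/2013) -->
<!--
  XACML 3.0 example policy 3: a single Permit rule that lets a physician write
  the medical element of a record when the physician is that record's
  designated primary care physician, with an obligation to email the patient.

  Review notes:
  * The extraction header used to sit in front of the XML declaration, which
    made the document not well-formed. It is now a comment after the
    declaration.
  * xsi:schemaLocation is only a hint. A PAP/PDP that validates policies
    should load the XACML schema from a trusted local copy, not fetch the URL
    named in the document.
  * NOTE(review): the md prefix is bound to
    "http:www.med.example.com/schemas/record.xsd" (no "//" after "http:"),
    the Description names "http://www.med.example.com/schemas/record.xsd",
    and the policy Target matches "urn:example:med:schemas:record". The md:
    XPath steps below select only nodes whose namespace URI equals the md
    binding exactly, so confirm which URI the record documents really use.
    The binding is left as published.
-->
<Policy
  xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
  xmlns:md="http:www.med.example.com/schemas/record.xsd"
  PolicyId="urn:oasis:names:tc:xacml:3.0:example:policyid:3"
  Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>
    Policy for any medical record in the
    http://www.med.example.com/schemas/record.xsd namespace
  </Description>
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <!--
    Policy target: applies only when the resource's target-namespace attribute
    equals urn:example:med:schemas:record. With MustBePresent="false" a
    request that omits the attribute produces an empty bag, so the Match is
    false and the policy is NotApplicable. The enclosing policy set or the
    PEP then decides what NotApplicable means for access.
  -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match
          MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
            >urn:example:med:schemas:record</AttributeValue>
          <AttributeDesignator
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!--
    The only rule in the policy, and its effect is Permit. There is no Deny
    rule for deny-overrides to prefer, so the policy decision follows this
    rule's result.
  -->
  <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:ruleid:3"
    Effect="Permit">
    <Description>
      A physician may write any medical element in a record
      for which he or she is the designated primary care
      physician, provided an email is sent to the patient
    </Description>
    <!--
      Rule target: the three AnyOf elements are ANDed, so all of role,
      resource node and action must match.
    -->
    <Target>
      <!-- Subject role must be "physician". -->
      <AnyOf>
        <AllOf>
          <Match
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
              >physician</AttributeValue>
            <AttributeDesignator
              MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:role"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Match>
        </AllOf>
      </AnyOf>
      <!--
        The requested node (content-selector) must be matched by
        md:record/md:medical, evaluated against the resource content.
      -->
      <AnyOf>
        <AllOf>
          <Match
            MatchId="urn:oasis:names:tc:xacml:3.0:function:xpath-node-match">
            <AttributeValue
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
              XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              >md:record/md:medical</AttributeValue>
            <AttributeDesignator
              MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
          </Match>
        </AllOf>
      </AnyOf>
      <!-- Action must be "write". -->
      <AnyOf>
        <AllOf>
          <Match
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
              DataType="http://www.w3.org/2001/XMLSchema#string"
              >write</AttributeValue>
            <AttributeDesignator
              MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!--
      Condition: the subject's physician-id must equal the registration ID of
      the record's primary care physician. Each side is wrapped in
      string-one-and-only, so a missing or multi-valued attribute gives
      Indeterminate instead of a comparison. How Indeterminate is enforced
      depends on the PEP; a deny-biased PEP refuses the write.

      Fix: the physician-id AttributeId carried a stray space after
      "example:" in the extracted text. That is not a valid URI and could
      never match the identifier a request supplies, so the condition could
      not evaluate to true. It now follows the same
      urn:oasis:names:tc:xacml:3.0:example:attribute: pattern as the role
      and mailto identifiers in this policy.
    -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply
          FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:physician-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply
          FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeSelector
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            Path="md:record/md:primaryCarePhysician/md:registrationID/text()"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!--
    Obligation returned with a Permit: email the patient. The PEP may allow
    the write only if it understands this obligation and will discharge it.
    The mailto selector uses MustBePresent="true", so a record without a
    patient email makes the obligation expression, and with it the policy,
    Indeterminate instead of Permit.
    The address comes from the record and the subject-id from the request;
    the component that composes the message should validate the address and
    treat both values as data, not as mail headers or markup.
  -->
  <ObligationExpressions>
    <ObligationExpression ObligationId="urn:oasis:names:tc:xacml:example:obligation:email"
      FulfillOn="Permit">
      <AttributeAssignmentExpression
        AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:mailto">
        <AttributeSelector
          MustBePresent="true"
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
          Path="md:record/md:patient/md:patientContact/md:email"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </AttributeAssignmentExpression>
      <AttributeAssignmentExpression
        AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
        >Your medical record has been accessed by:</AttributeValue>
      </AttributeAssignmentExpression>
      <AttributeAssignmentExpression
        AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
        <AttributeDesignator
          MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>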