-- XML schema extracted from ITU-T X.1144 (10/2013)
<?xml version="1.0" encoding="UTF-8"?>
<Policy
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xacml ="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
xmlns:md="http:www.med.example.com/schemas/record.xsd"
PolicyId="urn:oasis:names:tc:xacml:3.0:example:policyid:3"
Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
Policy for any medical record in the
http://www.med.example.com/schemas/record.xsd namespace
</Description>
<PolicyDefaults>
<XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
</PolicyDefaults>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
>urn:example:med:schemas:record</AttributeValue>
<AttributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
AttributeId="urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:ruleid:3"
Effect="Permit">
<Description>
A physician may write any medical element in a record
for which he or she is the designated primary care
physician, provided an email is sent to the patient
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>physician</AttributeValue>
<AttributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:3.0:function:xpath-node-match">
<AttributeValue
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>md:record/md:medical</AttributeValue>
<AttributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>write</AttributeValue>
<AttributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:3.0:example: attribute:physician-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="md:record/md:primaryCarePhysician/md:registrationID/text()"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<ObligationExpressions>
<ObligationExpression ObligationId="urn:oasis:names:tc:xacml:example:obligation:email"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:mailto">
<AttributeSelector
MustBePresent="true"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="md:record/md:patient/md:patientContact/md:email"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>Your medical record has been accessed by:</AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>