that we are in the process of public review, I wanted to
share some comments that I have had on the privacy profile.
I think the privacy profile can be updated to support much
broader privacy policies.
constraints can take the following basic forms (there might
be more complex/combined forms but let’s only consider the
most common forms):
white list: a list of purposes that are allowed. Any other
purposes will be denied.
black list: a list of prohibited purposes. Any other purpose
will be allowed.
constraints can be combined with other authorization factors
and form purpose-based policies. The following are the main
categories for such policies. These can be combined to form
more complex policies.
a purpose constraint on the action or action attributes:
is only allowed for the purpose of treatment."
purpose is forbidden for remote actions."
a purpose constraints on the use of a certain resource or a
group of resources: e.g.
medical record must only be used for the purpose of
health data must not be used for the purpose of research."
a purpose constraint on the subject or a group of subjects:
purpose of treatment is forbidden for members of the role
staff can only assume the purpose of research."
a purpose constraint on the environmental attributes: e.g.
action for the purpose of ‘product research’ is allowed on
the sales department computers."
only purposes allowed outside business hours are telephone
and email marketing."
current profile only supports type 1.B.
suggestion is that the attributes definitions be extended
and remain normative while the standard rules section is
made non-normative and extended to incorporate the above
forms as different possible forms of purpose-based policies.
Architect, Edmond Scientific Company
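As an added illustration (not part of the message above or of the XACML privacy profile itself), the following Python model shows the two basic purpose constraints, white list and black list, attached to action, resource, subject and environment attributes and combined deny-overrides, so that a request is permitted only when every applicable constraint accepts its declared purpose. The attribute names, the rule set and the sample requests are constructed for the example; the decision names follow XACML usage.

```python
"""Purpose-based policy forms: white/black lists of purposes scoped by other
authorization factors and combined deny-overrides.
Hypothetical model with constructed data; not the XACML privacy profile."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# A request is a flat attribute bag plus the declared purpose (constructed shape).
Request = Dict[str, object]


@dataclass(frozen=True)
class PurposeConstraint:
    """White list: only the listed purposes are allowed.
    Black list: the listed purposes are prohibited, anything else is allowed."""
    purposes: FrozenSet[str]
    white_list: bool = True

    def permits(self, purpose: str) -> bool:
        listed = purpose in self.purposes
        return listed if self.white_list else not listed


@dataclass(frozen=True)
class PurposeRule:
    """A purpose constraint that applies only to requests matching a target
    predicate over action, resource, subject or environment attributes."""
    name: str
    target: Callable[[Request], bool]
    constraint: PurposeConstraint


def evaluate(rules: List[PurposeRule], request: Request) -> str:
    """Deny-overrides: any applicable rule that rejects the purpose wins.
    Returns 'Permit', 'Deny' or 'NotApplicable' (XACML decision names)."""
    applicable = [r for r in rules if r.target(request)]
    if not applicable:
        return "NotApplicable"
    purpose = str(request.get("purpose", ""))
    if any(not r.constraint.permits(purpose) for r in applicable):
        return "Deny"
    return "Permit"


def allow(*purposes: str) -> PurposeConstraint:
    """White list of purposes (assumed helper name)."""
    return PurposeConstraint(frozenset(purposes), white_list=True)


def forbid(*purposes: str) -> PurposeConstraint:
    """Black list of purposes (assumed helper name)."""
    return PurposeConstraint(frozenset(purposes), white_list=False)


# Constructed rules, one or two per category; attribute names are assumptions.
RULES: List[PurposeRule] = [
    # 1. action attribute: remote actions may never be performed for marketing
    PurposeRule("remote-no-marketing",
                lambda r: r.get("remote") is True, forbid("marketing")),
    # 2. resource: medical records only for treatment; health data never for research
    PurposeRule("medical-record-treatment-only",
                lambda r: r.get("resource_type") == "medical-record", allow("treatment")),
    PurposeRule("health-data-no-research",
                lambda r: r.get("resource_type") in {"medical-record", "health-data"},
                forbid("research")),
    # 3. subject: billing role may not act for treatment; research staff only for research
    PurposeRule("billing-no-treatment",
                lambda r: r.get("role") == "billing", forbid("treatment")),
    PurposeRule("research-staff-research-only",
                lambda r: r.get("role") == "research-staff", allow("research")),
    # 4. environment: outside business hours only telephone and email marketing
    PurposeRule("after-hours-marketing-only",
                lambda r: r.get("business_hours") is False,
                allow("telephone marketing", "email marketing")),
]


def decide(**attrs: object) -> str:
    """Evaluate a constructed request against RULES."""
    return evaluate(RULES, attrs)


if __name__ == "__main__":
    # A subject-level white list can be overridden by a resource-level black list.
    print(decide(role="research-staff", resource_type="health-data",
                 purpose="research", business_hours=True))  # Deny
    print(decide(role="physician", resource_type="medical-record",
                 purpose="treatment", business_hours=True))  # Permit
```

The deny-overrides combination is what makes the four categories composable: each rule only needs to state its own constraint, and a request such as research staff reading health data for research is denied by the resource rule even though the subject rule accepts the purpose.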
I have also posted an announcement to
the OASIS and XACML LinkedIn groups, Twitter and the
OASIS Facebook page. Feel free to like/comment/retweet
these announcements to spread the word.
Please consider forwarding these
announcements on to other parties who may be interested
in the work. In my experience, TCs that actively solicit
outside review get more and better quality feedback on
Also, please keep in mind the OASIS
requirements for handling comments. Non-TC member
feedback can only be submitted to the TC's comment list
The TC must have someone subscribed to this mail list to
monitor comments. All submitted comments must be
acknowledged by the TC. In addition, the TC needs to
maintain a log of comments received and their
resolutions. The comment resolution log will need to be
available when you begin your next public review. A
simple comment resolution log template is available in
OpenDocument and Office format.
Let me know if you have any questions
regarding the review or next steps.
=== Additional references:
Director of Standards Development and TC Administration
OASIS: Advancing open standards for the information
Primary: +1 973-996-2298
Mobile: +1 201-341-1393