that we are in the process of public review, I
wanted to share some comments that I have had on the
privacy profile. I think the privacy profile can be
updated to support much broader privacy policies.
constraints can take the following basic forms
(there might be more complex/combined forms, but
let's only consider the most common forms):
white list: a list of purposes that are allowed. Any
other purposes will be denied.
black list: a list of prohibited purposes. Any other
purpose will be allowed.
constraints can be combined with other authorization
factors and form purpose-based policies. The
following are the main categories for such policies.
These can be combined to form more complex policies.
a purpose constraint on the action or action
is only allowed for the purpose of treatment."
purpose is forbidden for remote actions."
a purpose constraints on the use of a certain
resource or a group of resources: e.g.
medical record must only be used for the purpose of
health data must not be used for the purpose of
a purpose constraint on the subject or a group of
purpose of treatment is forbidden for members of the
staff can only assume the purpose of research."
a purpose constraint on the environmental
action for the purpose of ‘product research’ is
allowed on the sales department computers."
only purposes allowed outside business hours are
telephone and email marketing."
current profile only supports type 1.B.
suggestions is that the attributes definitions be
extended and remain normative while the standard
rules section is made non-normative and extended to
incorporate the above forms as different possible
forms of purpose-based policies.
Architect, Edmond Scientific Company
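The two basic constraint forms (white list, black list) and the four categories of purpose-based policy described in the comment above, as an added Python model. This is not code from the original e-mail thread or from the XACML privacy profile: the request attribute names, policy names, target predicates and sample purposes are constructed for illustration and are not the profile's own identifiers or schema. The combining rule is a simple deny-overrides: any applicable policy whose purpose constraint fails yields Deny.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Union


@dataclass(frozen=True)
class Request:
    """Attributes of one access request (illustrative names, not XACML identifiers)."""
    purpose: str
    action: str
    resource_type: str
    subject_role: str
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class WhiteList:
    """Basic form: a list of allowed purposes; any other purpose is denied."""
    allowed: FrozenSet[str]

    def permits(self, purpose: str) -> bool:
        return purpose in self.allowed


@dataclass(frozen=True)
class BlackList:
    """Basic form: a list of prohibited purposes; any other purpose is allowed."""
    prohibited: FrozenSet[str]

    def permits(self, purpose: str) -> bool:
        return purpose not in self.prohibited


Constraint = Union[WhiteList, BlackList]


@dataclass(frozen=True)
class PurposePolicy:
    """A purpose constraint attached to a target. The target predicate selects
    requests by action, resource, subject or environment; the constraint then
    judges the purpose asserted in the request."""
    name: str
    applies_to: Callable[[Request], bool]
    constraint: Constraint


def evaluate(policies: Iterable[PurposePolicy], req: Request) -> str:
    """Deny-overrides combination of every applicable policy:
    none applicable -> NotApplicable; any failing constraint -> Deny; else Permit."""
    applicable = [p for p in policies if p.applies_to(req)]
    if not applicable:
        return "NotApplicable"
    if any(not p.constraint.permits(req.purpose) for p in applicable):
        return "Deny"
    return "Permit"


# Constructed sample policies, one per category from the comment (hypothetical values).
POLICIES = (
    # 1. constraint on the action: a purpose forbidden for remote actions
    PurposePolicy("no-marketing-via-remote-actions",
                  lambda r: r.action == "remote-read",
                  BlackList(frozenset({"marketing"}))),
    # 2. constraint on the resource: medical records only for treatment
    PurposePolicy("medical-record-treatment-only",
                  lambda r: r.resource_type == "medical-record",
                  WhiteList(frozenset({"treatment"}))),
    # 3. constraint on the subject: research staff may only assume the research purpose
    PurposePolicy("research-staff-research-only",
                  lambda r: r.subject_role == "research-staff",
                  WhiteList(frozenset({"research"}))),
    # 4. constraint on the environment: outside business hours only marketing purposes
    PurposePolicy("after-hours-marketing-only",
                  lambda r: r.environment.get("business_hours") is False,
                  WhiteList(frozenset({"telephone-marketing", "email-marketing"}))),
)


def decide(req: Request) -> str:
    """Evaluate a request against the constructed policy set."""
    return evaluate(POLICIES, req)


if __name__ == "__main__":
    clinician = Request("treatment", "read", "medical-record", "clinician",
                        {"business_hours": True})
    print(decide(clinician))   # Permit: resource policy allows the treatment purpose
    researcher = Request("research", "read", "medical-record", "research-staff",
                         {"business_hours": True})
    print(decide(researcher))  # Deny: subject policy passes, resource policy fails
    remote = Request("marketing", "remote-read", "contact-list", "sales",
                     {"business_hours": True})
    print(decide(remote))      # Deny: black-listed purpose on a remote action
```

Because the categories combine under deny-overrides, a request can satisfy one policy and still be denied by another: a clinician reading a medical record for treatment is permitted during business hours but denied after hours under the constructed environment policy, which is exactly the kind of interaction a profile supporting all four forms has to make explicit.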
I have also posted an
announcement to the OASIS and XACML LinkedIn
groups, Twitter and the OASIS FaceBook page.
Feel free to like/comment/retweet these
announcements to spread the word.
Please consider forwarding
these announcements on to other parties who may
be interested in the work. In my experience, TCs
that actively solicit outside review get more
and better quality feedback on their
Also, please keep in mind the
OASIS requirements for handling comments.
Non-TC member feedback can only be submitted to
the TC's comment list email@example.com.
The TC must have someone subscribed to this mail
list to monitor comments. All submitted comments
must be acknowledged by the TC. In addition, the
TC needs to maintain a log of comments received
and their resolutions. The comment resolution
log will need to be available when you begin
your next public review. A simple comment
resolution log template is available in
OpenDocument and Office format.
Let me know if you have any
questions regarding the review or next steps.
=== Additional references:
Director of Standards Development and TC
OASIS: Advancing open standards for the
Primary: +1 973-996-2298
Mobile: +1 201-341-1393