﻿<?xml version="1.0" encoding="utf-8"?>
<xacml:Policy xmlns:xsl="http://www.w3.org/2001/XMLSchema-instance" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:altinn:example:delegationscheme:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
	<xacml:Target />
	<xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
		<xacml:Description>Default policy template for Maskinporten DelegationSchemes</xacml:Description>
		<xacml:Target>
			<xacml:AnyOf>
				<xacml:AllOf>
					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">APIADM</xacml:AttributeValue>
						<xacml:AttributeDesignator AttributeId="urn:altinn:rolecode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
					</xacml:Match>
				</xacml:AllOf>
				<xacml:AllOf>
					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">maskinporten-scopes</xacml:AttributeValue>
						<xacml:AttributeDesignator AttributeId="urn:altinn:accesspackage" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
					</xacml:Match>
				</xacml:AllOf>
			</xacml:AnyOf>
			<xacml:AnyOf>
				<xacml:AllOf>
					<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">skd-maskinportenschemaid-8</xacml:AttributeValue>
						<xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
					</xacml:Match>
				</xacml:AllOf>
			</xacml:AnyOf>
			<xacml:AnyOf>
				<xacml:AllOf>
					<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scopeaccess</xacml:AttributeValue>
						<xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
					</xacml:Match>
				</xacml:AllOf>
			</xacml:AnyOf>
		</xacml:Target>
	</xacml:Rule>
	<xacml:ObligationExpressions>
		<xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
			<xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
			</xacml:AttributeAssignmentExpression>
		</xacml:ObligationExpression>
	</xacml:ObligationExpressions>
</xacml:Policy>