Listing 1: The XACML Policy for the Example

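<!--
  Invoice approval policy for the finance department example.
  The single rule permits "Approve" on the InvoiceManagement resource for a
  subject that satisfies all three SubjectMatch entries (DNS name,
  authentication method, role) and whose ApprovalLimit is at least the
  invoice amount.

  NOTE(review): VariableDefinition, VariableReference and a Condition that
  wraps a bare expression are XACML 2.0 constructs, while the namespace and
  schema declared below are XACML 1.0, and no Policy-level Target is present.
  Validate the policy against the schema of the version the PDP implements
  before relying on it.

  Identifier URIs are written on one line each: a line break inside an
  attribute value is normalised to a space and no longer names the intended
  function, algorithm or attribute.
-->
<Policy
    xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
    PolicyId="Finance-Dept-Example"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">

  <!--
    Variable "1": ApprovalLimit >= invoice amount.
    NOTE(review): both arguments are fetched as XMLSchema#string through
    string-one-and-only, but double-greater-than-or-equal takes doubles. A
    type-checking PDP is expected to reject this or answer Indeterminate. The
    designator, the selector and the request attribute should all use
    XMLSchema#double with double-one-and-only; the types are left as published
    because the request listing declares ApprovalLimit as a string.
  -->
  <VariableDefinition VariableId="1">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator
            AttributeId="ApprovalLimit"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <!--
          The XPath prefixes are resolved from the namespaces in scope on this
          element. xacml-context is declared on Policy; the invoice prefix is
          not declared anywhere in this listing and must be bound to the
          application's invoice namespace before the path can be evaluated.
        -->
        <AttributeSelector
            RequestContextPath="//xacml-context:Resource/xacml-context:ResourceContent/invoice:amount/text()"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Apply>
  </VariableDefinition>

  <!--
    Any decision other than Permit (NotApplicable when the Target does not
    match, Indeterminate when the Condition cannot be evaluated) has to be
    enforced as a denial by the PEP.
  -->
  <Rule
      RuleId="ExampleInvoiceApprovalRule"
      Effect="Permit">
    <Target>
      <Subjects>
        <!-- All SubjectMatch entries inside one Subject must hold together. -->
        <Subject>
          <!-- AttributeValue text carries no surrounding whitespace: string-equal compares it exactly. -->
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remote.finance.com</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hardware token</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:authn-locality:authentication-method"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Buyer</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="Role"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">https://central.finance.com/InvoiceManagement.jws</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- The rule applies only when variable "1" (limit covers the amount) is true. -->
    <Condition>
      <VariableReference VariableId="1"/>
    </Condition>
  </Rule>
</Policy>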

Listing 2: The Request

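<!--
  Decision request: subject "John Smith" asks to "Approve" on the
  InvoiceManagement resource.

  The PDP evaluates the subject attributes below as given. Role,
  ApprovalLimit and the authentication attributes should be populated by the
  PEP or context handler from an authenticated source, never copied from
  client-supplied input.

  Identifier URIs and the schemaLocation pair are written on one line each;
  a line break inside an attribute value is normalised to a space and splits
  the identifier.
-->
<Request
    xmlns="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context cs-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>John Smith</AttributeValue>
    </Attribute>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>remote.finance.com</AttributeValue>
    </Attribute>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:authn-locality:authentication-method"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Hardware token</AttributeValue>
    </Attribute>
    <Attribute
        AttributeId="Role"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Buyer</AttributeValue>
    </Attribute>
    <!--
      NOTE(review): the policy in Listing 1 feeds this value to
      double-greater-than-or-equal, so a numeric DataType (XMLSchema#double)
      is what that comparison needs. The DataType here has to match the one
      the policy's designator asks for, otherwise the attribute is not found.
    -->
    <Attribute
        AttributeId="ApprovalLimit"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>100000</AttributeValue>
    </Attribute>
  </Subject>
  <!--
    NOTE(review): the policy in Listing 1 reads invoice:amount from
    ResourceContent, but this Resource carries no ResourceContent element, so
    that selector has nothing to return and the condition cannot evaluate to
    true for this request as listed.
  -->
  <Resource>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>https://central.finance.com/InvoiceManagement.jws</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Approve</AttributeValue>
    </Attribute>
  </Action>
</Request>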