OASIS Example 4: “An Administrator shall not be permitted to read or write medical elements of a patient record in the http://www.med.example.com/schemas/record.xsd namespace.” By citing only “medical elements”, it's assumed that this example implies that access to other data shall be granted. In CDCL, it will likely be common practice to define the compulsory default rule in one's rulesheet as a redact outcome, although an author may choose another outcome. So, this example may be more interesting to express as "admin may read medical record except for the medical elements". Given a default rule of redaction, two rules are then needed in the rulesheet. One is to grant access to the non-medical data, and the other is to deny access to the medical data so as to prevent inheritance of the disclosure outcome which exists on a non-medical node that is the parent of a medical node.
[This rulesheet would be identified by a composite key that included a problem space of “http://www.med.example.com/schemas/record.xsd”. A single stakeholder could certainly combine the policy from several of these examples into a single rulesheet.]

default-rule
	id:
		1
	apply-outcomes:
		mask

rule
	id:
		2
	apply-outcomes:
		mask
	for-content:
		* present-item has-similar-caption-with “/md:record/md:medical”
	for-conditions:
		* user's-roles contain-something-with-value “administrator”

rule
	id:
		3
	apply-outcomes:
		disclose
	for-content:
		* all-true
			* present-item has-similar-caption-with “/md:record”
			* present-item doesn't-have-similar-caption-with “/md:record/md:medical”
	for-conditions:
		* user's-roles contain-something-with-value “administrator”