Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.
151750 stories · 33 followers

Control Your Space or You Lose Your Mind Working Remote

Remote work is sold as freedom. Work from anywhere. Laptop by the pool. Coffee shop vibes. Total flexibility.

That story sounds good, but it is mostly nonsense.

Ashkan Rajaee argues something uncomfortable that most remote founders do not want to hear. If you do not aggressively control your environment, remote work will eventually break you and stall your business.

This idea goes against popular remote culture, and that is exactly why it matters.

The Hidden Ceiling Nobody Talks About

Most people think remote failure comes from lack of discipline, motivation, or talent. That assumption is flawed.

The real bottleneck is environment.

According to Rajaee, every remote operator eventually hits a ceiling if their workspace is chaotic, shared, or constantly shifting. You might survive short term. You might even grow a bit. But at scale, cracks turn into collapse.

The logic is simple. If you do not control your space, something else does. Family. Noise. Bad internet. Missing gear. All of it drains cognitive energy that should be spent building.

This is not about comfort. It is about leverage.

One Space. Total Control.

Rajaee’s core rule is brutal and clear. You need one place that you fully control.

Not five locations. Not a backpack setup. One environment where noise, internet, and equipment are predictable every single day.

That might sound extreme, but consider the alternative. Constant setup and teardown. Forgotten chargers. Spotty WiFi. Interrupted calls. Each issue feels small, but over a year, the damage compounds.

You cannot scale a serious operation while mentally tracking cables and battery percentages.

Noise Is the First Enemy

Noise is not just sound. It is interruption.

If anyone can walk into your workspace while you are working, you are not in control. Period.

This includes well-meaning partners, kids, roommates, or anyone else sharing your space. Even quick questions fracture focus. Deep work does not survive open doors.

Rajaee recommends a dedicated office, even a small one person room. A Regus office near home works. So does a properly isolated home office. What matters is the boundary.

No access. No interruptions. No negotiation.

This is not antisocial. It is professional.

Internet Is Not the Place to Save Money

Residential internet is cheaper. It is also unreliable.

Commercial internet costs more for a reason. Service level agreements. Dedicated support. No throttling. Faster fixes when something breaks.

Dropped calls are not just annoying. They erode trust with clients, partners, and teams. Multiply those drops across hundreds of calls per year and the cost becomes obvious.

If your income depends on being online, your internet is infrastructure, not a utility.

Gear Multiplies Output or Destroys It

Minimalism is trendy. It is also inefficient at scale.

Rajaee is known for running extreme multi-monitor setups, sometimes up to seven screens. That might sound excessive, but the reasoning is solid. Every window switch burns mental energy.

Gestures. Swipes. Tab juggling. Those are micro costs that add up fast.

Multiple monitors externalize information. Calendars stay visible. Dashboards stay open. Decisions get faster.

The same applies to peripherals. Dedicated microphones. Cameras. Lighting. Backup devices. Redundancy is not luxury. It is insurance against friction.

Why Laptop Nomad Culture Fails

Working from anywhere sounds empowering until you track the hidden costs.

Every pack and unpack shifts focus away from strategy and execution. Instead of thinking about growth, you think about adapters, batteries, and cables.

Rajaee calls this the biggest mistake remote workers make. Mobility becomes a distraction disguised as freedom.

If you must travel, fine. But your core workspace should always be waiting for you, powered on, configured, and ready.

No friction. No setup rituals. No excuses.

Why Companies Force Offices

Here is the uncomfortable truth.

Companies want employees in offices because offices work.

Not because of control for its own sake, but because structured environments eliminate chaos. Internet is there. Gear is there. The workspace is ready every day.

That structure produces efficiency. Efficiency produces profit.

Remote founders who ignore this lesson try to run companies without the very systems businesses have relied on for decades.

The Non-Negotiable Rule

If you want to build a serious company remotely, control your space or accept the ceiling.

Noise. Internet. Gear.

Ignore any one of them and growth becomes fragile.

Remote work is not about being anywhere. It is about being effective.

And effectiveness starts with an environment that serves the work instead of sabotaging it.

alvinashcraft
25 minutes ago
Pennsylvania, USA

React Native 0.83 for Production Teams: Better DevTools, Better Tracing, Less Risk

🚀 React Native 0.83: stability-first + a bundled native DevTools desktop app

React Native 0.83 is a stability-focused release that ships React 19.2, meaningful upgrades to React Native DevTools, and support for Web Performance APIs (now stable) plus IntersectionObserver (Canary). It’s also the first React Native release with no user-facing breaking changes, which makes it especially appealing for teams maintaining production apps. This post walks through what’s new, how the DevTools workflow changes, and how to approach the 0.82 → 0.83 upgrade with minimal risk.

🧭 Context: why 0.83 matters for production teams

React Native 0.83 is positioned as a more predictable upgrade: if you’re on 0.82, you should be able to move to 0.83 without changes to your app code. That matters for production teams because it lowers upgrade overhead and lets you invest time in validation (performance, crash rates, networking behavior) rather than reactive refactors. On top of that, DevTools improvements (Network + Performance panels and a new desktop app) directly shorten debugging cycles for large apps.

🆕 What’s new in React Native 0.83

⚛️ React 19.2 (including <Activity> and useEffectEvent)

React Native 0.83 includes React 19.2 and brings the new <Activity> and useEffectEvent APIs to React Native. The release notes also mention a critical security vulnerability in React Server Components and stress that React Native is not directly affected, because it doesn’t depend on the impacted packages (react-server-dom-*), while warning monorepo users to audit and upgrade those packages if present. The post also states that React dependencies will be updated to 19.2.1 in the next patch release.
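As an added example that is not part of the release notes, the following Python script performs the monorepo audit they recommend: it lists every copy of a react-server-dom-* package recorded in an npm lockfile (v1, v2 and v3 layouts, including nested and per-workspace copies), so each can be compared against the React advisory and upgraded. The lockfile fragment and its versions are constructed for the demonstration.

```python
# Added example (not from the release notes): enumerate every copy of a
# react-server-dom-* package recorded in an npm lockfile, including nested
# and per-workspace copies in a monorepo, so they can be checked against the
# React advisory and upgraded. Lockfile v2/v3 use a flat "packages" map keyed
# by install path; lockfile v1 uses nested "dependencies" objects.
import json
import re

IMPACTED = re.compile(r"^react-server-dom-[a-z0-9-]+$")


def _package_name(path):
    """'apps/web/node_modules/@s/b' -> '@s/b'; the workspace root ('') -> None."""
    _, sep, tail = path.rpartition("node_modules/")
    return tail if sep else None


def find_react_server_dom(lock):
    """Return sorted (install path, package name, version) for impacted packages."""
    found = []
    for path, meta in lock.get("packages", {}).items():      # lockfile v2 / v3
        name = meta.get("name") or _package_name(path)
        if name and IMPACTED.match(name):
            found.append((path, name, meta.get("version", "?")))

    def walk(deps, prefix):                                    # lockfile v1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if IMPACTED.match(name):
                found.append((path, name, meta.get("version", "?")))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:                                 # v2 also carries "dependencies"
        walk(lock.get("dependencies", {}), "")
    return sorted(set(found))


# Constructed lockfile fragment for the demonstration (versions are made up).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "monorepo", "workspaces": ["apps/*"]},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-native": {"version": "0.83.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "apps/web/node_modules/react-server-dom-turbopack": {"version": "19.2.0"}
  }
}""")

if __name__ == "__main__":
    for path, name, version in find_react_server_dom(SAMPLE_LOCK):
        print(f"{name}@{version}  ({path})")
```

Run it against each package-lock.json in the repository; an empty result means none of the impacted packages are installed, which is the situation the notes describe for plain React Native apps.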

🧩 <Activity>: prioritize UI subtrees while preserving state

<Activity> lets you split an app into “activities” that can be controlled and prioritized, as an alternative to conditional rendering. It supports two modes: visible (shows children, mounts effects, processes updates normally) and hidden (hides children, unmounts effects, and defers updates until React has nothing left to work on). A key behavior is that trees hidden with <Activity mode="hidden"> preserve their state, so when they become visible again they can keep things like search status and a previous selection.

🧠 useEffectEvent: separate “event” logic from reactive effects

The release notes describe a common useEffect pattern: notifying app code about an “event” from an external system, which can unintentionally cause the effect to re-run whenever any value used inside that event changes. They also note that many developers work around this by disabling the lint rule and excluding dependencies—at the cost of potential bugs later. With useEffectEvent, you can split the “event” part out of the effect that emits it, keeping effects more correct and maintainable.

🛠️ New DevTools features (Network + Performance)

React Native 0.83 delivers “long awaited features and quality of life improvements” to React Native DevTools. Two major additions are Network inspection and Performance tracing, both available now.

  • Network inspection shows network requests with metadata such as timings and headers, includes response previews, and adds an Initiator tab to see where in code a request originated.
  • Today, network coverage includes calls made via fetch(), XMLHttpRequest, and <Image>, with support for custom networking libraries (like Expo Fetch) planned for later.
  • For Expo apps, the notes explain you’ll still see the separate “Expo Network” panel (with broader event coverage, but no request initiator, and no Performance panel integration).
  • Performance tracing records a session and shows JavaScript execution, React Performance tracks, network events, and custom User Timings in a single timeline.

The post explicitly connects this to the Web Performance APIs support in 0.83 and encourages teams to incorporate the Performance panel into daily workflow to better understand what makes apps slow.

🖥️ DevTools goes desktop: bundled native app

Previously, React Native DevTools launched in a browser window and required Chrome or Edge to be installed. In 0.83, React Native introduces a new bundled desktop app with the same “zero-install setup,” but no web browser requirement, faster launch via a lightweight notarized desktop binary, and better windowing behavior (including macOS multitasking improvements, auto-raise on breakpoint, and restoring window arrangements). The release notes also say reliability improves because DevTools runs separately from a personal browser profile, avoiding issues caused by certain preinstalled Chrome extensions, and that in rare cases where the desktop binary can’t be downloaded (e.g., corporate firewall) it falls back to the previous browser-based flow.

🧭 IntersectionObserver (Canary)

As part of the effort to bring web APIs to React Native, 0.83 adds IntersectionObserver support in the canary release. The release notes describe it as a way to asynchronously observe layout intersections between a target element and its ancestor, and mention API/implementation docs plus RNTester examples.

⏱️ Web Performance APIs are now stable

React Native 0.83 rolls out as stable a subset of Web Performance APIs introduced in 0.82. The list includes High Resolution Time (performance.now(), performance.timeOrigin), Performance Timeline (PerformanceObserver and getEntries* methods), User Timing (performance.mark, performance.measure), Event Timing (event entry types), and Long Tasks (longtask entry types). The release notes state these APIs are visible in the DevTools Performance panel and usable at runtime via PerformanceObserver, including in production builds—enabling real-world performance metrics collection.

🧪 Hermes V1 (experimental)

Hermes V1 is described as the next evolution of Hermes, with compiler/VM improvements that significantly boost JavaScript performance. After being introduced as an experimental opt-in in 0.82, Hermes V1 gets further performance improvements in 0.83. The notes also explain that enabling Hermes V1 requires building React Native from source (not compatible with precompiled React Native builds), and provide specific Android/iOS enablement steps plus a runtime check for the Hermes version.

🍎 iOS: compile out Legacy Architecture (experimental)

React Native 0.83 adds an iOS flag (RCT_REMOVE_LEGACY_ARCH=1) to compile out the Legacy Architecture if your app is already on the New Architecture. The notes claim this can reduce build time and app size, and provide example measurements on a new app without dependencies (build time 73.0s → 58.2s; size 51.2MB → 48.2MB), while noting results depend on how many third-party libraries you use. They also state this flag is not compatible with React Native precompiled binaries and requires building from source.

🍏 iOS: debug precompiled binaries (experimental)

The release notes introduce the ability to debug React Native code shipped with a precompiled binary on iOS, primarily for library maintainers or teams building native modules/components. They describe the workflow and emphasize that RCT_SYMBOLICATE_PREBUILT_FRAMEWORKS=1 instructs CocoaPods to download and expand React Native dSYMs so you can step into React Native code in Xcode.

🧯 Production impact and rollout strategy

React Native 0.83 has no user-facing breaking changes and explicitly states that apps on 0.82 should be able to upgrade without app code changes, which supports safer, more frequent upgrades. The DevTools Performance panel plus stable Web Performance APIs (including PerformanceObserver working in production) create a practical path for measuring regressions during gradual rollout instead of relying only on local profiling. The release also ships two Android-specific deprecations—sendRequestInternal (Networking) and startOperationBatch/finishOperationBatch (Animation)—which teams should track across internal code and third-party dependencies.

📚 https://reactnative.dev/blog/2025/12/10/react-native-0.83

alvinashcraft
25 minutes ago
Pennsylvania, USA

SwiftUI Window, Scene & Multi-Window Architecture

As soon as your app goes beyond a single screen, window and scene management becomes real architecture, not boilerplate.

Most SwiftUI apps accidentally:

  • misuse ScenePhase
  • hard-code navigation per window
  • break state when opening multiple windows
  • duplicate ViewModels
  • fight iPad & macOS behavior
  • misunderstand what a scene actually is

This post explains how SwiftUI really manages windows and scenes, and how to architect apps that work correctly on:

  • iPhone
  • iPad (multi-window)
  • macOS
  • visionOS

🧠 1. App vs Scene (The Most Important Distinction)

App

  • Defines what your app is
  • Owns global configuration
  • Creates scenes

Scene

  • Defines how your app is presented
  • Owns window lifecycle
  • Can exist multiple times simultaneously

@main
struct MyApp: App {
    var body: some Scene {
        WindowGroup {
            RootView()
        }
    }
}

Rule:
📌 Your app can have multiple scenes, and each scene can have multiple windows.

🪟 2. What a WindowGroup Really Does

WindowGroup {
    ContentView()
}

This means:

  • iOS: multiple app windows (iPad)
  • macOS: multiple windows
  • visionOS: multiple spatial instances

Each window:

  • has its own view hierarchy
  • has its own state
  • does NOT automatically share ViewModels

⚠️ 3. The Biggest Multi-Window Bug

This is wrong:

@StateObject var vm = GlobalViewModel()

inside a WindowGroup.

Why?

  • Each window gets a new instance
  • State diverges
  • Navigation desyncs

🧱 4. Correct Global State Placement

Global state must live above scenes:

@main
struct MyApp: App {
    @StateObject private var appState = AppState()

    var body: some Scene {
        WindowGroup {
            RootView()
                .environmentObject(appState)
        }
    }
}

Now:

  • all windows share state
  • navigation is consistent
  • data stays in sync

🧭 5. Scene-Local State vs App-Global State

Scene-local:

  • navigation stack
  • selection
  • focus
  • scroll position

App-global:

  • authentication
  • user session
  • cache
  • feature flags
  • deep links

Never mix them.

🔄 6. ScenePhase Is Per-Scene (Not Global)

@Environment(\.scenePhase) var scenePhase

Each window has its own phase.

That means:

  • backgrounding one window ≠ app background
  • inactive ≠ destroyed
  • active ≠ foreground for all windows

Use this wisely.

🧩 7. Supporting Multiple Scene Types

SwiftUI supports multiple scene roles:

var body: some Scene {
    WindowGroup("Main") {
        MainView()
    }

    WindowGroup("Inspector") {
        InspectorView()
    }

    Settings {
        SettingsView()
    }
}

Use cases:

  • inspector panels
  • settings windows
  • auxiliary tools
  • debug overlays

🪟 8. Opening New Windows Programmatically

@Environment(\.openWindow) var openWindow

Button("Open Details") {
    openWindow(id: "details")
}

Define the window:

WindowGroup(id: "details") {
    DetailView()
}

This is how real desktop-class SwiftUI apps work.

🧠 9. Window-Scoped Dependency Injection

Each window should get:

  • its own navigation state
  • shared services
  • shared app state

Example:

WindowGroup {
    RootView(
        router: Router(),
        services: services
    )
}

But:

  • services are shared
  • routers are per-window

🧪 10. Testing Multi-Window Behavior

You must test:

  • opening multiple windows
  • closing windows
  • backgrounding one scene
  • restoring state
  • shared state mutation

Most SwiftUI bugs only appear with two windows open.

🚀 Final Thoughts

SwiftUI scenes are not boilerplate — they are architecture.

Once you understand:

  • app vs scene
  • window identity
  • scene-local vs global state
  • multi-window behavior

You can build apps that feel:

  • native
  • correct
  • scalable

alvinashcraft
27 minutes ago
Pennsylvania, USA

The Writers Write Book Reading Challenge – 3

Are you overwhelmed by the sheer number of books to choose from? Here’s a reading challenge to make choosing a book (and reading it!) more fun.

The Writers Write Book Reading Challenge – 3

At Writers Write, we believe in healthy challenges. After all, they push us to the edge of our comfort zone, and we all know that’s where learning begins, and where adventure starts.

We’d like you to start this new book-reading challenge with us. You can begin at any month of the year. For example, let’s say you start in May. Then you simply work your way to the end of the list and continue with January until you reach April. Challenge completed! But of course, we hope you’ll grab a book the minute this post is published.

This is our third book reading challenge. You can read all about our other challenges at the end of this post.

A New Challenge Every Month

  1. January: January is the time of new beginnings. Choose a book about a journey. How about Jules Verne’s Around The World In 80 Days? Or the Outlander series by Diana Gabaldon?
  2. February: Read a love story. This month, you don’t need to feel ashamed for enjoying a cheesy one.
  3. March: Go through your phone contacts or your social media friends. Message the third person, asking for a book recommendation.
  4. April: Honour April Fool’s Day and read a funny book. You could get started on one of the two series by Douglas Adams. Choose either the series The Hitchhiker’s Guide To The Galaxy or Dirk Gently’s Holistic Detective Agency. You may, of course, also choose any other book you think is funny.
  5. May: This month, please read a book that was written after the movie. For example, any of the Books on Star Wars. May the force be with you!
  6. June: Read a novel written by an author who uses a pen name. You could choose Robert Galbraith, John Le Carré, Mark Twain, or Ellis Peters, for example.
  7. July: Indulge in a beach read. To find one, go to the next train station or airport. Usually, their bookstores sell lots of beach reads.
  8. August: Read a book set in the desert. Here are two suggestions: T.E. Lawrence’s Seven Pillars Of Wisdom (that’s the story of Lawrence of Arabia), or Michael Ondaatje’s novel The English Patient.
  9. September: Please visit your local library, and ask which novel is most popular, and which is least popular. Look at both and choose one, or both.
  10. October: Time to get a little spooked. Please read a book about a witch. I suggest Deborah Harkness, any one of her All Souls series (the first one is called A Discovery Of Witches). It’s all about witches and vampires.
  11. November: This is the month of Thanksgiving. So, choose a book about gratitude. How about Louisa May Alcott’s Little Women? Or Paulo Coelho’s The Alchemist? Maybe these books can inspire you to keep a gratitude journal.
  12. December: Please gift the joy of reading to children. Maybe you’d like to volunteer to read a Christmas-themed book to kids at your local library? Or at an elementary school? My favourite is Nicholas Allan’s Father Christmas Needs A Wee.

When you’ve completed this challenge, pat yourself on the shoulder! We know that life is busy, and it can be hard to find the time for reading. Yet you have made time and space for one of the greatest hobbies in the world. It’s also a fundamental activity if you want to be a writer.

The Last Word

If you’ve enjoyed this challenge, you can continue with more challenges! Please look at our previous ones:

  1. The Writers Write Book Reading Challenge
  2. The Writers Write Book Reading Challenge 2

Image: Pixabay

Susanne Bennett

By Susanne Bennett. Susanne is a German-American writer who is a journalist by trade and a writer by heart. After years of working at German public radio and an online news portal, she has decided to accept challenges by Deadlines for Writers. Currently she is writing her first novel with them. She is known for overweight purses and carrying a novel everywhere. Follow her on Facebook.

The post The Writers Write Book Reading Challenge – 3 appeared first on Writers Write.

alvinashcraft
27 minutes ago
Pennsylvania, USA

Things to Do in Philadelphia This Week & Weekend

New year, new you. From low-key family fun to major extravaganzas, this week’s list of things to do in Philly is counting down all the things you don’t want to miss in three … two … one …

Look up: Philly is the place to be with the Visit PA New Year’s Eve Fireworks on the Waterfront at 6 p.m. and at midnight (Wednesday), and the brand-new — and totally free! — New Year’s Eve Concert & Fireworks on the Benjamin Franklin Parkway, headlined by LL Cool J and featuring its own midnight fireworks display (Wednesday).

Ring in the new year with tons of New Year’s Eve celebrations around the city, with parties for grown-ups at venues like Fringe Bar and the Moshulu, events for kids at spots like the Please Touch Museum and Legoland Discovery Center, or fun for all ages at attractions like Independence Blue Cross RiverRink Winterfest and Cherry Street Pier (Wednesday).

The fun keeps going on New Year’s Day as thousands of costumed performers strut their stuff down Broad Street for the annual Philadelphia Mummers Parade (Thursday).

And it’s your last chance for holiday season fun at Philly attractions, like the Holiday Garden Railway at Morris Arboretum & Gardens (through Tuesday), and LumiNature at the Philadelphia Zoo (through Saturday).

Plus, the city honors 250 years of pioneering by celebrating Philly’s many historic achievements — every week, all throughout 2026. Experience the start of 52 Weeks of Firsts at the Athenaeum of Philadelphia (Saturday).

With so much happening this week, you’ll wanna stay over — so why pay more? Book the Visit Philly Overnight Package for free hotel parking and priceless peace of mind.

Below, find the best things to do in Philadelphia this week and weekend, December 29, 2025, to January 4, 2026.

alvinashcraft
27 minutes ago
Pennsylvania, USA

FHIR Consent backed by XACML enforcement

Imagine a scenario where my organization uses XACML for all of our policy: HR policies on which HR-relevant data can be accessed by whom, and so on. This same XACML system would also be used to protect patient data, including imaging, EHR, and HIE access. Thus, the XACML system is very broad and deep, and it is the one we want to use to protect everything.

Along comes FHIR Consent and we feel that there is a need to have some representation of the Patient Consent in FHIR form, but the actual rules that are applied stay in XACML. So, what does the FHIR Consent look like?

Generally speaking, the FHIR Consent would be just a cross-reference between the Patient as known in FHIR and the XACML subject id as known in XACML. The FHIR Consent would not replicate any of the patient-specific rules.

So, let's imagine a Patient has indicated that they agree to permit all the normal clinical activities with Normal sensitivity data, but that they do not allow external access to Restricted sensitivity data.

In FHIR Consent, this would be a set of Consent.provision elements; but in my case I already have this in computable form in XACML.

Further, my organizational overriding policies are written in XACML.

To see what this looks like, I have written a simple Implementation Guide: the Consent points at the overriding policy and the patient-specific policy, as shown below. This is Profiled:

XACML Policies

For those more familiar with XACML, can you check my work? I don't pass off these two policy sets as perfect, but as small representative examples.

Using XACML leverages an existing standard for defining access control policies. XACML policies are XML documents that specify rules for granting or denying access to resources based on various attributes, such as user roles, resource types, and environmental conditions.

XACML Overriding Policy

The XACML Overriding Policy is a policy set that defines the overarching access control rules for FHIR resources. This policy is intended to be used in conjunction with patient-specific XACML policies referenced in FHIR Consent resources. The overriding policy ensures that certain organizational or regulatory requirements are consistently applied across all patient consents.

<!-- This XACML policy file defines an organizational governance layer that overrides patient consent preferences. Specifically:

Purpose: It demonstrates how an organization's data access rules take precedence over patient consent policies using XACML's "deny-overrides" combining algorithm.

Key Rules:

1. Emergency Access - Permits doctors to access data during life-safety emergencies, regardless of consent restrictions
2. Archived Data Denial - Strictly forbids access to archived records, overriding any patient permits
3. Administrative Staff Restriction - Denies administrative staff access to data tagged as "Restricted" (R), even if patient consent would allow it

Context: This sits within a larger governance framework where patient consent (referenced via PolicySetIdReference) is evaluated, but organizational policies can override patient preferences when necessary for clinical workflows, safety, or compliance reasons. A master container applies default-deny if neither permits nor denies are found.
-->

<!-- Version is a required attribute on Policy and PolicySet in the XACML 3.0 schema. -->
<Policy PolicyId="Org_Policy_7890_Workflow_Governance"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    
    <Description>
        Organizational Governance: Enforces workflow roles and clinical status.
        This policy overrides subject-level permits.
    </Description>

    <Target/> 
    
    <Rule RuleId="Emergency_Access_Permit" Effect="Permit">
        <Description>Allows doctors to access data regardless of tags during a life-safety event.</Description>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Emergency</AttributeValue>
                <AttributeDesignator 
                    AttributeId="urn:example:names:clinical:access-context" 
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" 
                    DataType="http://www.w3.org/2001/XMLSchema#string" 
                    MustBePresent="true"/>
            </Apply>
        </Condition>
    </Rule>

    <Rule RuleId="Deny_Archived_Data_Access" Effect="Deny">
        <Description>Strictly forbids access if the record is in 'Archived' status, overriding user permits.</Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Archived</AttributeValue>
                        <AttributeDesignator 
                            AttributeId="urn:example:names:resource:status" 
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
                            DataType="http://www.w3.org/2001/XMLSchema#string" 
                            MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>

    <Rule RuleId="Deny_Non_Clinical_Staff_Restricted" Effect="Deny">
        <Description>Forbids administrative staff from seeing any data tagged as 'Restricted' (R).</Description>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Administrative</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="true"/>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">R</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:example:med:names:resource:data-tag"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="true"/>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>

XACML Patient Consent Policy

The XACML Patient Consent Policy is a policy document that defines the specific access control rules for an individual patient. This policy is referenced in the FHIR Consent resource and works in conjunction with the XACML Overriding Policy to determine access permissions for FHIR resources.

<!-- This XACML policy file encodes a patient consent for Patient ID 12345. Specifically:

Purpose: Defines the patient's preferences for data sharing based on sensitivity tags using Attribute-Based Access Control (ABAC).

Consent Rules:

1. Permits Normal Data - Allows sharing of data tagged as "Normal" (N) sensitivity
2. Denies Restricted Data - Blocks sharing of data tagged as "Restricted" (R) sensitivity

How it Works:

- Targets requests where the subject-id matches patient 12345
- Uses "deny-overrides" at the PolicySet level to ensure denials take precedence
- Contains two sub-policies: one for Normal data (permit-overrides) and one for Restricted data (deny-overrides)
- Evaluates the data-sensitivity attribute on resources to determine access
- This represents the patient's preferences layer in the consent framework, which works in conjunction with organizational policies (like xacml-overriding.xml) to make final access decisions.
-->

<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="consent-policy-set-12345"
           Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">

    <Description>Consent Policy Set for Patient ID 12345</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">12345</AttributeValue>
                    <AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                        DataType="http://www.w3.org/2001/XMLSchema#string" 
                        MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>

    <Policy PolicyId="consent-policy-12345-normal-data"
            Version="1.0"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">

        <Description>Policy to permit sharing of Normal (N) data</Description>

        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Normal</AttributeValue>
                        <AttributeDesignator AttributeId="data-sensitivity"
                                             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                             DataType="http://www.w3.org/2001/XMLSchema#string"
                                             MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>

        <Rule RuleId="permit-normal-data" Effect="Permit">
            <Description>Permit access to Normal data</Description>
        </Rule>

    </Policy>

    <Policy PolicyId="consent-policy-12345-restricted-data"
            Version="1.0"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">

        <Description>Policy to deny sharing of Restricted (R) data</Description>

        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Restricted</AttributeValue>
                        <AttributeDesignator AttributeId="data-sensitivity"
                                             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                             DataType="http://www.w3.org/2001/XMLSchema#string"
                                             MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Rule RuleId="deny-restricted-data" Effect="Deny">
            <Description>Deny access to Restricted data</Description>
        </Rule>
    </Policy>
</PolicySet>
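To see how the two policy sets actually combine, here is a small Python model of the relevant XACML combining algorithms run over constructed requests; it is an added example, not the post's code or a real PDP, and the requester ids, the shortened attribute names and the master container's combining algorithm (only described in the post's comment) are assumptions.

```python
"""Simplified model of how a XACML 3.0 PDP combines the post's two policies.

Added example, not the post's code. Attribute ids are shortened from the XML
(for example "role" stands for urn:oasis:names:tc:xacml:2.0:subject:role). A
missing attribute with MustBePresent="true" is modelled as Indeterminate, and
the Indeterminate{D}/{P}/{DP} distinctions of the real algorithms are collapsed
into one value. The master container is only described in the post's comment,
so its combining algorithm is a parameter here (assumption).
"""
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"


def eq(attr_id, value):
    """string-equal on one attribute; IND when the attribute is absent."""
    return lambda req: IND if attr_id not in req else req[attr_id] == value


def both(a, b):
    """xacml and(): IND if either operand is IND, else logical and."""
    def cond(req):
        x, y = a(req), b(req)
        return IND if IND in (x, y) else (x and y)
    return cond


def always(req):
    """An empty <Target/> or a <Rule> without a Condition."""
    return True


def rule(effect, condition):
    """<Rule>: its Effect when the Condition holds, NA otherwise, IND on error."""
    def evaluate(req):
        m = condition(req)
        return IND if m == IND else (effect if m else NA)
    return evaluate


def policy(target, children, combine):
    """<Policy>/<PolicySet>: children are combined only when the Target matches."""
    def evaluate(req):
        t = target(req)
        if t == IND:
            return IND
        return combine([child(req) for child in children]) if t else NA
    return evaluate


def deny_overrides(results):
    if DENY in results:
        return DENY
    if IND in results:
        return IND
    return PERMIT if PERMIT in results else NA


def permit_overrides(results):
    if PERMIT in results:
        return PERMIT
    if IND in results:
        return IND
    return DENY if DENY in results else NA


def first_applicable(results):
    return next((r for r in results if r != NA), NA)


# Org_Policy_7890_Workflow_Governance: empty Target, deny-overrides.
org_policy = policy(always, [
    rule(PERMIT, eq("access-context", "Emergency")),                      # Emergency_Access_Permit
    rule(DENY, eq("status", "Archived")),                                  # Deny_Archived_Data_Access
    rule(DENY, both(eq("role", "Administrative"), eq("data-tag", "R"))),  # Deny_Non_Clinical_Staff_Restricted
], deny_overrides)

# consent-policy-set-12345: the Target matches subject-id in the access-subject
# category, i.e. the requester, so the set only applies when the requester is 12345.
consent_policy_set = policy(eq("subject-id", "12345"), [
    policy(eq("data-sensitivity", "Normal"), [rule(PERMIT, always)], permit_overrides),
    policy(eq("data-sensitivity", "Restricted"), [rule(DENY, always)], deny_overrides),
], deny_overrides)


def decide(req, combine=deny_overrides):
    """Master container (assumed): combine both policies, default-deny otherwise."""
    result = combine([org_policy(req), consent_policy_set(req)])
    return DENY if result in (NA, IND) else result


# Constructed requests (not from the post); "dr-77" is a made-up clinician id.
DOCTOR_EMERGENCY = {"subject-id": "dr-77", "role": "Doctor", "access-context": "Emergency",
                    "status": "Active", "data-tag": "R", "data-sensitivity": "Restricted"}
# The same request with the patient's id as subject-id, as the post's cross-reference intends.
PATIENT_AS_SUBJECT = dict(DOCTOR_EMERGENCY, **{"subject-id": "12345"})
# Administrative user whose resource carries data-sensitivity but no data-tag attribute.
ADMIN_UNTAGGED = {"subject-id": "12345", "role": "Administrative", "access-context": "Routine",
                  "status": "Active", "data-sensitivity": "Restricted"}

if __name__ == "__main__":
    for label, req in [("doctor, emergency", DOCTOR_EMERGENCY),
                       ("patient id as subject", PATIENT_AS_SUBJECT),
                       ("admin, no data-tag", ADMIN_UNTAGGED)]:
        print(f"{label:22} org={org_policy(req):14} consent={consent_policy_set(req):14} "
              f"deny-overrides={decide(req):7} first-applicable={decide(req, first_applicable)}")
```

Two things the run makes visible: a clinician's request never reaches the consent set unless the record's patient is carried in a resource-category attribute instead of the requester's subject-id, and under a deny-overrides master the consent Deny wins over the emergency Permit, so the "regardless of consent" intent needs an ordered algorithm such as first-applicable with the organizational policy first. The org rule also tests data-tag=R while the consent tests data-sensitivity=Restricted, so a resource labelled only one way is Indeterminate for the other.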

alvinashcraft
28 minutes ago
Pennsylvania, USA