As mentioned in the SanteDB architecture, SanteDB provides a robust policy infrastructure. This policy infrastructure can describe policies which a user account must be granted in order to execute an action (permission policies) or to access a particular piece of data within the database structure.
SanteDB comes pre-installed with all the permission policies it requires to operate appropriately, and also with a few data policies ("Restricted Data" is one). Most of these policies are demanded by SanteDB system components, and therefore cannot be deleted by the system administrator, and thus are marked as "Readonly".
You can also see the policy hierarchy using the policy's OID. The way that this works, is quite simple, if a component or piece of data DEMANDS a policy at a lower level in the OID, and the user is granted a higher level, the decision is inherited.
Here, if the user is granted all MDM : 126.96.36.199.4.1.333188.8.131.52.9.2.6 , and a function demands WRITE MDM 184.108.40.206.4.1.333220.127.116.11.18.104.22.168, the decision is GRANT.
If you wanted to create a new policy, for example, to control access to HIV records. You could select the Create Policy button. You'll then be presented with the new policy ID screen:
Once created, your policy can be assigned to any device, group, or application. For example, if you wanted to DENY access to HIV records you would do so in the UI. Any records tagged with this policy would be disclosed, masked, or not disclosed based on the policy permission you've set.