Last week, members of the OASIS consortium participated in an interoperability demonstration of XACML. My co-worker, Rich Levinson, was there leading Oracle's participation, along with participants from BEA, IBM, Sun, Axiomatics, Cisco, and the US Department of Veterans Affairs [correction: and Red Hat/JBoss too!].
For me the cool thing was the scenario put forth by Veterans Affairs. It was a scenario that dealt with patient health records and privacy (for more info, see Anil Saldhana's write-up). For me, the really cool thing was when Rich showed me how a patient could block access to a specific doctor, or conversely, how a doctor in an emergency room situation could be granted access to patient records. This particular scenario has been one of the primary examples put forward by many government organizations I have spoken with. It was also widely discussed by participants of the business requirements review of IGF at Project Liberty.
In fact, when we first talked about a policy language for attribute authorities (back in 2006) to decide how to release personal information, we gravitated quickly towards XACML at Rich Levinson's suggestion. Now, with web policy demonstrating these requirements in an application context at an open interop, Rich's initial recommendation to define the Attribute Authority Policy Markup Language (AAPML) as a profile of XACML proves to be right on target!