OpenPMF policies can either be default security policy model templates, or tailor-made security policy models . Default policy model templates includes policies such as “only allow the interactions the application developer has programmed; deny and log everything else”, or “only allow access to SOA services based on the sequence of the BPM workflow used to orchestrate the SOA”. Tailor-made security policy models include aspects of compliance regulations and enterprise security policies, e.g. “doctors are only allowed to access their current patients’ health records; if anything else is accessed, access is not denied, but an audit log entry will be generated”.