Modular XACML / JACAL schemas #68

@cdanger

Description

Most often, an ACAL system may need only a subset of the core (XACML / JACAL) schema depending on its role (PEP, PDP, PAP...).
The idea is to split the core XACML / JACAL schema into:

  • Policy schema: to be used by PDP/PAP for policy syntax validation. Contains only element/type definitions for PolicyType, PolicyReferenceType, PolicyDefaultsType, PolicyParameterType, ShortIdSetType, BooleanExpressionType, RuleType, EntityType, ExpressionType, ApplyType, FunctionType, QuantifiedExpressionType, AttributeDesignatorType, NamedAttributeDesignatorType, AttributeSelectorType, EntityAttributeSelectorType, BaseAttributeSelectorType, EntityAttributeDesignatorType, VariableDefinitionType, VariableReferenceType, BundleType, SharedVariableDefinitionType, SharedVariableReferenceType, NoticeExpressionType, AttributeAssignmentExpressionType, Description objects.
  • Request schema: to be used by PDP for decision request validation (at the very least). Contains only element/type definitions for RequestType, all RequestXXXType (RequestAttributeType, RequestEntityType, RequestReferenceType, RequestEntityReference, etc.), MultiRequestsType objects.
  • Response schema: to be used by PEP for decision response validation (at the very least). Contains only element/type definitions for ResponseType, ResultType, ResultEntityType, StatusType, StatusCodeType, StatusDetailType, MissingAttributeDetailType, NoticeType, AttributeAssignmentType objects.
  • Base schema: base schema used by all the above. Contains the common element/type definitions.

Also a typical use case is a PDP supporting only XACML policies but both XACML and JACAL requests, in which case it needs at least the XACML Policy, XACML Request and JACAL Request schemas, but doesn't need the JACAL Policy schema.

See this example of modular JSON schema based on former XACML 3.0.
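The following is an added illustration, not code from the issue or from the project: a minimal JSON-Schema-style validator that resolves "$ref" pointers across separately loaded schema modules. It shows the modular layout proposed above (a shared base module referenced by a request module and a response module) and how a component loads only the modules its role needs, with a loud failure when a referenced module was not loaded. The schema shapes, property names and sample documents are constructed for the example and are not the real XACML/JACAL schemas.

```python
"""Modular schema modules with cross-module "$ref" resolution (added example).
The schemas below are CONSTRUCTED for illustration, not the real XACML/JACAL ones."""
from __future__ import annotations
from typing import Any

# Base module: definitions shared by the request and response modules.
BASE_SCHEMA = {
    "$id": "base.schema.json",
    "$defs": {
        "AttributeValue": {
            "type": "object", "required": ["DataType", "Value"],
            "properties": {"DataType": {"type": "string"},
                           "Value": {"type": ["string", "boolean", "integer"]}}},
        "Attribute": {
            "type": "object", "required": ["AttributeId", "Value"],
            "properties": {"AttributeId": {"type": "string"},
                           "Value": {"$ref": "base.schema.json#/$defs/AttributeValue"}}},
    },
}
# Request module (what a PDP validates incoming decision requests against).
REQUEST_SCHEMA = {
    "$id": "request.schema.json", "type": "object", "required": ["Request"],
    "properties": {"Request": {
        "type": "object", "required": ["Attributes"],
        "properties": {"Attributes": {
            "type": "array", "items": {"$ref": "base.schema.json#/$defs/Attribute"}}}}},
}
# Response module (what a PEP validates decision responses against).
RESPONSE_SCHEMA = {
    "$id": "response.schema.json", "type": "object", "required": ["Response"],
    "properties": {"Response": {"type": "array", "items": {
        "type": "object", "required": ["Decision"],
        "properties": {
            "Decision": {"enum": ["Permit", "Deny", "NotApplicable", "Indeterminate"]},
            "Obligations": {"type": "array",
                            "items": {"$ref": "base.schema.json#/$defs/Attribute"}}}}}},
}

JSON_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool, "integer": int}


class SchemaLoader:
    """Holds only the schema modules a given component (PEP, PDP, PAP) chose to load."""

    def __init__(self, *modules: dict):
        self.modules = {m["$id"]: m for m in modules}

    def resolve(self, ref: str) -> dict:
        """Follow '<module-id>#/path/to/def'; fail clearly if the module is not loaded."""
        module_id, _, pointer = ref.partition("#")
        if module_id not in self.modules:
            raise KeyError(f"schema module {module_id!r} not loaded")
        node: Any = self.modules[module_id]
        for part in pointer.strip("/").split("/"):
            node = node[part]
        return node

    def validate(self, instance: Any, schema: dict, path: str = "$") -> list[str]:
        """Return a list of violations; an empty list means the instance is valid."""
        if "$ref" in schema:
            return self.validate(instance, self.resolve(schema["$ref"]), path)
        errors: list[str] = []
        if "enum" in schema and instance not in schema["enum"]:
            errors.append(f"{path}: {instance!r} not in {schema['enum']}")
        if "type" in schema:
            allowed = schema["type"] if isinstance(schema["type"], list) else [schema["type"]]
            # bool is a subclass of int in Python; keep JSON's boolean/integer distinct.
            ok = any(isinstance(instance, JSON_TYPES[t])
                     and not (t == "integer" and isinstance(instance, bool)) for t in allowed)
            if not ok:
                errors.append(f"{path}: expected {allowed}, got {type(instance).__name__}")
                return errors
        if isinstance(instance, dict):
            for key in schema.get("required", []):
                if key not in instance:
                    errors.append(f"{path}: missing required property {key!r}")
            for key, sub in schema.get("properties", {}).items():
                if key in instance:
                    errors += self.validate(instance[key], sub, f"{path}.{key}")
        if isinstance(instance, list) and "items" in schema:
            for i, item in enumerate(instance):
                errors += self.validate(item, schema["items"], f"{path}[{i}]")
        return errors


def pdp_validate_request(doc: dict) -> list[str]:
    """A PDP needs base + request modules only."""
    return SchemaLoader(BASE_SCHEMA, REQUEST_SCHEMA).validate(doc, REQUEST_SCHEMA)


def pep_validate_response(doc: dict) -> list[str]:
    """A PEP needs base + response modules only."""
    return SchemaLoader(BASE_SCHEMA, RESPONSE_SCHEMA).validate(doc, RESPONSE_SCHEMA)


def pep_without_base(doc: dict) -> str | None:
    """Misconfiguration: response module loaded without the base it references."""
    try:
        SchemaLoader(RESPONSE_SCHEMA).validate(doc, RESPONSE_SCHEMA)
        return None
    except KeyError as exc:
        return str(exc)


# Constructed sample documents.
GOOD_REQUEST = {"Request": {"Attributes": [
    {"AttributeId": "urn:example:subject-id", "Value": {"DataType": "string", "Value": "alice"}}]}}
BAD_REQUEST = {"Request": {"Attributes": [
    {"AttributeId": "urn:example:subject-id", "Value": {"DataType": "string"}}]}}

if __name__ == "__main__":
    print(pdp_validate_request(GOOD_REQUEST))   # []
    print(pdp_validate_request(BAD_REQUEST))    # one "missing required property" error
    print(pep_validate_response({"Response": [{"Decision": "Permit"}]}))  # []
```

The point of the split is visible in the three entry functions: each role instantiates a loader with just the modules it needs, and a reference into a module that was never loaded is reported as a configuration error rather than silently passing. A real deployment would use a full JSON Schema or XSD validator with the same module layout; the hand-rolled validator here only covers the keywords the sample schemas use.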

Labels: enhancement (New feature or request)