<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="http://www.oasis-open.org/committees/accessControl/docs/draft-actc-schema-policy-08.xsd" xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-21" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xacml="http://www.oasis-open.org/committees/accessControl/docs/draft-actc-schema-policy-08.xsd" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<xs:import namespace="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-21" schemaLocation="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-2.xsd"/>
	<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
	<xs:element name="applicablePolicy" type="xacml:ApplicablePolicyType"/>
	<xs:complexType name="ApplicablePolicyType">
		<xs:sequence>
			<xs:element name="target" type="xacml:TargetType" minOccurs="0" maxOccurs="unbounded"/>
			<xs:element name="policy" type="xacml:PolicyType"/>
			<xs:element name="ds:Signature" minOccurs="0" maxOccurs="1"/>
		</xs:sequence>
		<xs:attribute name="majorVersion" type="xs:integer" use="required"/>
		<xs:attribute name="minorVersion" type="xs:integer" use="required"/>
		<xs:attribute name="issuer" type="xs:string" use="required"/>
		<xs:attribute name="policyName" type="xs:string" use="optional"/>
		<xs:attribute name="issueInstant" type="xs:dateTime" use="optional"/>
	</xs:complexType>
	<xs:complexType name="TargetType">
		<xs:sequence>
			<xs:element ref="saml:Actions" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="resourceClassification" type="xs:anyURI"/>
		<xs:attribute name="resourceToClassificationTransform" type="xs:anyURI" use="optional"/>
		<!-- One transform algorithm could be "regular expression" -->
	</xs:complexType>
	<xs:complexType name="PolicyType">
		<xs:complexContent>
			<xs:extension base="xacml:RuleType">
				<xs:sequence>
					<xs:element ref="xacml:postCondition" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<xs:complexType name="RuleAbstractType" abstract="true">
		<xs:sequence maxOccurs="unbounded">
			<xs:choice>
				<xs:element name="and" type="xacml:AndType"/>
				<xs:element name="or" type="xacml:OrType"/>
				<xs:element name="not" type="xacml:NotType"/>
				<xs:element ref="xacml:predicate"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<xs:complexType name="RuleType">
		<xs:complexContent>
			<xs:restriction base="xacml:RuleAbstractType">
				<xs:sequence>
					<xs:choice>
						<xs:element name="and" type="xacml:AndType"/>
						<xs:element name="or" type="xacml:OrType"/>
						<xs:element name="not" type="xacml:NotType"/>
						<xs:element ref="xacml:predicate"/>
					</xs:choice>
				</xs:sequence>
			</xs:restriction>
		</xs:complexContent>
	</xs:complexType>
	<xs:complexType name="AndType">
		<xs:complexContent>
			<xs:restriction base="xacml:RuleAbstractType">
				<xs:sequence minOccurs="2" maxOccurs="unbounded">
					<xs:choice>
						<xs:element name="and" type="xacml:AndType"/>
						<xs:element name="or" type="xacml:OrType"/>
						<xs:element name="not" type="xacml:NotType"/>
						<xs:element ref="xacml:predicate"/>
					</xs:choice>
				</xs:sequence>
			</xs:restriction>
		</xs:complexContent>
	</xs:complexType>
	<xs:complexType name="OrType">
		<xs:complexContent>
			<xs:restriction base="xacml:RuleAbstractType">
				<xs:sequence minOccurs="2" maxOccurs="unbounded">
					<xs:choice>
						<xs:element name="and" type="xacml:AndType"/>
						<xs:element name="or" type="xacml:OrType"/>
						<xs:element name="not" type="xacml:NotType"/>
						<xs:element ref="xacml:predicate"/>
					</xs:choice>
				</xs:sequence>
			</xs:restriction>
		</xs:complexContent>
	</xs:complexType>
	<xs:complexType name="NotType">
		<xs:complexContent>
			<xs:restriction base="xacml:RuleAbstractType">
				<xs:sequence>
					<xs:choice>
						<xs:element name="and" type="xacml:AndType"/>
						<xs:element name="or" type="xacml:OrType"/>
						<xs:element name="not" type="xacml:NotType"/>
						<xs:element ref="xacml:predicate"/>
					</xs:choice>
				</xs:sequence>
			</xs:restriction>
		</xs:complexContent>
	</xs:complexType>
	<xs:element name="predicate" type="xacml:PredicateAbstractType" abstract="true"/>
	<!--This is an XACML extensibility point.  New predicates may be added in the
		substitution group of "predicate"-->
	<xs:complexType name="PredicateAbstractType"/>
	<xs:element name="present" type="xacml:PresentType" substitutionGroup="xacml:predicate"/>
	<xs:element name="equal" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="greaterOrEqual" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="lessOrEqual" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="subsetOf" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="supersetOf" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="patternMatch" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="nonNullSetIntersection" type="xacml:CompareType" substitutionGroup="xacml:predicate"/>
	<xs:element name="externalFunction" type="xacml:ExternalFunctionType" substitutionGroup="xacml:predicate"/>
	<xs:complexType name="PresentType">
		<xs:complexContent>
			<xs:extension base="xacml:PredicateAbstractType">
				<xs:sequence>
					<xs:element ref="xacml:valueRef"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<xs:complexType name="CompareType">
		<xs:complexContent>
			<xs:extension base="xacml:PredicateAbstractType">
				<xs:sequence>
					<xs:element ref="xacml:valueRef"/>
					<xs:choice>
						<xs:element ref="xacml:valueRef"/>
						<xs:element ref="xacml:value"/>
					</xs:choice>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
		<!-- XML operands in "set" operations MUST be of type xs:list -->
		<!-- XML operands in "inequality" operations MUST contain an xsi:type attribute for which
	XACML defines a comparison algorithm -->
	</xs:complexType>
	<xs:element name="valueRef">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="authority" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"/>
			</xs:sequence>
			<xs:attribute name="entity" type="EntityType" use="optional"/>
			<xs:attribute name="attributeName" type="string" use="required"/>
		</xs:complexType>
	</xs:element>
	<xs:simpleType name="EntityType">
		<xs:restriction base="string">
			<xs:enumeration value="principal"/>
			<xs:enumeration value="resource"/>
			<xs:enumeration value="environment"/>
		</xs:restriction>
	</xs:simpleType>
	<xs:element name="value" type="xs:anyType"/>
	<xs:complexType name="ExternalFunctionType">
		<xs:complexContent>
			<xs:extension base="xacml:PredicateAbstractType">
				<xs:sequence>
					<xs:element ref="xs:string"/>
					<!-- could be a wsdl definition -->
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<xs:element name="postCondition" type="xacml:PostConditionType"/>
	<xs:complexType name="PostConditionType">
		<xs:sequence>
			<xs:element name="internalPostCondition" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
			<xs:element name="externalPostCondition" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
			<!-- could be a wsdl definition -->
		</xs:sequence>
	</xs:complexType>
</xs:schema>

