<?xml version="1.0" encoding="UTF-8"?>
-<schema targetNamespace="urn:mace:shibboleth:2.0:afp" xmlns="http://www.w3.org/2001/XMLSchema"
- xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\r
-\r
- <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="classpath:/schema/xmldsig-core-schema.xsd" />\r
-\r
+<schema targetNamespace="urn:mace:shibboleth:2.0:afp"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:afp="urn:mace:shibboleth:2.0:afp"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ elementFormDefault="qualified">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="classpath:/schema/xmldsig-core-schema.xsd" />
+
<annotation>
<documentation>Schema for the attribute filter policies.</documentation>
</annotation>
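Review bot: Adding `elementFormDefault="qualified"` on the root changes the namespace expected of every locally declared element in this schema (`PolicyRequirementRuleReference`, `AttributeRuleReference`, `PermitValueRuleReference`, `DenyValueRuleReference`): under the previous default they had to appear in no namespace, and now they must be in `urn:mace:shibboleth:2.0:afp`. Policy files written against the old form will stop validating at load time; that fails closed, which is the right direction, but it is a breaking change that deserves a release note rather than a silent schema edit. The xmldsig import on the following line stays on a `classpath:` location instead of a URL, which is correct for a schema parsed at startup; it is worth confirming separately that the policy loader also disables DTD and external-entity resolution, since this schema cannot prevent a policy file from carrying a DOCTYPE.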
</element>
<complexType name="AttributeFilterPolicyGroupType">
<complexContent>
- <extension base="afp:IndentityType">
+ <extension base="afp:IdentityType">
<sequence>
<element ref="afp:PolicyRequirementRule" minOccurs="0" maxOccurs="unbounded">
<annotation>
</documentation>
</annotation>
</element>
- <element ref="afp:AttributeRule" minOccurs="0" maxOccurs="unbounded">
+ <element ref="afp:PermitValueRule" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>
- Defines an attribute rule that may be reused across multiple filter policies.
+ Defines a permit value rule that may be reused across multiple attribute rules.
</documentation>
</annotation>
</element>
- <element ref="afp:PermitValueRule" minOccurs="0" maxOccurs="unbounded">
+ <element ref="afp:DenyValueRule" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Defines a deny value rule that may be reused across multiple attribute rules.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="afp:AttributeRule" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>
- Defines an attribute value filter that may be reused across multiple attribtue rules.
+ Defines an attribute rule that may be reused across multiple filter policies.
</documentation>
</annotation>
- </element>\r
+ </element>
<element ref="afp:AttributeFilterPolicy" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>
such as a federation site, should be signed.
</documentation>
</annotation>
- </element>\r
- </sequence>\r
+ </element>
+ </sequence>
</extension>
- </complexContent>\r
+ </complexContent>
</complexType>
<element name="AttributeFilterPolicy" type="afp:AttributeFilterPolicyType">
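Review bot: The `sequence` in AttributeFilterPolicyGroupType now fixes the order PermitValueRule, DenyValueRule, AttributeRule, AttributeFilterPolicy, whereas the removed lines had AttributeRule ahead of PermitValueRule, so a policy group that lists a shared AttributeRule before its reusable value rules will no longer validate. If element order carries no meaning for the loader (which resolves references by id after parsing, as far as the schema shows), a `<choice minOccurs="0" maxOccurs="unbounded">` over the four elements in place of the `sequence` would keep existing files loading; if order is significant, the change should be documented in the group type's annotation. The enclosing AttributeFilterPolicyGroup element declaration starts before this hunk.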
</element>
<complexType name="AttributeFilterPolicyType">
<complexContent>
- <extension base="afp:IndentityType">
+ <extension base="afp:IdentityType">
<sequence>
<choice>
<element ref="afp:PolicyRequirementRule">
<element name="PolicyRequirementRuleReference" type="afp:ReferenceType">
<annotation>
<documentation>
- Rerfence to a PolicyRequirement defined within this policy group or another.
+ Reference to a PolicyRequirement defined within this policy group or another.
</documentation>
</annotation>
</element>
<element name="AttributeRuleReference" type="afp:ReferenceType">
<annotation>
<documentation>
- Rerfence to a AttribtueRule defined within this policy group or another.
+ Reference to a AttributeRule defined within this policy group or another.
</documentation>
</annotation>
</element>
</sequence>
</extension>
</complexContent>
- </complexType>\r
-\r
+ </complexType>
+
<element name="AttributeRule" type="afp:AttributeRuleType">
<annotation>
<documentation>A rule that describes how values of an attribute will be filtered.</documentation>
</annotation>
- </element>\r
+ </element>
<complexType name="AttributeRuleType">
<complexContent>
- <extension base="afp:IndentityType">
+ <extension base="afp:IdentityType">
<choice>
- <element ref="afp:PermitValueRule">
- <annotation>
- <documentation>
- A filter for attribute values. If the filter evaluates to true the value is permitted,
- otherwise it is filtered out.
- </documentation>
- </annotation>
- </element>
- <element name="PermitValueRuleReference" type="afp:ReferenceType">
- <annotation>
- <documentation>
- Rerfence to a PermitValueRule defined within this policy group or another.
- </documentation>
- </annotation>
- </element>
+ <choice minOccurs="0">
+ <element ref="afp:PermitValueRule" />
+ <element name="PermitValueRuleReference" type="afp:ReferenceType">
+ <annotation>
+ <documentation>
+ Reference to a PermitValueRule defined within this policy group or another.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <choice minOccurs="0">
+ <element ref="afp:DenyValueRule" />
+ <element name="DenyValueRuleReference" type="afp:ReferenceType">
+ <annotation>
+ <documentation>
+ Reference to a DenyValueRule defined within this policy group or another.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
</choice>
<attribute name="attributeID" type="string" use="required">
<annotation>
</annotation>
</attribute>
</extension>
- </complexContent>\r
+ </complexContent>
</complexType>
<element name="PolicyRequirementRule" type="afp:MatchFunctorType">
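Review bot: The rewritten content model of AttributeRuleType marks both inner choices `minOccurs="0"`, so an `<AttributeRule attributeID="x"/>` with neither a permit nor a deny rule is now schema-valid, where the removed model required a PermitValueRule or a reference to one. Whether such an empty rule releases nothing, releases everything, or is rejected is then decided by the loader rather than by validation; if an empty rule is not intended, drop `minOccurs="0"` from the two inner choices (the outer `choice` already makes permit and deny mutually exclusive within one rule), and if it is intended, say so in the AttributeRule annotation, e.g. `An AttributeRule with neither a permit nor a deny rule releases no values of the attribute.`, once that matches the engine. The `attributeID` attribute stays a bare `string`, so a misspelled id is presumably accepted and simply never matches; a comment warning that the schema cannot check it would help policy authors.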
<element name="PermitValueRule" type="afp:MatchFunctorType">
<annotation>
<documentation>
- A filter for attribtue values. If the filter evaluates to true the value is permitted, otherwise it is
- filtered out.
+ A filter for attribute values. If the filter evaluates to true the value is permitted to be released.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="DenyValueRule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>
+ A filter for attribute values. If the filter evaluates to true the value is denied and may not be released.
</documentation>
</annotation>
</element>
<complexType name="MatchFunctorType" abstract="true">
<complexContent>
- <extension base="afp:IndentityType" />
+ <extension base="afp:IdentityType" />
</complexContent>
</complexType>
- <complexType name="IndentityType">
+ <complexType name="IdentityType">
<attribute name="id" type="string">
<annotation>
<documentation>An ID, unique within the policy and component type.</documentation>
</attribute>
</complexType>
-</schema>
\ No newline at end of file
+</schema>
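Review bot: The new DenyValueRule annotation says a matching value "may not be released", but neither it nor the PermitValueRule text states what happens when the same value is permitted by one AttributeRule and denied by another, which is the case a deny rule exists for. The annotation should pin the precedence, e.g. `A deny rule takes precedence over any permit rule that applies to the same value.`, provided that is what the filter engine implements (confirm against the loader). Separately, the renamed `IdentityType` keeps `id` as `type="string"`, so the uniqueness its documentation promises is not enforced by validation and a duplicated id among reusable rules is left to the loader's lookup order; an `xs:unique` constraint scoped per component type on the policy group, or a loader-side duplicate check, would turn that into a hard error instead of a silent first-or-last-wins.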