<?xml 
  version="1.0"?>
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<!--                                                       -->
<!-- The Enterprise Privacy Authorization Language (EPAL)  -->
<!--                                                       -->
<!--  Authors:                                             -->
<!--      Paul Ashley <pashley at us.ibm.com>              -->
<!--      Satoshi Hada <satoshih at jp.ibm.com>            -->
<!--      G&uuml;nter Karjoth <gka at zurich.ibm.com>      -->
<!--      Calvin Powers <cspowers at us.ibm.com>           -->
<!--      Matthias Schunter <mts at zurich.ibm.com>        -->
<!--                                                       -->
<!--  Abstract: This schema defines the structure of EPAL  -->
<!--      privacy policies.                                -->
<!--                                                       -->
<!--  Version: 1.1                                         -->
<!--                                                       -->
<!-- Copyright (c) 2000-2003                               -->
<!-- International Business Machines Corporation.          -->
<!--                                                       -->
<!--                                                       -->
<!-- $Id: epal.xsd,v 1.39.2.1 2003/10/15 16:35:01 mts Exp $    -->
<xs:schema
  xmlns:epal="http://www.research.ibm.com/privacy/epal"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy"
  targetNamespace="http://www.research.ibm.com/privacy/epal"
  xml:lang="en"
  elementFormDefault="qualified"
  attributeFormDefault="unqualified"
  version="b">

  <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
  <!--                                                       -->
  <!-- Import other namespaces                               -->
  <!--                                                       -->

  <!-- Imports the XACML 1.0 policy namespace; this schema uses it for
       the xacml:Condition element referenced inside epal-policy
       conditions. schemaLocation is a relative reference and only a
       hint to the schema processor.
       NOTE(review): validation of every EPAL condition depends on the
       imported file, so keep a vetted local copy next to this schema
       (or map it through a catalog) and configure validators not to
       fetch schemas from the network. -->
  <xs:import
    namespace="urn:oasis:names:tc:xacml:1.0:policy"
    schemaLocation="cs-xacml-schema-policy-01.xsd"/>

  <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
  <!--                                                       -->
  <!-- DECLARATION OF REUSABLE TYPES                         -->
  <!--                                                       -->
  <!-- Types needed often are declared here.                 -->

  <!-- Base type for elements that carry their own identifier.
       The id attribute is mandatory and typed xs:NCName rather than
       xs:ID, so the type alone does not make ids unique; uniqueness
       holds only where an enclosing element declares xs:key or
       xs:unique over @id. -->
  <xs:complexType
    name="identifiedObjectType">
    <xs:attribute
      name="id"
      use="required"
      type="xs:NCName"></xs:attribute>
  </xs:complexType>

  <!-- Base type for elements that point at an identifier by name.
       The refid attribute is mandatory and typed xs:NCName rather than
       xs:IDREF, so the type alone does not require the target to
       exist; that is checked only where an enclosing element declares
       an xs:keyref over @refid.
       NOTE(review): consumers should treat a refid that resolves to
       nothing as an error instead of silently ignoring the reference. -->
  <xs:complexType
    name="referringObjectType">
    <xs:attribute
      name="refid"
      use="required"
      type="xs:NCName"></xs:attribute>
  </xs:complexType>


  <!-- Identified elements that also carry human-readable descriptions
       and free-form properties. Extends identifiedObjectType, so the
       required id attribute is inherited. All three child elements are
       optional and repeatable, and must appear in the order
       short-description, long-description, property. -->
  <xs:complexType
    name="describedObjectType">
    <xs:complexContent>
      <xs:extension
        base="epal:identifiedObjectType">
        <xs:sequence>
          <!-- Short description text; the language attribute defaults
               to "en" when omitted. -->
          <xs:element
            name="short-description"
            minOccurs="0"
            maxOccurs="unbounded">
            <xs:complexType>
              <xs:simpleContent>
                <xs:extension
                  base="xs:string">
                  <xs:attribute
                    name="language"
                    use="optional"
                    default="en"
                    type="xs:language"></xs:attribute>
                </xs:extension>
              </xs:simpleContent>
            </xs:complexType>
          </xs:element>
          <!-- Long description text; same structure as
               short-description. Both are unconstrained xs:string, so
               anything that renders them should handle them as
               untrusted text. -->
          <xs:element
            name="long-description"
            minOccurs="0"
            maxOccurs="unbounded">
            <xs:complexType>
              <xs:simpleContent>
                <xs:extension
                  base="xs:string">
                  <xs:attribute
                    name="language"
                    use="optional"
                    default="en"
                    type="xs:language"></xs:attribute>
                </xs:extension>
              </xs:simpleContent>
            </xs:complexType>
          </xs:element>
          <!-- Named property holding zero or more values.
               The id is required, but this type declares no identity
               constraint over it, so as far as this type is concerned
               two properties of one object may share an id.
               NOTE(review): the schema gives properties no meaning;
               confirm how consumers interpret them before relying on
               a property for an access decision. -->
          <xs:element
            name="property"
            minOccurs="0"
            maxOccurs="unbounded">
            <xs:complexType>
              <xs:sequence>
                <xs:element
                  name="value"
                  type="epal:epalSimpleType"
                  minOccurs="0"
                  maxOccurs="unbounded"/>
              </xs:sequence>
              <xs:attribute
                name="id"
                use="required"
                type="xs:NCName"></xs:attribute>
            </xs:complexType>
          </xs:element>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Described elements that can name a parent, forming a hierarchy.
       The parent attribute is optional; an element without it has no
       declared parent. The attribute is a plain xs:NCName, so whether
       the named parent exists is checked only by a keyref on the
       enclosing element.
       NOTE(review): identity constraints can check that a parent
       exists but cannot detect a cycle (an element naming itself or
       one of its descendants as parent). Code that walks the hierarchy
       should detect cycles and reject such a vocabulary. -->
  <xs:complexType
    name="hierarchicalType">
    <xs:complexContent>
      <xs:extension
        base="epal:describedObjectType">
        <xs:attribute
          name="parent"
          use="optional"
          type="xs:NCName"></xs:attribute>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Contact information for an issuer.
       All five elements are required exactly once and in this order.
       Each is an unconstrained xs:string: the schema checks neither
       the e-mail syntax nor the country value, and an empty string is
       valid. Nothing here authenticates the issuer; the values are
       self-asserted by whoever wrote the document. -->
  <xs:complexType
    name="contactInfoType">
    <xs:sequence>
      <xs:element
        name="name"
        type="xs:string"
        minOccurs="1"
        maxOccurs="1"></xs:element>
      <xs:element
        name="organization"
        type="xs:string"
        minOccurs="1"
        maxOccurs="1"></xs:element>
      <xs:element
        name="e-mail"
        type="xs:string"
        minOccurs="1"
        maxOccurs="1"></xs:element>
      <xs:element
        name="address"
        type="xs:string"
        minOccurs="1"
        maxOccurs="1"></xs:element>
      <xs:element
        name="country"
        type="xs:string"
        minOccurs="1"
        maxOccurs="1"></xs:element>
    </xs:sequence>
  </xs:complexType>

  <!-- Descriptor of an attribute: a described object plus the data
       type of its values and how many values are expected. -->
  <xs:complexType
    name="attributeDefinitionType">
    <xs:complexContent>
      <xs:extension
        base="epal:describedObjectType">
        <!-- Required data type, given as one of the URIs enumerated
             in epalSimpleTypeURI. -->
        <xs:attribute
          name="simpleType"
          use="required"
          type="epal:epalSimpleTypeURI"/>
        <!-- Lower bound on the number of values; defaults to 1.
             The union accepts a non-negative integer or the literal
             "unbounded", so minOccurs="unbounded" is schema-valid.
             NOTE(review): nothing relates minOccurs to maxOccurs;
             consumers should reject a definition whose minimum
             exceeds its maximum. -->
        <xs:attribute
          name="minOccurs"
          use="optional"
          default="1">
          <xs:simpleType>
            <xs:union
              memberTypes="xs:nonNegativeInteger">
              <xs:simpleType>
                <xs:restriction
                  base="xs:string">
                  <xs:enumeration
                    value="unbounded"/>
                </xs:restriction>
              </xs:simpleType>
            </xs:union>
          </xs:simpleType>
        </xs:attribute>
        <!-- Upper bound on the number of values; defaults to 1.
             Same value space as minOccurs. -->
        <xs:attribute
          name="maxOccurs"
          use="optional"
          default="1">
          <xs:simpleType>
            <xs:union
              memberTypes="xs:nonNegativeInteger">
              <xs:simpleType>
                <xs:restriction
                  base="xs:string">
                  <xs:enumeration
                    value="unbounded"/>
                </xs:restriction>
              </xs:simpleType>
            </xs:union>
          </xs:simpleType>
        </xs:attribute>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Descriptor of a container attribute: an attribute definition
       with one extra optional boolean flag, auditable, which defaults
       to false when omitted.
       NOTE(review): the schema does not say what auditable means;
       presumably it marks attributes whose values are recorded for
       audit. If so, the false default means an attribute is left out
       of audit records unless the author opts in. Confirm against the
       EPAL specification. -->
  <xs:complexType
    name="containerAttributeDefinitionType">
    <xs:complexContent>
      <xs:extension
        base="epal:attributeDefinitionType">
        <xs:attribute
          name="auditable"
          use="optional"
          type="xs:boolean"
          default="false"/>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Closed list of data type identifiers allowed in the simpleType
       attribute of an attribute definition. The values are matched
       against this enumeration as URIs; any value not listed here is
       rejected by validation. Ten entries name XML Schema built-in
       types, two name duration types from the 2002-08-16 XQuery
       operators Working Draft, and two name XACML 1.0 data types. -->
  <xs:simpleType
    name="epalSimpleTypeURI">
    <xs:restriction
      base="xs:anyURI">
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#string"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#anyURI"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#boolean"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#hexBinary"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#base64Binary"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#double"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#time"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#date"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#dateTime"/>
      <xs:enumeration
        value="http://www.w3.org/2001/XMLSchema#integer"/>
      <xs:enumeration
        value="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration"/>
      <xs:enumeration
        value="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration"/>
      <xs:enumeration
        value="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"/>
      <xs:enumeration
        value="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
    </xs:restriction>
  </xs:simpleType>

  <!-- Type of the value elements used by properties and obligation
       parameters: a union of the XML Schema built-in types that
       correspond to the URIs in epalSimpleTypeURI. -->
  <xs:simpleType
    name="epalSimpleType">
    <!-- Four data types (dayTimeDuration, yearMonthDuration, x500Name, and rfc822Name) are ignored since there are no corresponding simple types.-->
    <!-- NOTE(review): xs:string is a member of the union and accepts
         any text, so every value is valid against this type whatever
         its content. The schema therefore does not check a value
         against the simpleType declared for it; consumers must parse
         and validate each value against the declared data type
         themselves before using it. -->
    <xs:union
      memberTypes="xs:string xs:boolean xs:integer xs:double xs:time xs:date xs:dateTime xs:anyURI xs:hexBinary xs:base64Binary"/>
  </xs:simpleType>


  <!-- Header information for a policy or a vocabulary: a described
       object with an optional issuer, an optional location and a
       mandatory version-info element. -->

  <xs:complexType
    name="infoType">
    <xs:complexContent>
      <xs:extension
        base="epal:describedObjectType">
        <xs:sequence>
          <!-- Optional issuer contact details. The content is
               self-asserted; the schema provides no signature or other
               means to verify who issued the document. -->
          <xs:element
            name="issuer"
            minOccurs="0"
            maxOccurs="1"
            type="epal:contactInfoType"></xs:element>
          <!-- Optional URI for the document. Any URI scheme is
               accepted by xs:anyURI. -->
          <xs:element
            name="location"
            minOccurs="0"
            maxOccurs="1"
            type="xs:anyURI"></xs:element>
          <!-- Mandatory versioning data, carried entirely in
               attributes. start-date, revision-number and
               last-modified are required; the rest are optional.
               NOTE(review): the schema cannot relate the dates to
               each other, so an end-date earlier than start-date is
               valid here. Consumers should check the validity window
               themselves and decide explicitly how to treat a
               document outside it. -->
          <xs:element
            name="version-info"
            minOccurs="1"
            maxOccurs="1">
            <xs:complexType>
              <!-- Defaults to false. NOTE(review): presumably marks a
                   document meant for testing only; confirm, and if so
                   make sure production deployments refuse documents
                   with test="true". -->
              <xs:attribute
                name="test"
                type="xs:boolean"
                default="false"
                use="optional"></xs:attribute>
              <xs:attribute
                name="start-date"
                type="xs:dateTime"
                use="required"></xs:attribute>
              <!-- Free-form string; the schema imposes no format or
                   ordering on revision numbers. -->
              <xs:attribute
                name="revision-number"
                type="xs:string"
                use="required"></xs:attribute>
              <xs:attribute
                name="last-modified"
                type="xs:dateTime"
                use="required"></xs:attribute>
              <xs:attribute
                name="end-date"
                type="xs:dateTime"
                use="optional"></xs:attribute>
              <!-- Optional pointers to a successor document. Both are
                   optional independently; no constraint ties them
                   together or to an existing document. -->
              <xs:attribute
                name="superseded-by-id"
                type="xs:NCName"
                use="optional"></xs:attribute>
              <xs:attribute
                name="superseded-by-revision"
                type="xs:string"
                use="optional"></xs:attribute>
            </xs:complexType>
          </xs:element>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>


  <!-- Reference to another policy or vocabulary document: a described
       object with a required location URI and an optional
       revision-number.
       NOTE(review): location accepts any URI and revision-number is
       optional, so a reference need not be pinned to a revision and
       carries no digest of the target. A processor that dereferences
       location should restrict the schemes and hosts it will fetch
       from, and should verify that the document it obtains is the
       expected one, because the referenced vocabulary defines the
       terms the policy rules are evaluated against. -->

  <xs:complexType
    name="importStatementType">
    <xs:complexContent>
      <xs:extension
        base="epal:describedObjectType">
        <xs:attribute
          name="location"
          use="required"
          type="xs:anyURI"></xs:attribute>
        <xs:attribute
          name="revision-number"
          use="optional"
          type="xs:string"></xs:attribute>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>


  <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
  <!--                                                           -->
  <!-- DECLARATION OF THE <epal-vocabulary> TOPLEVEL ELEMENT     -->
  <!--                                                           -->

  <!-- Top-level element of a vocabulary document. Content, in order:
       one vocabulary-information header, then any number of
       user-category, data-category, purpose, action, container and
       obligation definitions. Ids are constrained per kind of
       definition (see the identity constraints at the end), not
       across kinds, so a user-category and a purpose may share an
       id. -->
  <xs:element
    name="epal-vocabulary">
    <xs:complexType>
      <xs:sequence>
        <xs:element
          name="vocabulary-information"
          minOccurs="1"
          maxOccurs="1"
          type="epal:infoType"></xs:element>
        <!-- The three hierarchical kinds: each definition may name a
             parent of the same kind through its parent attribute. -->
        <xs:element
          name="user-category"
          minOccurs="0"
          maxOccurs="unbounded"
          type="epal:hierarchicalType"></xs:element>
        <xs:element
          name="data-category"
          minOccurs="0"
          maxOccurs="unbounded"
          type="epal:hierarchicalType"></xs:element>
        <xs:element
          name="purpose"
          type="epal:hierarchicalType"
          minOccurs="0"
          maxOccurs="unbounded"></xs:element>
        <!-- Actions are flat: describedObjectType has no parent
             attribute. -->
        <xs:element
          name="action"
          type="epal:describedObjectType"
          minOccurs="0"
          maxOccurs="unbounded"></xs:element>
        <!-- A container is a described object holding at least one
             attribute definition. -->
        <xs:element
          name="container"
          minOccurs="0"
          maxOccurs="unbounded">
          <xs:complexType>
            <xs:complexContent>
              <xs:extension
                base="epal:describedObjectType">
                <xs:sequence
                  minOccurs="1"
                  maxOccurs="1">
                  <xs:element
                    name="attribute"
                    type="epal:containerAttributeDefinitionType"
                    minOccurs="1"
                    maxOccurs="unbounded"></xs:element>
                </xs:sequence>
              </xs:extension>
            </xs:complexContent>
          </xs:complexType>
          <!-- Declared attribute id's must be unique within each container -->
          <xs:unique
            name="uniqueAttributeDef">
            <xs:selector
              xpath="./epal:attribute"/>
            <xs:field
              xpath="@id"/>
          </xs:unique>
        </xs:element>
        <!-- An obligation is a described object with parameter
             definitions. The inner parameter particle allows zero
             occurrences, so an obligation without parameters is
             valid even though the enclosing sequence is 1 to
             unbounded. -->
        <xs:element
          name="obligation"
          minOccurs="0"
          maxOccurs="unbounded">
          <xs:complexType>
            <xs:complexContent>
              <xs:extension
                base="epal:describedObjectType">
                <xs:sequence
                  minOccurs="1"
                  maxOccurs="unbounded">
                  <xs:element
                    name="parameter"
                    type="epal:attributeDefinitionType"
                    minOccurs="0"
                    maxOccurs="unbounded"></xs:element>
                </xs:sequence>
              </xs:extension>
            </xs:complexContent>
          </xs:complexType>
          <!-- Declared parameter id's must be unique within each obligation -->
          <xs:unique
            name="uniqueParamDef">
            <xs:selector
              xpath="./epal:parameter"/>
            <xs:field
              xpath="@id"/>
          </xs:unique>
        </xs:element>
      </xs:sequence>
      <!-- Optional version marker, defaulting to "1.1". It is a plain
           xs:string and not fixed, so any value validates; consumers
           that support only some versions must check it themselves. -->
      <xs:attribute
        name="version"
        type="xs:string"
        default="1.1"/>
    </xs:complexType>

    <!-- Key and References for user-category/@id -->
    <!-- The key makes user-category ids unique; the keyref requires
         every parent attribute that is present to equal the id of
         some user-category in this document. Elements without a
         parent attribute are not checked by the keyref. The same
         pattern is repeated below for data-category and purpose.
         Cycles in the parent chain are not detected by these
         constraints. -->
    <xs:key
      name="user-category-identifier">
      <xs:selector
        xpath="./epal:user-category"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:key>

    <xs:keyref
      name="user-category-reference"
      refer="epal:user-category-identifier">
      <xs:selector
        xpath="./epal:user-category"></xs:selector>
      <xs:field
        xpath="@parent"></xs:field>
    </xs:keyref>

    <!-- Key and References for data-category/@id -->
    <xs:key
      name="data-category-identifier">
      <xs:selector
        xpath="./epal:data-category"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:key>

    <xs:keyref
      name="data-category-reference"
      refer="epal:data-category-identifier">
      <xs:selector
        xpath="./epal:data-category"></xs:selector>
      <xs:field
        xpath="@parent"></xs:field>
    </xs:keyref>

    <!-- Key and References for purpose/@id -->
    <xs:key
      name="purpose-identifier">
      <xs:selector
        xpath="./epal:purpose"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:key>

    <xs:keyref
      name="purpose-reference"
      refer="epal:purpose-identifier">
      <xs:selector
        xpath="./epal:purpose"></xs:selector>
      <xs:field
        xpath="@parent"></xs:field>
    </xs:keyref>

    <!-- Declared action id's must be unique -->
    <xs:unique
      name="action-identifier">
      <xs:selector
        xpath="./epal:action"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:unique>

    <!-- Declared container id's must be unique -->
    <xs:unique
      name="container-identifier">
      <xs:selector
        xpath="./epal:container"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:unique>

    <!-- Declared obligation id's must be unique -->
    <xs:unique
      name="obligation-identifier">
      <xs:selector
        xpath="./epal:obligation"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:unique>

  </xs:element>

  <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
  <!--                                                           -->
  <!-- DECLARATION OF THE <epal-policy> TOPLEVEL ELEMENT     -->
  <!--                                                           -->

  <!-- Top-level element of a policy document. Content, in order: one
       policy-information header, one epal-vocabulary-ref, then any
       number of condition definitions followed by any number of
       rules.
       NOTE(review): this schema checks structure only. Apart from
       rule/condition, none of the references a policy makes are
       verified by validation (see the notes inside), so a
       schema-valid policy is not necessarily a resolvable one. -->
  <xs:element
    name="epal-policy">
    <xs:complexType>
      <xs:sequence>
        <xs:element
          name="policy-information"
          minOccurs="1"
          maxOccurs="1"
          type="epal:infoType"></xs:element>
        <!-- Exactly one reference to a vocabulary document, given by
             location URI with an optional revision-number. -->
        <xs:element
          name="epal-vocabulary-ref"
          minOccurs="1"
          maxOccurs="1"
          type="epal:importStatementType"/>
        <!-- A condition is a described object that lists one or more
             evaluates-container references and then exactly one
             xacml:Condition from the imported XACML namespace.
             NOTE(review): no keyref covers evaluates-container/@refid;
             presumably it names a container id from the referenced
             vocabulary, which validation of this document cannot
             see. Confirm, and have the processor resolve it. -->
        <xs:element
          name="condition"
          minOccurs="0"
          maxOccurs="unbounded">
          <xs:complexType>
            <xs:complexContent>
              <xs:extension
                base="epal:describedObjectType">
                <xs:sequence>
                  <xs:element
                    name="evaluates-container"
                    minOccurs="1"
                    maxOccurs="unbounded"
                    type="epal:referringObjectType"/>
                  <xs:element
                    minOccurs="1"
                    maxOccurs="1"
                    ref="xacml:Condition"/>
                </xs:sequence>
              </xs:extension>
            </xs:complexContent>
          </xs:complexType>
        </xs:element>

        <!-- A rule is a described object that references, in order:
             one or more user-category, one or more data-category,
             zero or more purpose, one or more action, zero or more
             condition and zero or more obligation elements.
             NOTE(review): only condition/@refid is covered by a
             keyref (condition-reference, below). The refid values of
             user-category, data-category, purpose, action and
             obligation are unchecked here; presumably they name ids
             in the vocabulary referenced by epal-vocabulary-ref, a
             separate document. The processor must resolve them and
             should reject the policy when one does not resolve,
             since ignoring it could change which requests the rule
             matches. -->
        <xs:element
          name="rule"
          minOccurs="0"
          maxOccurs="unbounded">
          <xs:complexType>
            <xs:complexContent>
              <xs:extension
                base="epal:describedObjectType">
                <xs:sequence>
                  <xs:element
                    name="user-category"
                    type="epal:referringObjectType"
                    minOccurs="1"
                    maxOccurs="unbounded"></xs:element>
                  <xs:element
                    name="data-category"
                    type="epal:referringObjectType"
                    minOccurs="1"
                    maxOccurs="unbounded"></xs:element>
                  <xs:element
                    name="purpose"
                    type="epal:referringObjectType"
                    minOccurs="0"
                    maxOccurs="unbounded"></xs:element>
                  <xs:element
                    name="action"
                    type="epal:referringObjectType"
                    minOccurs="1"
                    maxOccurs="unbounded"></xs:element>
                  <xs:element
                    name="condition"
                    type="epal:referringObjectType"
                    minOccurs="0"
                    maxOccurs="unbounded"></xs:element>
                  <!-- Obligation reference with optional parameter
                       values. Each parameter carries a required refid
                       and zero or more values. The values are typed
                       epalSimpleType, a union that includes
                       xs:string, so their content is not checked
                       against the data type declared for the
                       parameter; the processor has to do that. -->
                  <xs:element
                    name="obligation"
                    minOccurs="0"
                    maxOccurs="unbounded">
                    <xs:complexType>
                      <xs:complexContent>
                        <xs:extension
                          base="epal:referringObjectType">
                          <xs:sequence
                            minOccurs="0"
                            maxOccurs="1">
                            <xs:element
                              name="parameter"
                              minOccurs="0"
                              maxOccurs="unbounded">
                              <xs:complexType>
                                <xs:sequence>
                                  <xs:element
                                    name="value"
                                    type="epal:epalSimpleType"
                                    minOccurs="0"
                                    maxOccurs="unbounded"/>
                                </xs:sequence>
                                <xs:attribute
                                  name="refid"
                                  use="required"
                                  type="xs:NCName"></xs:attribute>
                              </xs:complexType>
                            </xs:element>
                          </xs:sequence>
                        </xs:extension>
                      </xs:complexContent>
                    </xs:complexType>
                    <!-- Parameter refid's must be unique within each obligation -->
                    <xs:unique
                      name="uniqueParameter">
                      <xs:selector
                        xpath="./epal:parameter"/>
                      <xs:field
                        xpath="@refid"/>
                    </xs:unique>
                  </xs:element>
                </xs:sequence>
                <!-- The rule's decision, restricted to "allow" or
                     "deny".
                     NOTE(review): the declaration has no use
                     attribute and no default, so the attribute is
                     optional and a rule with no ruling is
                     schema-valid. Processors should reject such a
                     rule, or at least never read a missing ruling
                     as allow. -->
                <xs:attribute
                  name="ruling">
                  <xs:simpleType>
                    <xs:restriction
                      base="xs:string">
                      <xs:enumeration
                        value="allow"/>
                      <xs:enumeration
                        value="deny"/>
                    </xs:restriction>
                  </xs:simpleType>
                </xs:attribute>
              </xs:extension>
            </xs:complexContent>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
      <!-- Optional version marker, defaulting to "1.1". It is a plain
           xs:string and not fixed, so any value validates. -->
      <xs:attribute
        name="version"
        type="xs:string"
        default="1.1"/>
      <!-- Optional name of a condition.
           NOTE(review): no keyref ties this attribute to
           condition-identifier, so a name that matches no condition
           in the policy passes validation. Processors should check
           that it resolves and treat a dangling name as an error,
           not as "no global condition". -->
      <xs:attribute
        name="global-condition"
        type="xs:NCName"
        use="optional"/>
      <!-- Required; one of "allow", "deny" or "not-applicable".
           NOTE(review): presumably the decision returned when no
           rule applies to a request; confirm against the EPAL
           specification. If so, "allow" makes the policy
           permit-by-default, which deserves explicit review for
           any policy protecting personal data. -->
      <xs:attribute
        name="default-ruling"
        use="required">
        <xs:simpleType>
          <xs:restriction
            base="xs:string">
            <xs:enumeration
              value="allow"/>
            <xs:enumeration
              value="deny"/>
            <xs:enumeration
              value="not-applicable"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>

    <!-- Key and References for condition/@id -->
    <!-- The key makes condition ids unique within the policy; the
         keyref requires every rule/condition refid to equal the id
         of a condition defined in this policy. This is the only
         reference in the policy that validation resolves. -->
    <xs:key
      name="condition-identifier">
      <xs:selector
        xpath="./epal:condition"></xs:selector>
      <xs:field
        xpath="@id"></xs:field>
    </xs:key>

    <xs:keyref
      name="condition-reference"
      refer="epal:condition-identifier">
      <xs:selector
        xpath="./epal:rule/epal:condition"></xs:selector>
      <xs:field
        xpath="@refid"></xs:field>
    </xs:keyref>

    <!-- Rule id's must be unique within a policy -->
    <xs:unique
      name="uniqueRuleId">
      <xs:selector
        xpath="./epal:rule"/>
      <xs:field
        xpath="@id"/>
    </xs:unique>

  </xs:element>
</xs:schema>