This is a post in a serious of discussions I am starting to get some discussion going on XACML. I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML. The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0.
This is a thread to talk about deployment. In a simple XACML implementation you may be able to have everything (PAP, PDP, PEP) co-located in a single JVM, but as you protect more resources in a distributed system or across multiple sytems you may need a more distributed approach. You may want the capability to administer centrally, but spread the work across multiple PDPs to put them closer to their PEPs or to enable them to index/process against smaller sets of policies. You may want to separate the PDP concern from the application (and the PEP) for maintainability, or perhaps you have a non-java system that needs to execute policies using PDP as a service.
There needs to be protocols to support a variety of deployment models. Ways to distribute policies from PAP to 1 or more PDPs, ways to communicate to PDPs remotely from PEPs, etc. There is an article already about using a PDP remotely, so there may already be ways to handle some of this distributed capability.