I’m currently working on a web application using the MERN stack (MongoDB, Express.js, React.js, Node.js). I need to implement XACML (eXtensible Access Control Markup Language) for fine-grained access control, and I’m a bit confused about how to integrate all the XACML components (PEP, PIP, PAP, PDP) into my application. I want to know how all the components like MERN and XACML will work together, with code examples.
Here’s the architecture I’m aiming for:
Policy Enforcement Point (PEP): Intercepts user requests and enforces access control based on the decision from the PDP.
Policy Information Point (PIP): Provides additional information about the user or resource that might be needed for policy evaluation.
Policy Administration Point (PAP): Manages and stores the access control policies.
Policy Decision Point (PDP): Evaluates access requests against policies and returns an access decision (Permit/Deny).
My questions are:
Integration Flow: What should be the overall flow of integrating these XACML components into a MERN stack application?
Component Implementation:
How should I implement the PEP in a React and Express.js environment?
How to design the PDP logic in Node.js to evaluate policies stored in MongoDB?
What is the best way to set up the PAP for creating and managing policies?
How can I implement a PIP to fetch additional information needed for policy evaluation?
Tools and Libraries: Are there any recommended libraries or tools that can help in implementing XACML with Node.js?
I want to know very detailed information on this, with code examples of how this flow will work. For example, in this code the policies are being evaluated; in this code it’ll be going to an XML file to check some policies.
Best Practices: What are the best practices for handling performance and security when implementing XACML in a MERN stack application?
Additional Context:
User Authentication: I’ll be using SAML for user authentication.
Policies Storage: Still confused about where I should store the policies.
Application Type: It’s a multi-tenant application, so different tenants might have different access policies.
Any guidance, examples, or resources would be greatly appreciated!
I am expecting that using this answer I can start my work. I am in utter confusion due to the lack of resources, and the tutorials and docs made me more confused too. I don’t know how these things will work together.
Jubayer Hossain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
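As an added illustration of how the four roles listed in the question fit together (not code from the question or from any XACML library), here is a minimal in-process model in Node.js: a per-tenant PAP store, a PIP that enriches the request with subject attributes, a PDP with deny-overrides combining, and a PEP that fails closed on anything but Permit. Policies are plain JSON objects standing in for XACML XML, and the in-memory maps stand in for MongoDB collections; the user records and policies are constructed sample data.

```javascript
// PAP: per-tenant policy store (in-memory stand-in for a MongoDB collection).
// Each rule has a target (attribute values that must all match) and an effect.
const pap = new Map();
function addPolicy(tenantId, policy) {
  if (!pap.has(tenantId)) pap.set(tenantId, []);
  pap.get(tenantId).push(policy);
}

// PIP: resolves subject attributes the request did not carry.
// Constructed sample directory; in a real app this would query MongoDB or
// the SAML assertion's attribute statement.
const userDirectory = {
  alice: { role: 'admin', department: 'finance' },
  bob: { role: 'viewer', department: 'sales' },
};
function pip(subjectId) {
  return userDirectory[subjectId] || { role: 'anonymous' };
}

// PDP: evaluates a request context against the tenant's policies.
// Combining algorithm is deny-overrides: any matching Deny wins, otherwise
// any matching Permit wins, otherwise NotApplicable.
function matches(target, ctx) {
  return Object.entries(target).every(([k, v]) => ctx[k] === v);
}
function pdp(request) {
  const policies = pap.get(request.tenantId) || [];   // tenant isolation
  let decision = 'NotApplicable';
  for (const rule of policies) {
    if (!matches(rule.target, request)) continue;
    if (rule.effect === 'Deny') return 'Deny';
    decision = 'Permit';
  }
  return decision;
}

// PEP: builds the request (enriched via the PIP), asks the PDP, and enforces.
// Only an explicit Permit allows access; NotApplicable is treated as Deny.
// An Express middleware would map allowed=false to a 403 and true to next().
function pep({ tenantId, subjectId, resource, action }) {
  const attrs = pip(subjectId);
  const request = { tenantId, subjectId, resource, action, ...attrs };
  const decision = pdp(request);
  return { allowed: decision === 'Permit', decision };
}

// Constructed sample policies for one tenant.
addPolicy('tenant-a', { target: { resource: 'invoices', action: 'read', role: 'admin' }, effect: 'Permit' });
addPolicy('tenant-a', { target: { resource: 'invoices', action: 'read', role: 'viewer' }, effect: 'Permit' });
addPolicy('tenant-a', { target: { resource: 'invoices', department: 'sales' }, effect: 'Deny' });
```

With these policies, bob is a viewer (a Permit rule matches) but sits in the sales department (a Deny rule matches), so deny-overrides yields Deny; a subject from a tenant with no policies gets NotApplicable and is refused.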