XACML Bags operations

Question

Assume we have a bag of booleans. Is there a function that can tell whether the number of "true" values is larger than some constant (e.g., 5)?

I came across "n-of" function, but it requires multiple separate attributes as an input and not a bag... Maybe "map" function can help, but not sure how since I didn't find a function that can reduce the number of items in a bag.

Thanks! Michael.

Answer 1

To achieve what you are looking for, you need to use two functions:

• a function that measures the size of the bag e.g. booleanBagSize(someAttribute)
• a functiont that checks that each value of the bag is equal to true. e.g. booleanEquals used in conjunction with a higher-order function e.g. AllOf

The resulting code in ALFA would be:

namespace axiomatics{
    attribute allowed{
        category = subjectCat
        id = "axiomatics.allowed"
        type = boolean
    }
    policy allowIf5True{
        apply firstApplicable
        rule allow{
            permit
            condition booleanBagSize(allowed)>5 && allOf(function[booleanEqual], true, allowed)
        }
    }
}

And the XACML 3.0 output would be

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/axiomatics.allowIf5True"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/axiomatics.allowIf5True.allow">
        <xacml3:Description />
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size" >
                        <xacml3:AttributeDesignator 
                            AttributeId="axiomatics.allowed"
                            DataType="http://www.w3.org/2001/XMLSchema#boolean"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#integer">5</xacml3:AttributeValue>
                </xacml3:Apply>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of" >
                    <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"/>
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="axiomatics.allowed"
                        DataType="http://www.w3.org/2001/XMLSchema#boolean"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        MustBePresent="false"
                    />
                </xacml3:Apply>
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>

This approach only works if the bag only contains true values.