Enforcer provides the following categories of Oasis functions accessible from ALFA. These functions can be used as part of an expression inside a policy.
To make use of these functions from inside an ALFA file, use the import statement:
import Oasis.Functions
import Enforcer.Functions
Attribute Bags
The following functions provide set functionality on attribute bags.
Single
Namespace : Oasis.Functions
function Single = "urn:oasis:names:tc:xacml:x.x:function:type-one-and-only"
: inputBag:bag[string] -> string
| inputBag:bag[integer] -> integer
| inputBag:bag[boolean] -> boolean
| inputBag:bag[double] -> double
| inputBag:bag[date] -> date
| inputBag:bag[dateTime] -> dateTime
| inputBag:bag[time] -> time
Returns the single value from a bag that only contains one value.
Indeterminate
If the bag does not contain exactly one item, the function fails and the overall result of the expression is indeterminate.
Size
Namespace : Oasis.Functions
function Size = "urn:oasis:names:tc:xacml:x.x:function:type-bag-size"
: inputBag:bag[string] -> integer
| inputBag:bag[integer] -> integer
| inputBag:bag[boolean] -> integer
| inputBag:bag[double] -> integer
| inputBag:bag[date] -> integer
| inputBag:bag[dateTime] -> integer
| inputBag:bag[time] -> integer
Returns the number of items in the bag.
Example
Will return the number of Roles associated with the user.
Size(Subject.Roles)
IsIn
Namespace : Oasis.Functions
function IsIn = "urn:oasis:names:tc:xacml:x.x:function:type-is-in"
: itemToCheck:string inputBag:bag[string] -> boolean
| itemToCheck:integer inputBag:bag[integer] -> boolean
| itemToCheck:boolean inputBag:bag[boolean] -> boolean
| itemToCheck:double inputBag:bag[double] -> boolean
| itemToCheck:date inputBag:bag[date] -> boolean
| itemToCheck:dateTime inputBag:bag[dateTime] -> boolean
| itemToCheck:time inputBag:bag[time] -> boolean
Takes a bag and a value, and returns true if the item is in the bag. The value needs to be the same type as items in the bag.
ToBag
Namespace : Oasis.Functions
function ToBag = "urn:oasis:names:tc:xacml:x.x:function:type-bag"
: items:string* -> bag[string]
| items:integer* -> bag[integer]
| items:boolean* -> bag[boolean]
| items:double* -> bag[double]
| items:date* -> bag[date]
| items:dateTime* -> bag[dateTime]
| items:time* -> bag[time]
Creates a bag from multiple single values.
Example
ToBag("first", "second", "third")
Would produce a bag containing the three strings.
Intersection
Namespace : Oasis.Functions
function Intersection = "urn:oasis:names:tc:xacml:x.x:function:type-intersection"
: first:bag[string] second:bag[string] -> bag[string]
| first:bag[integer] second:bag[integer] -> bag[integer]
| first:bag[boolean] second:bag[boolean] -> bag[boolean]
| first:bag[double] second:bag[double] -> bag[double]
| first:bag[date] second:bag[date] -> bag[date]
| first:bag[dateTime] second:bag[dateTime] -> bag[dateTime]
| first:bag[time] second:bag[time] -> bag[time]
Creates a bag containing only the items that appear in both input bags.
Union
Namespace : Oasis.Functions
function Union = "urn:oasis:names:tc:xacml:x.x:function:type-union"
: first:bag[string] second:bag[string] -> bag[string]
| first:bag[integer] second:bag[integer] -> bag[integer]
| first:bag[boolean] second:bag[boolean] -> bag[boolean]
| first:bag[double] second:bag[double] -> bag[double]
| first:bag[date] second:bag[date] -> bag[date]
| first:bag[dateTime] second:bag[dateTime] -> bag[dateTime]
| first:bag[time] second:bag[time] -> bag[time]
Creates a bag containing all unique items that appear in either of the two input bags.
IsSubSet
Namespace : Oasis.Functions
function IsSubSet = "urn:oasis:names:tc:xacml:x.x:function:type-subset"
: potentialSubset:bag[string] superSet:bag[string] -> boolean
| potentialSubset:bag[integer] superSet:bag[integer] -> boolean
| potentialSubset:bag[boolean] superSet:bag[boolean] -> boolean
| potentialSubset:bag[double] superSet:bag[double] -> boolean
| potentialSubset:bag[date] superSet:bag[date] -> boolean
| potentialSubset:bag[dateTime] superSet:bag[dateTime] -> boolean
| potentialSubset:bag[time] superSet:bag[time] -> boolean
Returns true if all the items in the first parameter bag appear in the second parameter bag.
IsEqual
Namespace : Oasis.Functions
function IsEqual = "urn:oasis:names:tc:xacml:x.x:function:type-set-equals"
: first:bag[string] second:bag[string] -> boolean
| first:bag[integer] second:bag[integer] -> boolean
| first:bag[boolean] second:bag[boolean] -> boolean
| first:bag[double] second:bag[double] -> boolean
| first:bag[date] second:bag[date] -> boolean
| first:bag[dateTime] second:bag[dateTime] -> boolean
| first:bag[time] second:bag[time] -> boolean
Returns true if both bags contain the same items, otherwise false.
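The Indeterminate behaviour of Single, modelled in Python as an added example (not Enforcer or ALFA code): the same check is written with Single, with a Size guard, and with IsIn, then evaluated against constructed bags holding zero, one and two values. The attribute name Subject.Department and the three-valued evaluate helper are assumptions made for the illustration.

```python
# Added illustration, not Enforcer code. Bags are modelled as Python lists.

class Indeterminate(Exception):
    """The function failed, so the whole expression is indeterminate."""

def single(bag):
    # Single: defined only for a bag holding exactly one value.
    if len(bag) != 1:
        raise Indeterminate(f"Single needs exactly 1 item, bag has {len(bag)}")
    return bag[0]

def size(bag):
    # Size: number of items in the bag.
    return len(bag)

def is_in(item, bag):
    # IsIn: true if the item is in the bag.
    return item in bag

def evaluate(expression, attributes):
    """Hypothetical helper: returns True, False or 'Indeterminate'."""
    try:
        return bool(expression(attributes))
    except Indeterminate:
        return "Indeterminate"

DEPT = "Subject.Department"  # hypothetical attribute name

# The same intent ("subject is in finance") written three ways.
EXPRESSIONS = {
    "Single": lambda a: single(a[DEPT]) == "finance",
    "Size guard": lambda a: size(a[DEPT]) == 1 and single(a[DEPT]) == "finance",
    "IsIn": lambda a: is_in("finance", a[DEPT]),
}

# Constructed requests: attribute missing, one value, two values.
REQUESTS = {
    "empty": {DEPT: []},
    "one": {DEPT: ["finance"]},
    "two": {DEPT: ["finance", "sales"]},
}

def outcomes():
    """Map each expression name to its result for every constructed request."""
    return {name: {req: evaluate(expr, attrs) for req, attrs in REQUESTS.items()}
            for name, expr in EXPRESSIONS.items()}

if __name__ == "__main__":
    for name, row in outcomes().items():
        print(f"{name:10} {row}")
```

Only the Single form can leave the expression indeterminate; the guarded and IsIn forms always yield true or false, and they differ on the two-value bag.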