Some examples of policies are:

Managers can view documents in their city

Users can edit documents they own
Each policy uses attributes. In the examples above, the policies use the following attributes:

A user’s role e.g. manager

An action e.g. view, edit.

A resource type e.g. document

A user’s city e.g. Kalamazoo

A document’s city e.g. Tallahassee
Functions in XACML
To make sense of the attributes and their values, XACML uses functions. There are different types of functions available in the language:

Bag functions: these functions are here to manipulate attributes as bags. One such example is stringOneAndOnly as previously described in this blog post.

Date and time arithmetic functions: these functions operate on date and time attributes. They can be useful to apply timebased authorization as described in this blog post

Regularexpressionbased functions: these functions are great to check whether strings or other datatypes comply to a given pattern.

Set functions: these functions are great to work on bags of values and do unions or intersections.

String functions: these functions cover different aspects of using string attributes.

XPathbased functions: these functions are great to extract and compare XML.

Arithmetic function: these functions include add() and subtract().

Equality predicates: these functions cover all the equality functions for the different data types in XACML.

Logical functions: these functions operate on boolean values e.g. and() and or().

Numeric comparison functions: these functions work on numeric data types.

Higher order bag functions: these functions are great to apply other functions to bags of values e.g. AnyOf, AllOf… The map function we will discuss today belongs to this category.
The Map Function
Standard Definition
The XACML 3.0 map function is defined in the XACML 3.0 standard in Appendix A.3.12. Its identifier is:
1 
urn:oasis:names:tc:xacml:3.0:function:map 
According to the standard, “this function converts a bag of values to another bag of values”.
The map function takes in n parameters:

The first parameter is the function to be applied e.g. the arithmetic function integerAdd()

The second parameter is a bag of values of the relevant data type which in this case would have to be integer.

The remaining parameters – here only one since add() only takes 2 parameters – are atomic values of the relevant data type – integer again in this case – that are to be used along with the function onto each value of the bag in the second parameter so as to produce a bag of the same size with updated values.
ALFA Example #1
Let’s implement the example aforementioned in ALFA. First, we create 2 attributes of type integer, age and groupAges.
Then, we use them inside a XACML condition.
1 
attribute age{ <br> category = subjectCat<br> id = "age<br> type = integer<br>}<br>attribute groupAges{<br> category = subjectCat<br> id = "groupAges"<br> type = integer<br>}<br>/**<br> * This policy grants access if the user is more than 5 years older than anyone in the group<br> */<br>policy mapExample{<br> apply firstApplicable<br> rule addAge{<br> permit<br> condition age > map(function[integerAdd], groupAges, 5)<br> }<br>} 
ALFA Example #2
Assume we have an attribute called age of data type string and we want to convert it to an attribute of data type integer. We would do the following, using ALFA notation:
1 
attribute age{<br> category = subjectCat<br> id = "age"<br> type = integer<br>}<br>attribute groupAges{<br> category = subjectCat<br> id = "groupAges"<br> type = string<br>}<br>/**<br> * This policy grants access if the user is older than anyone in the group.<br> */<br>policy mapExample{<br> apply firstApplicable<br> rule addAge{<br> permit<br> condition age > map(function[integerFromString], groupAges)<br> }<br>} 
A more useful example, perhaps, is to use the map() function to normalize an entire bag of strings to lower or upper case. In this case, the code would look as:
1 
rule allowCitizen{<br> permit<br> condition<br>stringIsIn(stringNormalizeToLowerCase(stringOneAndOnly(citizenship)), map(function[stringNormalizeToLowerCase], allowedCitizenship))<br>} 
Conclusion
The map function will always output a bag of the same size and type as the main parameter being applied to. It is useful to work on all the values of the bag in one go. The map function does not care about the order of the values. Lastly, the map function is only available inside conditions. It cannot be used inside XACML targets.
The “Question of the Week” – an ongoing feature that will tackle technical and usage questions. We’ll have input from our sales engineers and customer relations teams. If you have a question to consider, please send it to webinfo@axiomatics.com.