
Attribute designators

Attribute designators serve as a bridge between policy definitions and their corresponding attribute declarations in the XACML schema. They provide a concise and consistent way to refer to specific attributes within policies, streamlining the process of translating policy rules into XACML.

Attribute designators can be further customized by including additional qualifying criteria, such as specifying a particular issuer or utilizing the mustbepresent attribute.

Consider the following examples of valid attribute designators:

  • role:

    The simplest form of designator, indicating that the role attribute should be used without any additional conditions.

  • role[mustbepresent]:

    This designator indicates that the role attribute must be present for the expression to evaluate.

  • role[issuer="Axiomatics"]:

    This designator specifically filters for the role attribute, ensuring that only values issued by Axiomatics are considered.

  • role[mustbepresent issuer="Axiomatics"]:

    This designator combines both qualifiers: the role attribute must be present, and only values issued by the entity Axiomatics are considered.

Attribute designators can be incorporated into expressions using various operators and functions. For instance, the following target clause utilizes the Attributes.resourceType attribute designator to match the value "document":

target clause Attributes.resourceType == "document"

Atomic attributes and bags

All attribute designators return multi-valued "bags". However, some functions require single values, also known as atomic values. To convert attribute designator values to atomic values, "one-and-only" functions are employed.

Consider the following example, which converts the subject's age and training period into atomic values for arithmetic operations:

integerOneAndOnly(Attributes.age) + integerOneAndOnly(Attributes.trainingPeriod) < 50

This operation assumes that the age and training period attributes each contain exactly one value. If either attribute lacks a value or contains multiple values, the one-and-only function will return an Indeterminate result.
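The designator qualifiers and the one-and-only behavior described above can be modeled in a few lines. The following Python sketch is an added illustration, not ALFA or Axiomatics code; the request layout and the helper names (designator, integer_one_and_only, evaluate, age_condition) are assumptions made for the example.

```python
# Added illustration: a minimal model of attribute-designator semantics.
# The request layout and all helper names are assumptions for this example.

class Indeterminate(Exception):
    """Models the XACML Indeterminate result (an evaluation error)."""

# Constructed sample request: attribute id -> list of (value, issuer) pairs.
REQUEST = {
    "role": [("manager", "Axiomatics"), ("auditor", "OtherIdP")],
    "age": [(34, None)],
    "trainingPeriod": [(2, None), (5, None)],  # two values, so not atomic
}

def designator(request, attr_id, issuer=None, mustbepresent=False):
    """Return the bag (list) of values a designator selects."""
    # Without an issuer qualifier, values from any issuer are kept.
    bag = [value for value, iss in request.get(attr_id, [])
           if issuer is None or iss == issuer]
    # An empty bag is only an error when mustbepresent is set.
    if mustbepresent and not bag:
        raise Indeterminate(f"{attr_id}: required attribute is missing")
    return bag

def integer_one_and_only(bag):
    """Model of integerOneAndOnly: unwrap a bag holding exactly one value."""
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, bag has {len(bag)}")
    return bag[0]

def evaluate(expr):
    """Run an expression; report evaluation errors as 'Indeterminate'."""
    try:
        return expr()
    except Indeterminate:
        return "Indeterminate"

def age_condition(request):
    """Model of: integerOneAndOnly(age) + integerOneAndOnly(trainingPeriod) < 50"""
    return evaluate(
        lambda: integer_one_and_only(designator(request, "age"))
        + integer_one_and_only(designator(request, "trainingPeriod")) < 50)
```

Note the difference for a missing attribute: without mustbepresent the designator yields an empty bag, while with mustbepresent the evaluation becomes Indeterminate.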