Add aggregate functions.

[steven-legg]

The proposal is to add XACML functions to compute the minimum, maximum, sum or average of a bag of values. These functions could be added to both XACML 3.0 and XACML 4.0.

The sum and average functions only make sense for data types that can be added, i.e., integer and double. The sum of integers would return an integer. The average of integers and the sum and average of doubles would return a double.

urn:oasis:names:tc:xacml:3.0:function:integer-sum
urn:oasis:names:tc:xacml:3.0:function:integer-average
urn:oasis:names:tc:xacml:3.0:function:double-sum
urn:oasis:names:tc:xacml:3.0:function:double-average

The minimum and maximum functions could be used with any data type that has an ordering relationship, i.e., integer, double, string, time, date and dateTime.

urn:oasis:names:tc:xacml:3.0:function:integer-minimum
urn:oasis:names:tc:xacml:3.0:function:integer-maximum
urn:oasis:names:tc:xacml:3.0:function:double-minimum
urn:oasis:names:tc:xacml:3.0:function:double-maximum
urn:oasis:names:tc:xacml:3.0:function:string-minimum
urn:oasis:names:tc:xacml:3.0:function:string-maximum
urn:oasis:names:tc:xacml:3.0:function:time-minimum
urn:oasis:names:tc:xacml:3.0:function:time-maximum
urn:oasis:names:tc:xacml:3.0:function:date-minimum
urn:oasis:names:tc:xacml:3.0:function:date-maximum
urn:oasis:names:tc:xacml:3.0:function:dateTime-minimum
urn:oasis:names:tc:xacml:3.0:function:dateTime-maximum

[humantypo]

An interesting idea. Do you have some specific use cases in mind?

[steven-legg]

I thought about adding aggregates in the Entities profile to match more of the capabilities of XPath but didn't have a need at the time. Now I might have one. I've been looking at the processing of NATO confidentiality labels (a structured type) where there is an original label and an optional succession label that overrides at a later time. The references don't specify if there can be more than one succession label, but the XSD allows it. The PEP converts the XML confidentiality labels to XACML entities. If multiple succession labels are allowed then I want to choose the activated one with the latest time. The dateTime-maximum function would let me determine this latest time and I can use the Select expression from the Entities profile to pick just the label with that time (or otherwise ignore the labels that don't have this time).

[steven-legg]

The aggregate functions aren't defined if the input bag is empty. They could evaluate to Indeterminate in that case, though I don't like it.

The XPath aggregate functions avoid throwing an error by returning an empty sequence. We can't mix return data types, but we could have the functions return a bag that is either empty (because the input is empty) or contains a single value that is the computed result.

[steven-legg]

Another alternative is to add a second argument that specifies the primitive return value if the bag is empty. The second argument has the same type as the return type and the type in the bag.

Examples:

<Apply  FunctionId="urn:oasis:names:tc:xacml:3.0:function:double-average">
  <AttributeDesignator
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
    AttributeId="http://example.com/threat-levels"
    DataType="http://www.w3.org/2001/XMLSchema#double"  MustBePresent="false"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double"
    >0.5</AttributeValue>
</Apply>

<Apply  FunctionId="urn:oasis:names:tc:xacml:3.0:function:dateTime-minimum">
  <AttributeDesignator
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
    AttributeId="http://example.com/activation-times"
    DataType="http://www.w3.org/2001/XMLSchema#dateTime"  MustBePresent="false"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime"
    >2030-01-01T12:00:00Z</AttributeValue>
</Apply>

The second argument should only be evaluated if the first argument is empty. If a policy writer really wants the result to be Indeterminate in that case then they can purposely make the second argument evaluate to Indeterminate without disrupting the non-empty case.