XACML Version 2.0 Conformance Tests (draft)

Version: 0.5, Oct 13, 2005

Author: Argyn Kuketayev

Contributors: Anne Anderson, Satoshi Hada, John Merrells, Jin Peng, Seth Proctor, Argyn Kuketayev

This document describes and provides links to a suite of tests intended to aid implementers in conforming to the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard.

Contents

  1. Description of Tests
    1. Test Case Groupings
    2. How to Use the Tests
    3. Preparing Tests for Execution
    4. Contributions of New Tests
    5. Bugs in the Tests
  2. Mandatory-to-Implement Functionality Tests
    1. Attribute References
    2. Target Matching
    3. Function Evaluation
    4. Combining Algorithms
    5. Schema components
    6. XACML 2.0 new features
  3. Optional, but Normative Functionality Tests
    1. Obligations
    2. DefaultsType
    3. Hierarchical Resources
    4. <ResourceContent> Element
    5. Multiple Decisions
    6. Attribute Selectors
    7. Non-mandatory Functions

  1. Description of Tests

    These tests are provided as an aid in achieving conformance to the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard. The tests may aid in determining whether an implementation is correctly interpreting the intent of the XACML Version 2.0 specification, and may provide a basic level of interoperability testing.

    These tests are non-normative and do not constitute a full test of conformance to the XACML Version 2.0 Standard. A full description of the requirements for conformance is included in Section 10. Conformance of the XACML Version 2.0 specification. There is no OASIS- or XACML TC- sponsored branding or certification program for XACML.

    IMPORTANT NOTE

    The tests in this suite were converted to comply with XACML 2.0 from the conformance test suite for XACML 1.0 and 1.1. Conversion was done by using pattern matching/replacement scripts. All tests passed schema validation successfully against normative schemas for Context and Policy of XACML 2.0.

    History of changes since XACML 2.0

    Version 0.1
    Version 0.2
    Version 0.3
    Version 0.4
    Version 0.4

    1. Test Case Groupings

      Tests are divided into those that exercise Mandatory-to-Implement functionality and those that exercise Optional, but normative functionality. All implementations that claim conformance to the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard MUST support all Mandatory-to-Implement functionality as described in the XACML Version 2.0 specification. Conforming implementations MAY additionally support various Optional functionality areas.

      Tests are divided into groups based on the primary area of functionality or schema being exercised.

      Each test case consists of three XML documents (or sets of documents):

      1. An XACML Request
      2. An XACML Policy or set of Policy documents
      3. An XACML Response

      Each XML document is named according to the section of this document in which it occurs. For example, the XML documents for the test in Part II (Mandatory to implement), Section B (Target Matching), Test Case 8 (Case: match: multiple actions) are named:

    2. How to Use the Tests

      An implementation of an XACML Policy Decision Point (PDP) should be able to:

      1. Accept the given Request, or input consistent with the given Request, as input.
      2. Accept the given Policy or Policies (these files may contain one or more XACML Policies or PolicySets) as input.
      3. Produce the given Response, or output consistent with the given Response, as output.

      Explanation of consistent with:

      The request and response used in executing these tests need not be instances of the XACML Context Schema. The request and response should, however, contain exactly the same information as the given Request and Response file, and should exercise the XACML policy evaluation functionality that the test is intended to exercise. It should be possible, at least conceptually, to mechanically convert the request and response used in the implementation to the given XACML Request and Response instances.

    3. Preparing Tests for Execution

      In general, for each test,

      1. Either,
        1. store the *Policy.xml file for the given test in the repository you use for policies, such that the specified *Policy.xml is the only policy that will be retrieved by the PDP, or
        2. configure the PDP with the *Policy.xml file as its initial policy.

      2. Send the *Request.xml file (or its semantic equivalent in your system) to the Context Handler component of the XACML PDP via your access control decision request API.

      3. Compare the result returned from the PDP with the specified *Response.xml file (or its semantic equivalent in your system).

      4. The test passes if your system's result is semantically equivalent to the specified *Response.xml file.

      Some of the tests have special instructions associated with them. They modify the instructions given above for the given test.
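
The comparison in steps 3 and 4 can be automated; the following is an added example, not part of the original test suite, that reduces each Response to its decision-relevant content and compares the results. Its notion of "semantically equivalent" is an assumption of this example: elements are matched by local name regardless of namespace prefix, an omitted `<Status>` is treated as `ok`, `<StatusMessage>` and `<StatusDetail>` are ignored, and the order of Results and Obligations is not significant. The `pdp` callable and the sample responses are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"


def _local(tag):
    """Strip '{namespace}' so prefixes and schema versions do not affect matching."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _obligations(result):
    """Order-independent view of the obligations attached to one <Result>."""
    found = set()
    for container in _children(result, "Obligations"):
        for ob in _children(container, "Obligation"):
            assignments = frozenset(
                (a.get("AttributeId"), a.get("DataType"), (a.text or "").strip())
                for a in _children(ob, "AttributeAssignment")
            )
            found.add((ob.get("ObligationId"), ob.get("FulfillOn"), assignments))
    return frozenset(found)


def summarize(response_xml):
    """Reduce a Response to a multiset of (ResourceId, Decision, status, obligations)."""
    root = ET.fromstring(response_xml.strip())
    if _local(root.tag) != "Response":
        raise ValueError("root element is not <Response>")
    summary = Counter()
    for result in _children(root, "Result"):
        decisions = _children(result, "Decision")
        if len(decisions) != 1 or not (decisions[0].text or "").strip():
            raise ValueError("each <Result> needs exactly one non-empty <Decision>")
        status = STATUS_OK  # assumption: an omitted <Status> means "ok"
        for st in _children(result, "Status"):
            for code in _children(st, "StatusCode"):
                status = code.get("Value")  # top-level code only; text is ignored
        key = (result.get("ResourceId"), decisions[0].text.strip(),
               status, _obligations(result))
        summary[key] += 1
    if not summary:
        raise ValueError("<Response> contains no <Result>")
    return summary


def semantically_equivalent(expected_xml, actual_xml):
    return summarize(expected_xml) == summarize(actual_xml)


def run_case(pdp, policy_xml, request_xml, expected_response_xml):
    """Run one test case. `pdp` is a hypothetical callable
    (policy_xml, request_xml) -> response_xml wrapping the PDP under test."""
    expected = summarize(expected_response_xml)  # a broken suite file should raise
    try:
        return summarize(pdp(policy_xml, request_xml)) == expected
    except (ET.ParseError, ValueError):
        return False  # output that cannot be mapped to a Response fails the test


# Constructed sample: a Response in the shape the suite's *Response.xml files use.
EXPECTED_PERMIT = """
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
"""

# Constructed sample: same information, different prefix, layout and status text.
ACTUAL_PERMIT = (
    '<ctx:Response xmlns:ctx="urn:oasis:names:tc:xacml:2.0:context:schema:os">'
    "<ctx:Result><ctx:Decision>Permit</ctx:Decision><ctx:Status>"
    '<ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>'
    "<ctx:StatusMessage>evaluated 1 policy</ctx:StatusMessage>"
    "</ctx:Status></ctx:Result></ctx:Response>"
)

# Constructed sample: a PDP that failed during evaluation.
ACTUAL_INDETERMINATE = (
    '<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"><Result>'
    "<Decision>Indeterminate</Decision><Status>"
    '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>'
    "</Status></Result></Response>"
)

if __name__ == "__main__":
    print(semantically_equivalent(EXPECTED_PERMIT, ACTUAL_PERMIT))
    print(semantically_equivalent(EXPECTED_PERMIT, ACTUAL_INDETERMINATE))
```
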

    4. Contributions of New Tests

      Any XACML implementer may contribute additional conformance tests by submitting them to the xacml-comment@lists.oasis-open.org mailing list. Such contributions will be incorporated into the test suite on the next update.

      While this suite of tests is non-normative, we hope the suite will represent a general consensus as to the intent of the XACML Version 2.0 Standard. For this reason, contributed tests are marked **EXPERIMENTAL** until the tests have undergone successful review and use, defined as follows:

      1. a reasonable review period has elapsed since submission, and
      2. several implementers have reported successful execution of these tests to xacml-comment@lists.oasis-open.org, and
      3. no objections to the test have been reported to the xacml-comment mailing list.

      Once the tests have undergone successful review and use, then the **EXPERIMENTAL** status will be removed.

      If an objection is reported on the xacml-comment mailing list to an **EXPERIMENTAL** test during the review period, then the test will be removed from the test suite on the next update unless the XACML TC upholds the objection. It is up to the test submitter to request review by the TC, and it is up to the TC to decide whether or not to review a test.

      If an objection is reported to a test that is no longer **EXPERIMENTAL**, the objection is treated as a bug. See Bugs in the Tests for a description of how bugs are handled.

    5. Bugs in the Tests

      Following are the known bugs:

      1. The <Description> in many *Policy.xml files is incorrect: instead of "read or write Bart Simpson's medical record", the description should say "perform any action on any resource".

      If you believe any test does not correctly interpret the intent of the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard, or if you find any additional errors in these tests, please submit a report to the xacml-comment@lists.oasis-open.org mailing list. Absent any objections to a bug report, minor bugs may be fixed at the test editor's discretion in the next test suite update.

      Major or controversial bugs reported against non-**EXPERIMENTAL** tests will be reviewed by the XACML TC. If the TC agrees that the test does not conform to the intent of the XACML Version 2.0 Standard, then the test will be modified or removed as appropriate on the next test suite update.

      Major or controversial bugs reported against tests marked **EXPERIMENTAL** will be treated as an objection to the test. See Contributions of New Tests for the handling of such objections.

      Periodically, an updated copy of the entire Conformance Test Suite, containing all corrections to date, will be posted to the XACML TC Web Site.


  2. Mandatory-to-Implement Functionality Tests

    This section contains tests of all mandatory-to-implement functionality. All implementations that conform to the XACML Version 2.0 Standard should pass all these tests except as explained in any associated Special Instructions (<test ID>Special.txt) file.

    1. Attribute References

      These tests exercise referencing of attribute values in the Request by a policy.

      1. Case: Simple type attribute element present in Request Request,Policy,Response
      2. Case: Simple type attribute element not present in original decision Request, but retrievable from Attribute repository Request,Policy,Response, Special Instructions
      3. Case: Simple type attribute element not present in Request and not retrievable by Attribute Authority Request,Policy,Response
      4. Case: INVALID syntax for Attribute Designator Request,Policy,Response,Special Instructions
      5. Case: INVALID syntax for Request attribute Request,Policy,Response
      6. Case: TRUE: "MustBePresent" XML attribute in Target Designator Request,Policy,Response
      7. Case: FALSE: "MustBePresent" XML attribute in Target Designator Request,Policy,Response
      8. Case: TRUE: "MustBePresent" XML attribute in Condition Designator Request,Policy,Response
      9. Case: FALSE: "MustBePresent" XML attribute in Condition Designator Request,Policy,Response
      10. Case: Permit: Multiple attributes match except for DataType Request,Policy,Response
      11. Case: Indeterminate: Multiple attributes match except for DataType Request,Policy,Response
      12. Case: Permit: Multiple subjects with same subject-category: different attribute in each Request,Policy,Response
      13. Case: Indeterminate: Multiple subjects with same subject-category: same attributes in each Request,Policy,Response
      14. Case: Permit: SubjectAttributeDesignator with SubjectCategory XML attribute Request,Policy,Response
      15. Case: Permit: SubjectAttributeDesignator without SubjectCategory XML attribute Request,Policy,Response
      16. Case: explicit environment:current-time attribute. Updates: Rule description is modified to match the condition. Aug 11, 2005 - Argyn Kuketayev. Request,Policy,Response
      17. Case: implicit environment:current-time attribute Request,Policy,Response
      18. Case: explicit environment:current-date attribute Request,Policy,Response
      19. Case: implicit environment:current-date attribute Request,Policy,Response
      20. Case: explicit environment:current-dateTime attribute Request,Policy,Response
      21. Case: implicit environment:current-dateTime attribute Request,Policy,Response

    2. Target Matching

      These tests exercise various forms of Target matching.

      1. Case: match: anySubject, anyResource, anyAction Request,Policy,Response

      2. Case: match: anySubject, anyResource, specified Action value Request,Policy,Response
      3. Case: no match: anySubject, anyResource, specified Action value Request,Policy,Response
      4. Case: match: anySubject, anyResource, two specified Action attributes Request,Policy,Response
      5. Case: no match: anySubject, anyResource, two specified Action attributes Request,Policy,Response
      6. Case: match: impliedAction Request,Policy,Response
      7. Case: no match: impliedAction Request,Policy,Response
      8. Case: match: multiple actions Request,Policy,Response
      9. Case: no match: multiple actions Request,Policy,Response

      10. Case: match: Subject with specific SubjectCategory Request,Policy,Response
      11. Case: no match: Subject with specific SubjectCategory Request,Policy,Response
      12. Case: match: Subject with specific SubjectId value Request,Policy,Response
      13. Case: no match: Subject with specific SubjectID value Request,Policy,Response
      14. Case: match: Subject with non-string SubjectId DataType and value Request,Policy,Response
      15. Case: no match: Subject with non-string SubjectId DataType and value Request,Policy,Response
      16. Case: match: Subject with specific KeyInfo value Request,Policy,Response
      17. Case: no match: Subject with specific KeyInfo value Request,Policy,Response
      18. Case: match: Subject AttributeId Request,Policy,Response
      19. Case: no match: Subject AttributeId Request,Policy,Response
      20. Case: match: Subject AttributeId and Issuer Request,Policy,Response
      21. Case: no match: Subject AttributeId and Issuer Request,Policy,Response
      22. Case: match: Subject AttributeId and IssueInstant Request,Policy,Response
      23. Case: no match: Subject AttributeId and IssueInstant Request,Policy,Response
      24. Case: match: Subject AttributeId, Issuer, and IssueInstant Request,Policy,Response
      25. Case: no match: Subject AttributeId, Issuer, and IssueInstant Request,Policy,Response
      26. Case: match: Subject identifier value and attribute value Request,Policy,Response
      27. Case: no match: Subject identifier value and attribute value Request,Policy,Response
      28. Case: match: multiple Subjects Request,Policy,Response
      29. Case: no match: multiple Subjects Request,Policy,Response

      30. Case: match: ResourceId Request,Policy,Response
      31. Case: no match: ResourceId Request,Policy,Response
      32. Case: match: ResourceId with specific DataType Request,Policy,Response
      33. Case: no match: ResourceId with specific DataType Request,Policy,Response
      34. Case: match: Resource AttributeId Request,Policy,Response
      35. Case: no match: Resource AttributeId Request,Policy,Response
      36. Case: match: Resource AttributeId and Issuer Request,Policy,Response
      37. Case: no match: Resource AttributeId and Issuer Request,Policy,Response
      38. Case: match: Resource AttributeId and IssueInstant Request,Policy,Response
      39. Case: no match: Resource AttributeId and IssueInstant Request,Policy,Response
      40. Case: match: Resource AttributeId, Issuer, and IssueInstant Request,Policy,Response
      41. Case: no match: Resource AttributeId, Issuer, and IssueInstant Request,Policy,Response
      42. Case: match: Resource identifier value and attribute value Request,Policy,Response
      43. Case: no match: Resource identifier value and attribute value Request,Policy,Response
      44. Case: match: multiple resources Request,Policy,Response
      45. Case: no match: multiple resources Request,Policy,Response

      46. Case: match: specified Subject and Resource Request,Policy,Response
      47. Case: no match: specified Subject and Resource Request,Policy,Response
      48. Case: match: specified Subject, Action Request,Policy,Response
      49. Case: no match: specified Subject, Action Request,Policy,Response
      50. Case: match: specified Resource, Action Request,Policy,Response
      51. Case: no match: specified Resource, Action Request,Policy,Response
      52. Case: match: specified Subject, Resource, Action Request,Policy,Response
      53. Case: no match: specified Subject, Resource, Action Request,Policy,Response

    3. Function Evaluation

      These tests exercise each of the mandatory-to-implement functions.

        GENERAL APPLY TESTS
      1. Case: Apply with Apply argument Request,Policy,Response
      2. Case: Apply with AttributeValue argument Request,Policy,Response
      3. Case: Apply with single-element bag where function expects primitive type Request, Policy, Response, Special Instructions
      4. Case: Apply with SubjectAttributeDesignator argument Request,Policy,Response
      5. Case: Apply with ResourceAttributeDesignator argument Request,Policy,Response
      6. Case: Apply with ActionAttributeDesignator argument Request,Policy,Response
      7. Case: Apply with EnvironmentAttributeDesignator argument Request,Policy,Response
      8. Case: Apply with empty bag argument Request,Policy,Response
      9. Case: Apply with multiple-element bag argument Request,Policy,Response
      10. Case: true: Condition Evaluation Request,Policy,Response
      11. Case: false: Condition Evaluation Request,Policy,Response
      12. Case: ERROR: Condition Evaluation - non-boolean datatype Request,Policy,Response, Special Instructions

        ARITHMETIC FUNCTIONS

      13. Case: function:integer-add Request,Policy,Response
      14. Case: ERROR: function:integer-add - non-integer datatype Request,Policy,Response, Special Instructions
      15. Case: function:double-add Request,Policy,Response
      16. Case: function:integer-subtract Request,Policy,Response
      17. Case: function:double-subtract Request,Policy,Response
      18. Case: function:integer-multiply Request,Policy,Response
      19. Case: function:double-multiply Request,Policy,Response
      20. Case: function:integer-divide Request,Policy,Response
      21. Case: function:double-divide Request,Policy,Response
      22. Case: function:integer-mod Request,Policy,Response
      23. Case: function:double-mod: IIC023*.xml: TEST DELETED
      24. Case: function:round Request,Policy,Response
      25. Case: function:floor Request,Policy,Response
      26. Case: function:integer-abs Request,Policy,Response
      27. Case: function:double-abs Request,Policy,Response

        ARITHMETIC CONVERSION FUNCTIONS

      28. Case: function:double-to-integer Request,Policy,Response
      29. Case: function:integer-to-double Request,Policy,Response

        EQUALITY FUNCTIONS

      30. Case: true: function:integer-equal Request,Policy,Response
      31. Case: false: function:integer-equal Request,Policy,Response
      32. Case: true: function:double-equal Request,Policy,Response
      33. Case: false: function:double-equal Request,Policy,Response
      34. Case: true: function:boolean-equal Request,Policy,Response
      35. Case: false: function:boolean-equal Request,Policy,Response
      36. Case: true: function:string-equal Request,Policy,Response
      37. Case: false: function:string-equal Request,Policy,Response
      38. Case: true: function:rfc822Name-equal Request,Policy,Response
      39. Case: false: function:rfc822Name-equal Request,Policy,Response
      40. Case: true: function:x500Name-equal Request,Policy,Response
      41. Case: false: function:x500Name-equal Request,Policy,Response
      42. Case: true: function:date-equal Request,Policy,Response
      43. Case: false: function:date-equal Request,Policy,Response
      44. Case: true: function:time-equal Request,Policy,Response
      45. Case: false: function:time-equal Request,Policy,Response
      46. Case: true: function:dateTime-equal Request,Policy,Response
      47. Case: false: function:dateTime-equal Request,Policy,Response
      48. Case: true: function:hexBinary-equal Request,Policy,Response
      49. Case: false: function:hexBinary-equal Request,Policy,Response
      50. Case: true: function:base64Binary-equal Request,Policy,Response
      51. Case: false: function:base64Binary-equal Request,Policy,Response
      52. Case: true: function:anyURI-equal Request,Policy,Response
      53. Case: false: function:anyURI-equal Request,Policy,Response
      54. Case: true: function:QName-equal: IIC054*.xml: TEST DELETED
      55. Case: false: function:QName-equal: IIC055*.xml: TEST DELETED

        See also DURATION-EQUALS TESTS below.

        String-regexp-match FUNCTION

      56. Case: true: function:string-regexp-match Request,Policy,Response
      57. Case: false: function:string-regexp-match Request,Policy,Response

        COMPARISON FUNCTIONS: GREATER THAN, GREATER THAN OR EQUAL

      58. Case: true: function:integer-greater-than Request,Policy,Response
      59. Case: false: function:integer-greater-than Request,Policy,Response
      60. Case: true: function:double-greater-than Request,Policy,Response
      61. Case: false: function:double-greater-than Request,Policy,Response
      62. Case: true: function:string-greater-than Request,Policy,Response
      63. Case: false: function:string-greater-than Request,Policy,Response
      64. Case: true: function:date-greater-than Request,Policy,Response
      65. Case: false: function:date-greater-than Request,Policy,Response
      66. Case: true: function:time-greater-than Request,Policy,Response
      67. Case: false: function:time-greater-than Request,Policy,Response
      68. Case: true: function:dateTime-greater-than Request,Policy,Response
      69. Case: false: function:dateTime-greater-than Request,Policy,Response
      70. Case: true: function:integer-greater-than-or-equal Request,Policy,Response
      71. Case: false: function:integer-greater-than-or-equal Request,Policy,Response
      72. Case: true: function:double-greater-than-or-equal Request,Policy,Response
      73. Case: false: function:double-greater-than-or-equal Request,Policy,Response
      74. Case: true: function:string-greater-than-or-equal Request,Policy,Response
      75. Case: false: function:string-greater-than-or-equal Request,Policy,Response
      76. Case: true: function:date-greater-than-or-equal Request,Policy,Response
      77. Case: false: function:date-greater-than-or-equal Request,Policy,Response
      78. Case: true: function:time-greater-than-or-equal Request,Policy,Response
      79. Case: false: function:time-greater-than-or-equal Request,Policy,Response
      80. Case: true: function:dateTime-greater-than-or-equal Request,Policy,Response
      81. Case: false: function:dateTime-greater-than-or-equal Request,Policy,Response

        rfc822Name and x500Name MATCHING FUNCTIONS

      82. Case: true: function:rfc822Name-match Request,Policy,Response
      83. Case: false: function:rfc822Name-match Request,Policy,Response
      84. Case: true: function:x500Name-match Request,Policy,Response
      85. Case: false: function:x500Name-match Request,Policy,Response

        LOGICAL FUNCTIONS

      86. Case: true: function:and Request,Policy,Response
      87. Case: false: function:and Request,Policy,Response
      88. Case: true: function:ordered-and: IIC088*.xml: TEST DELETED
      89. Case: false: function:ordered-and: IIC089*.xml: TEST DELETED
      90. Case: true: function:or Request,Policy,Response
      91. Case: false: function:or Request,Policy,Response
      92. Case: true: function:ordered-or: IIC092*.xml: TEST DELETED
      93. Case: false: function:ordered-or: IIC093*.xml: TEST DELETED
      94. Case: true: function:n-of Request,Policy,Response
      95. Case: false: function:n-of Request,Policy,Response
      96. Case: true: function:not Request,Policy,Response
      97. Case: false: function:not Request,Policy,Response
      98. Case: true: function:present: IIC098*.xml: TEST DELETED
      99. Case: false: function:present: IIC099*.xml: TEST DELETED

        STRING NORMALIZATION FUNCTIONS

      100. Case: function:string-normalize-space Request,Policy,Response
      101. Case: function:string-normalize-to-lower-case Request,Policy,Response

        DURATION FUNCTIONS

      102. Case: function:dateTime-add-dayTimeDuration Request,Policy,Response
      103. Case: function:dateTime-add-yearMonthDuration Request,Policy,Response
      104. Case: function:dateTime-subtract-dayTimeDuration Request,Policy,Response
      105. Case: function:dateTime-subtract-yearMonthDuration Request,Policy,Response
      106. Case: function:date-add-yearMonthDuration Request,Policy,Response
      107. Case: function:date-subtract-yearMonthDuration Request,Policy,Response

        See also DURATION-EQUALS TESTS below.

        COMPARISON FUNCTIONS: LESS THAN, LESS THAN OR EQUAL

      108. Case: function:string-less-than Request,Policy,Response
      109. Case: function:string-less-than-or-equal Request,Policy,Response
      110. Case: function:integer-less-than Request,Policy,Response
      111. Case: function:double-less-than Request,Policy,Response
      112. Case: function:integer-less-than-or-equal Request,Policy,Response
      113. Case: function:double-less-than-or-equal Request,Policy,Response
      114. Case: function:time-less-than Request,Policy,Response
      115. Case: function:time-less-than-or-equal Request,Policy,Response
      116. Case: function:dateTime-less-than Request,Policy,Response
      117. Case: function:dateTime-less-than-or-equal Request,Policy,Response
      118. Case: function:date-less-than Request,Policy,Response
      119. Case: function:date-less-than-or-equal Request,Policy,Response

        BAG FUNCTIONS

      120. Case: function:string-bag-size Request,Policy,Response
      121. Case: function:string-bag Request,Policy,Response
      122. Case: function:boolean-one-and-only Request,Policy,Response
      123. Case: function:boolean-bag-size Request,Policy,Response
      124. Case: function:boolean-is-in Request,Policy,Response
      125. Case: function:boolean-bag Request,Policy,Response
      126. Case: function:integer-bag-size Request,Policy,Response
      127. Case: function:integer-is-in Request,Policy,Response
      128. Case: function:integer-bag Request,Policy,Response
      129. Case: function:double-bag-size Request,Policy,Response
      130. Case: function:double-is-in Request,Policy,Response
      131. Case: function:double-bag Request,Policy,Response
      132. Case: function:date-bag-size Request,Policy,Response
      133. Case: function:date-is-in Request,Policy,Response
      134. Case: function:date-bag Request,Policy,Response
      135. Case: function:time-bag-size Request,Policy,Response
      136. Case: function:time-is-in Request,Policy,Response
      137. Case: function:time-bag Request,Policy,Response
      138. Case: function:dateTime-bag-size Request,Policy,Response
      139. Case: function:dateTime-is-in Request,Policy,Response
      140. Case: function:dateTime-bag Request,Policy,Response
      141. Case: function:anyURI-bag-size Request,Policy,Response
      142. Case: function:anyURI-is-in Request,Policy,Response
      143. Case: function:anyURI-bag Request,Policy,Response
      144. Case: function:hexBinary-bag-size Request,Policy,Response
      145. Case: function:hexBinary-is-in Request,Policy,Response
      146. Case: function:hexBinary-bag Request,Policy,Response
      147. Case: function:base64Binary-bag-size Request,Policy,Response
      148. Case: function:base64Binary-is-in Request,Policy,Response
      149. Case: function:base64Binary-bag Request,Policy,Response
      150. Case: function:dayTimeDuration-one-and-only Request,Policy,Response
      151. Case: function:dayTimeDuration-bag-size Request,Policy,Response
      152. Case: function:dayTimeDuration-is-in Request,Policy,Response
      153. Case: function:dayTimeDuration-bag Request,Policy,Response
      154. Case: function:yearMonthDuration-one-and-only Request,Policy,Response
      155. Case: function:yearMonthDuration-bag-size Request,Policy,Response
      156. Case: function:yearMonthDuration-is-in Request,Policy,Response
      157. Case: function:yearMonthDuration-bag Request,Policy,Response
      158. Case: function:x500Name-bag-size Request,Policy,Response
      159. Case: function:x500Name-is-in Request,Policy,Response
      160. Case: function:x500Name-bag Request,Policy,Response
      161. Case: function:rfc822Name-bag-size Request,Policy,Response
      162. Case: function:rfc822Name-is-in Request,Policy,Response
      163. Case: function:rfc822Name-bag Request,Policy,Response

        HIGHER-ORDER BAG FUNCTIONS

      164. Case: function:any-of Request,Policy,Response
      165. Case: function:all-of Request,Policy,Response
      166. Case: function:any-of-any Request,Policy,Response
      167. Case: function:all-of-any Request,Policy,Response
      168. Case: function:any-of-all Request,Policy,Response
      169. Case: function:all-of-all Request,Policy,Response
      170. Case: function:map Request,Policy,Response

        SET FUNCTIONS

      171. Case: function:string-intersection Request,Policy,Response
      172. Case: function:string-at-least-one-member-of Request,Policy,Response
      173. Case: function:string-union Request,Policy,Response
      174. Case: function:string-subset Request,Policy,Response
      175. Case: function:string-set-equals Request,Policy,Response
      176. Case: function:boolean-intersection Request,Policy,Response
      177. Case: function:boolean-at-least-one-member-of Request,Policy,Response
      178. Case: function:boolean-union Request,Policy,Response
      179. Case: function:boolean-subset Request,Policy,Response
      180. Case: function:boolean-set-equals Request,Policy,Response
      181. Case: function:integer-intersection Request,Policy,Response
      182. Case: function:integer-at-least-one-member-of Request,Policy,Response
      183. Case: function:integer-union Request,Policy,Response
      184. Case: function:integer-subset Request,Policy,Response
      185. Case: function:integer-set-equals Request,Policy,Response
      186. Case: function:double-intersection Request,Policy,Response
      187. Case: function:double-at-least-one-member-of Request,Policy,Response
      188. Case: function:double-union Request,Policy,Response
      189. Case: function:double-subset Request,Policy,Response
      190. Case: function:double-set-equals Request,Policy,Response
      191. Case: function:date-intersection Request,Policy,Response
      192. Case: function:date-at-least-one-member-of Request,Policy,Response
      193. Case: function:date-union Request,Policy,Response
      194. Case: function:date-subset Request,Policy,Response
      195. Case: function:date-set-equals Request,Policy,Response
      196. Case: function:time-intersection Request,Policy,Response
      197. Case: function:time-at-least-one-member-of Request,Policy,Response
      198. Case: function:time-union Request,Policy,Response
      199. Case: function:time-subset Request,Policy,Response
      200. Case: function:time-set-equals Request,Policy,Response
      201. Case: function:dateTime-intersection Request,Policy,Response
      202. Case: function:dateTime-at-least-one-member-of Request,Policy,Response
      203. Case: function:dateTime-union Request,Policy,Response
      204. Case: function:dateTime-subset Request,Policy,Response
      205. Case: function:dateTime-set-equals Request,Policy,Response
      206. Case: function:anyURI-intersection Request,Policy,Response
      207. Case: function:anyURI-at-least-one-member-of Request,Policy,Response
      208. Case: function:anyURI-union Request,Policy,Response
      209. Case: function:anyURI-subset Request,Policy,Response
      210. Case: function:anyURI-set-equals Request,Policy,Response
      211. Case: function:x500Name-intersection Request,Policy,Response
      212. Case: function:x500Name-at-least-one-member-of Request,Policy,Response
      213. Case: function:x500Name-union Request,Policy,Response
      214. Case: function:x500Name-subset Request,Policy,Response
      215. Case: function:x500Name-set-equals Request,Policy,Response
      216. Case: function:rfc822Name-intersection Request,Policy,Response
      217. Case: function:rfc822Name-at-least-one-member-of Request,Policy,Response
      218. Case: function:rfc822Name-union Request,Policy,Response
      219. Case: function:rfc822Name-subset Request,Policy,Response
      220. Case: function:rfc822Name-set-equals Request,Policy,Response
      221. Case: function:hexBinary-intersection Request,Policy,Response
      222. Case: function:hexBinary-at-least-one-member-of Request,Policy,Response
      223. Case: function:hexBinary-union Request,Policy,Response
      224. Case: function:hexBinary-subset Request,Policy,Response
      225. Case: function:hexBinary-set-equals Request,Policy,Response
      226. Case: function:base64Binary-intersection Request,Policy,Response
      227. Case: function:base64Binary-at-least-one-member-of Request,Policy,Response
      228. Case: function:base64Binary-union Request,Policy,Response
      229. Case: function:base64Binary-subset Request,Policy,Response
      230. Case: function:base64Binary-set-equals Request,Policy,Response

        DURATION-EQUALS TESTS

      231. Case: function:dayTimeDuration-equals
        **EXPERIMENTAL**
        Contributed by Anne Anderson <Anne.Anderson@Sun.COM>. Added to this test suite 27 February 2003.
        Request,Policy,Response
      232. Case: function:yearMonthDuration-equals
        **EXPERIMENTAL**
        Contributed by Anne Anderson <Anne.Anderson@Sun.COM>. Added to this test suite 27 February 2003.
        Request,Policy,Response

    4. Combining Algorithms
      These tests exercise each of the mandatory Combining Algorithms.

      1. Case: Permit: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      2. Case: Deny: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      3. Case: NotApplicable: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      4. Case: Indeterminate: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      5. Case: Permit: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      6. Case: Deny: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      7. Case: NotApplicable: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      8. Case: Another Deny (can't return Indeterminate): PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      9. Case: Permit: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      10. Case: Deny: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      11. Case: NotApplicable: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      12. Case: Indeterminate: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      13. Case: Permit: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      14. Case: Deny: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      15. Case: NotApplicable: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      16. Case: Indeterminate: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      17. Case: Permit: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      18. Case: Deny: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      19. Case: NotApplicable: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      20. Case: Indeterminate: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      21. Case: Permit: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      22. Case: Deny: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      23. Case: NotApplicable: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      24. Case: Indeterminate: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      25. Case: Permit: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      26. Case: Deny: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      27. Case: NotApplicable: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      28. Case: Indeterminate: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      29. Case: Permit: Multiple initial policies, but only one applies Request, Policy1, Policy2, Response, Special Instructions
      30. Case: Indeterminate: Multiple initial policies, more than one applies Request, Policy1, Policy2, Response, Special Instructions

    5. Schema components
      This section lists test cases for certain elements of the schema not exercised by test cases above.

      1. Case: policy element PolicySetIdReference Request,Policy,PolicyId1,PolicySetId1,Response,Special Instructions
      2. Case: policy element PolicyIdReference Request,Policy,PolicyId1,PolicySetId1,Response,Special Instructions
      3. Case: PolicyIdReference to invalid, but non-evaluated, Policy
        **EXPERIMENTAL**
        Contributed by Anne Anderson <Anne.Anderson@Sun.COM>. Added to this test suite 27 February 2003.
        Request,Policy,PolicyId1,PolicyId2,Response,Special Instructions

    6. XACML 2.0 new features
      This section lists test cases for certain new features introduced in the XACML 2.0 specification.

      1. Case: policy element PolicySetIdReference **EXPERIMENTAL**
        Contributed by Argyn Kuketayev. Added to this test suite 13 October 2005.
        Request,Policy,Response

  3. Optional, but Normative Functionality Tests
    These tests exercise areas of functionality that are not mandatory-to-implement, but that are normative when implemented. Submissions of tests for this section are invited.

      1. Obligations
        These tests exercise obligations (Special Instructions).

          For rule combining algorithms:

        1. Case: Permit: RuleCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        2. Case: Deny: RuleCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        3. Case: NotApplicable: RuleCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        4. Case: Indeterminate: RuleCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        5. Case: Permit: RuleCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        6. Case: Deny: RuleCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        7. Case: NotApplicable: RuleCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        8. Case: Indeterminate: RuleCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        9. Case: Permit: RuleCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        10. Case: Deny: RuleCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        11. Case: NotApplicable: RuleCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        12. Case: Indeterminate: RuleCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response

          For policy combining algorithms:

        13. Case: Permit: PolicyCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        14. Case: Deny: PolicyCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        15. Case: NotApplicable: PolicyCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        16. Case: Another Deny (can't return Indeterminate): PolicyCombiningAlgorithm DenyOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        17. Case: Permit: PolicyCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        18. Case: Deny: PolicyCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        19. Case: NotApplicable: PolicyCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        20. Case: Indeterminate: PolicyCombiningAlgorithm PermitOverrides
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        21. Case: Permit: PolicyCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        22. Case: Deny: PolicyCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        23. Case: NotApplicable: PolicyCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        24. Case: Indeterminate: PolicyCombiningAlgorithm FirstApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        25. Case: Permit: PolicyCombiningAlgorithm OnlyOneApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        26. Case: Deny: PolicyCombiningAlgorithm OnlyOneApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        27. Case: NotApplicable: PolicyCombiningAlgorithm OnlyOneApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response
        28. Case: Indeterminate: PolicyCombiningAlgorithm OnlyOneApplicable
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
          Request,Policy,Response

      2. DefaultsType
        1. Case: PolicySetDefaults XPathVersion
        2. Case: PolicyDefaults XPathVersion
        3. Case: PolicyDefaults XPathVersion differs from parent PolicySetDefaults XPathVersion

      3. Hierarchical Resources
        These tests exercise policy evaluation for hierarchical resources (Special Instructions).

        1. Case: Scope="Immediate"
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 26 February 2003.
          Request,Policy,Response
        2. Case: Scope="Children"
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 26 February 2003.
          Request,Policy,Response
        3. Case: Scope="Descendants"
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 26 February 2003.
          Request,Policy,Response

      4. <ResourceContent> Element

      5. Multiple Decisions

      6. Attribute Selectors
        These tests exercise attribute selectors (Special Instructions).

        1. Case: PRESENT: "MustBePresent" attribute in Target Attribute Selector
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
          Request,Policy,Response
        2. Case: MISSING: "MustBePresent" attribute in Target Attribute Selector
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
          Fix/modification for IIIF002Request.xml contributed by John Merrells <merrells@jiffysoftware.com>. Added to this test suite 11 March 2003.
          Request,Policy,Response
        3. Case: PRESENT: "MustBePresent" attribute in Condition Attribute Selector
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
          Request,Policy,Response
        4. Case: MISSING: "MustBePresent" attribute in Condition Attribute Selector
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
          Request,Policy,Response
        5. Case: Syntax error in XPath expression
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003, updated 2 March 2004 (fixed a bug reported by Jin Peng).
          Request,Policy,Response
        6. Case: Attribute Selector in PolicySet Target
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
          Request,Policy,Response
        7. Case: Relative XPath expressions in Attribute Selector
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 21 March 2003.
          Request,Policy,Response

      7. Non-mandatory Functions
        These tests exercise each of the non-mandatory functions.

        1. Case: xpath-node-count
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
          Request,Policy,Response
        2. Case: true: xpath-node-equal
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
          Request,Policy,Response
        3. Case: false: xpath-node-equal
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
          Request,Policy,Response
        4. Case: true: xpath-node-match
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
          Request,Policy,Response
        5. Case: false: xpath-node-match
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
          Request,Policy,Response
        6. Case: Relative XPath expressions in XPath-based functions
          **EXPERIMENTAL**
          Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 21 March 2003, updated 19 August 2003.
          Request,Policy,Response,Special Instructions