Schema for the attribute filter policies.

Root element of the attribute filter policy. Represents a named group of filter policies.
Defines a set of application requirements that may be reused across multiple filter policies.
Defines a permit value rule that may be reused across multiple attribute rules.
Defines a deny value rule that may be reused across multiple attribute rules.
Defines an attribute rule that may be reused across multiple filter policies.
A policy that defines the set of attribute value filters that will be applied if its application requirements are met.
Digital signature for the policy. Policies that are fetched from an external source, such as a federation site, should be signed.

A policy that defines a set of attribute value filter rules that should be used if given requirements are met.
A requirement that, if met, signals that this filter policy should be used.
A rule that describes how values of an attribute will be filtered.
Reference to a PermitValueRule defined within this policy group or another.
Reference to a DenyValueRule defined within this policy group or another.
The ID of the attribute to which this rule applies.
If present and true, injects an implicit permit value rule of type ANY.

A requirement that, if met, signals that a filter policy should be used.
A filter for attribute values. If the filter evaluates to true the value is permitted to be released.
A filter for attribute values. If the filter evaluates to true the value is denied and may not be released.
An ID, unique within the policy and component type.
Used to reference a globally defined policy component.

A match function that evaluates to true.
A match function that performs a logical AND on the results of all contained matching functions.
The set of match function rules to be ANDed.
A match function that performs a logical OR on the results of all contained matching functions.
The set of match function rules to be ORed.
A match function that performs a logical NOT on the result of the contained matching function.
The set of match function rules to be negated.

A match function that matches the attribute request against the specified value.
The reference to an externally defined bean to do the predicate work.

A match function that matches the attribute requester against the specified value.
A match function that matches a proxied attribute requester against the specified value.
A match function that matches the attribute issuer against the specified value.
A match function that matches the principal name against the specified value.
A match function that matches the active profile identifier against the specified value.
A match function that matches the value of an attribute against the specified value. This match evaluates to true if the attribute contains the specified value.
A match function that matches the attribute scope against the specified value.
The ID of the attribute whose value should be matched. If no attribute ID is specified, the ID of the containing attribute rule is assumed.
The string value to match.
A boolean flag indicating whether the match evaluation should be case sensitive.

A match function that matches the attribute requester against the specified regular expression.
A match function that matches a proxied attribute requester against the specified regular expression.
A match function that matches the attribute issuer against the specified regular expression.
A match function that matches the principal name against the specified regular expression.
A match function that matches an attribute value against the specified regular expression. This function evaluates to true if any value matches the given expression.
A match function that matches the attribute scope against the specified regular expression.
The ID of the attribute whose value should be matched. If no attribute ID is specified, the ID of the containing attribute rule is assumed.
The regular expression values are matched against.
Whether the comparison is case sensitive; default is TRUE.

A match function that evaluates a script to determine if some criteria are met. The script MUST return a boolean.
The script to evaluate to construct the attribute.
The filesystem path to the script to evaluate to construct the attribute.
The JSR-233 name for the scripting language that will be used. By default "javascript" is supported.
The name of a bean defined somewhere else which will be injected into the script as an object called "custom". If not supplied, nothing is injected.

A match function that evaluates to true if the given attribute has a number of values that falls between the minimum and maximum. This method may be used as a sanity check to ensure that an unexpected number of values did not come from the attribute resolver and get released.
The ID of the attribute whose value should be matched.
Minimum number of values an attribute may have.
Maximum number of values an attribute may have.

A match function that checks if the attribute requester's metadata contains an entity attribute with the specified value.
A match function that checks if a proxied requester's metadata contains an entity attribute with the specified value.
A match function that checks if the attribute issuer's metadata contains an entity attribute with the specified value.
The name of the entity attribute to match.
The value of the entity attribute to match.
The NameFormat of the entity attribute to match.
Boolean attribute: whether to examine only mapped/decoded attributes. Default is false.

A match function that checks if the attribute requester's metadata contains an entity attribute with a value that matches the given regular expression.
A match function that checks if a proxied requester's metadata contains an entity attribute with a value that matches the given regular expression.
A match function that checks if the attribute issuer's metadata contains an entity attribute with a value that matches the given regular expression.
The name of the entity attribute to match.
The regular expression that must match the value of the entity attribute to match.
The name format of the entity attribute to match.
Boolean attribute: whether to examine only mapped/decoded attributes. Default is false.

A match function that evaluates to true if the attribute requester supports a specified NameID format.
A match function that evaluates to true if the attribute issuer supports a specified NameID format.
The NameID format that needs to be supported by the entity.

A match function that evaluates to true if the attribute requester is found in metadata and is a member of the given entity group.
A match function that evaluates to true if a proxied requester is found in metadata and is a member of the given entity group.
A match function that evaluates to true if the attribute issuer is found in metadata and is a member of the given entity group.
The entity group ID that an entity must be in.
Whether to check for membership in metadata-based AffiliationDescriptors. Defaults to false.

A match function that matches a requester's MDRPI against a list of potential values.
A match function that matches a proxied requester's MDRPI against a list of potential values.
A match function that matches the attribute issuer's MDRPI content against a list of potential values.
The string values to match.
A boolean flag indicating whether a match should occur if the metadata does not contain an MDRPI statement. The (coded) default is false.

A match function that ensures that an attribute value's scope matches a scope given in metadata for the entity or role of the attribute issuer.
A match function that evaluates to true if an attribute (or specific values) is specified by the requesting entity's AttributeConsumingService SP metadata. It supports both explicit checking for a named SAML RequestedAttribute in metadata and comparison via the transcoding registry, which compares the internal attribute form against decoded objects produced from the metadata. This is the old "mapped" functionality in V3 and is now collapsed into one matcher type.
The ID of the attribute whose value should be matched. If no attribute ID is specified, the ID of the containing attribute rule is assumed.
A boolean flag indicating whether attributes noted as optional should match.
A boolean flag indicating whether a match should occur if (after mapping) the metadata does not contain any Attributes.
The name of a requested attribute to look for.
The name format of a requested attribute to look for.