XACML type for bags

What is the XACML type for a bag?

My condition function is string-at-least-one-member-of, and I'm using the string-bag function in my request. What data type DataType do I give the AttributeDesignator for the bag?

My condition is:

     <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="WHAT SHOULD THIS BE?" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
        </xacml3:Apply>
     </xacml3:Condition>

and my attribute is

    <xacml3:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml3:Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="false">
          <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</xacml3:AttributeValue>
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</xacml3:AttributeValue>
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</xacml3:AttributeValue>
          </xacml3:Apply>
        </xacml3:Attribute>
    </xacml3:Attributes>

When I try the request in WSO2, I get

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Deny</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
    </Result>
</Response>

For those interested in the entire files, my request is:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="test:xacml:1.0:county" IncludeInResult="true">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="true">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</AttributeValue>
      </Apply>
    </Attribute>
</Attributes>
</Request>

and my policy is:

<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="county-based-3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <xacml3:Description></xacml3:Description>
  <xacml3:Target></xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/stackoverflow.example.checkGroup">
     <xacml3:Description></xacml3:Description>
     <xacml3:Target></xacml3:Target>
     <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
        </xacml3:Apply>
     </xacml3:Condition>
  </xacml3:Rule> 
  <xacml3:Rule Effect="Deny" RuleId="deny-rule"></xacml3:Rule>

The data type should be http://www.w3.org/2001/XMLSchema#string:

        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
       <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
       <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
    </xacml3:Apply>

All attribute designators are in fact bags in XACML. The datatype applies to the entire elements of the bag.

Moreover, you use the function urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of which takes 2 bags of String as defined in the XACML 3.0 specification:

urn:oasis:names:tc:xacml:x.x:function:type-at-least-one-member-of

This function SHALL take two arguments that are both a bag of ‘type’ values. It SHALL return a “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL evaluate to "True" if and only if at least one element of the first argument is contained in the second argument as determined by "urn:oasis:names:tc:xacml:x.x:function:type-is-in".

The request you sent in is invalid. A <Request/> element cannot contain an <Apply/> element inside.

Remove <Apply/> and you should get the following request:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="test:xacml:1.0:county" IncludeInResult="true">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="true">

        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</AttributeValue>

    </Attribute>
</Attributes>
</Request>

This is the graphical representation in the Axiomatics Policy Server: