How Can I Use Date in a XACML Policy?

Axiomatics   ·   Wednesday, September 7th, 2016

We have written in the past about using time in XACML policies. This can be useful when wanting to control access outside office hours for instance. Sometimes, we also want to use dates to achieve similar and complementary use cases.

Using the Date Datatype in XACML

The Date Datatype

XACML provides close to 20 different data types. Some of those data types relate to time and date:

• date
  • http://www.w3.org/2001/XMLSchema#date
  • Example value: 2002-10-10+01:00, which represents the 10th of October 2002 in the time zone one hour before UTC (that is, Central Europe).
• dateTime
  • http://www.w3.org/2001/XMLSchema#dateTime
  • Example value: 2002-10-10T12:00:12-05:00, which means 12 minutes past noon in the timezone five hours after UTC (that is, US eastern time), on the 10th of October 2002.
• dayTimeDuration
  • http://www.w3.org/2001/XMLSchema#dayTimeDuration
  • Example value: P2DT3H45M13.4S, which means a duration of 2 days, 3 hours, 45 minutes and 13.4 seconds.
• time
  • http://www.w3.org/2001/XMLSchema#time
  • Example value: 13:20:00-05:00 which means 1:20 PM in the timezone 5 hours before UTC.
• yearMonthDuration
  • http://www.w3.org/2001/XMLSchema#yearMonthDuration
  • Example value: P4Y11M, which means a duration of 4 years and 11 months.

In this blog, we’ll focus on date (http://www.w3.org/2001/XMLSchema#date). The date datatype represents a date, that is, a 24 hour interval which starts at the start of the day in the given time zone. XACML uses the date type from XML schema. The formal definition of the type is available at http://www.w3.org/TR/xmlschema-2/#date.

The Date Datatype in ALFA

Comparing two attributes together

Let’s start by defining a new attribute called expiryDate. Our simple policy will deny access if today’s date is beyond the expiry date. To achieve this, we need to build a condition as follows:

attribute expiryDate{
 category = subjectCat
 id = "expiryDate"
 type = date
}
rule denyExpiredAccess{
 deny
 condition Attributes.currentDate > expiryDate
}

The condition illustrates the use of 2 attributes:

• currentDate is a standard attribute available in XACML
  • id = “urn:oasis:names:tc:xacml:1.0:environment:current-date”
  • type = date (i.e. “http://www.w3.org/2001/XMLSchema#date“)
  • category = environmentCat (i.e. “urn:oasis:names:tc:xacml:3.0:attribute-category:environment”)
• expiryDate is a custom attribute created for this scenario
  • id = “expiryDate”
  • type = date (i.e. “http://www.w3.org/2001/XMLSchema#date“)
  • category = subjectCat (i.e. urn:oasis:names:tc:xacml:1.0:subject-category:access-subject)

This example shows how to compare two date attributes together. This is a relatively simple example: access will be denied if the current date is greater than the expiry date.

Comparing an attribute to a value

It’s also interesting to look at comparing a date attribute to a value. As always, in ALFA, values are string that need to be converted to the relevant datatype. Conversion happens when :datatype is appended to the value as follows:

/**
* This policy denies access if today's date is beyond the expiry date
*/
policy checkExpiry{
 apply firstApplicable
 rule denyExpiredAccess{
  deny
  condition Attributes.currentDate > expiryDate
 }
 rule deny4thJuly{
  target clause expiryDate == "2016-07-04":date
  deny
 }
}

The Date Datatype in XACML

Comparing two attributes together

The previous ALFA example translates into the following XML:

<xacml3:Rule
  Effect="Deny"
  RuleId="http://axiomatics.com/alfa/identifier/example.checkExpiry.denyExpiredAccess">
 <xacml3:Description>Deny after expiry date</xacml3:Description>
 <xacml3:Target />
 <xacml3:Condition>
  <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
   <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than"/>
   <xacml3:AttributeDesignator
    AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
    DataType="http://www.w3.org/2001/XMLSchema#date"
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
    MustBePresent="false"
   />
   <xacml3:AttributeDesignator
    AttributeId="expiryDate"
    DataType="http://www.w3.org/2001/XMLSchema#date"
    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
    MustBePresent="false"
   />
  </xacml3:Apply>
 </xacml3:Condition>
</xacml3:Rule>

Comparing an attribute to a value

<xacml3:Rule
   Effect="Deny"
   RuleId="http://axiomatics.com/alfa/identifier/example.checkExpiry.deny4thJuly">
  <xacml3:Description>Deny on July 4th 2016</xacml3:Description>
  <xacml3:Target>
   <xacml3:AnyOf>
    <xacml3:AllOf>
     <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:date-equal">
      <xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#date">2016-07-04</xacml3:AttributeValue>
      <xacml3:AttributeDesignator
       AttributeId="expiryDate"
       DataType="http://www.w3.org/2001/XMLSchema#date"
       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
       MustBePresent="false"
      />
    </xacml3:Match>
   </xacml3:AllOf>
  </xacml3:AnyOf>
 </xacml3:Target>
</xacml3:Rule>

Date Functions in XACML

In the previous examples, we used two different functions:

• dateEqual (urn:oasis:names:tc:xacml:1.0:function:date-equal)
• dateGreaterThan (urn:oasis:names:tc:xacml:1.0:function:date-greater-than)

However, there are more functions in the XACML standard. The entire set of functions is listed in the table below.

Comparison Functions

Arithmetic Functions

Conclusion

XACML provides a rich set of datatypes. One datatype commonly used in XACML policies is date. It can be used to define policies that have a scope limited in time. It can also be used to check whether a user’s permissions are still valid or have expired.