How Can I Use Date in a XACML Policy?

We have written in the past about using time in XACML policies. This is useful, for instance, to restrict access outside office hours. Sometimes we also want to use dates for similar and complementary use cases, such as denying access once a permission has expired.
Using the Date Datatype in XACML
The Date Datatype
XACML provides close to 20 different data types. Some of those data types relate to time and date:
- date
  - http://www.w3.org/2001/XMLSchema#date
  - Example value: 2002-10-10+01:00, which represents the 10th of October 2002 in the time zone one hour ahead of UTC (that is, Central European Time).
- dateTime
  - http://www.w3.org/2001/XMLSchema#dateTime
  - Example value: 2002-10-10T12:00:12-05:00, which means 12 seconds past noon in the time zone five hours behind UTC (that is, US Eastern Time), on the 10th of October 2002.
- dayTimeDuration
  - http://www.w3.org/2001/XMLSchema#dayTimeDuration
  - Example value: P2DT3H45M13.4S, which means a duration of 2 days, 3 hours, 45 minutes and 13.4 seconds.
- time
  - http://www.w3.org/2001/XMLSchema#time
  - Example value: 13:20:00-05:00, which means 1:20 PM in the time zone five hours behind UTC.
- yearMonthDuration
  - http://www.w3.org/2001/XMLSchema#yearMonthDuration
  - Example value: P4Y11M, which means a duration of 4 years and 11 months.
In this post, we'll focus on date (http://www.w3.org/2001/XMLSchema#date). The date datatype represents a date, that is, a 24-hour interval which starts at midnight in the given time zone. XACML uses the date type from XML Schema. The formal definition of the type is available at http://www.w3.org/TR/xmlschema-2/#date.
The Date Datatype in ALFA
Comparing two attributes together
Let’s start by defining a new attribute called expiryDate. Our simple policy will deny access if today’s date is beyond the expiry date. To achieve this, we need to build a condition as follows:
    attribute expiryDate {
        category = subjectCat
        id = "expiryDate"
        type = date
    }

    rule denyExpiredAccess {
        deny
        condition Attributes.currentDate > expiryDate
    }
The condition illustrates the use of 2 attributes:
- currentDate is a standard attribute available in XACML
  - id = "urn:oasis:names:tc:xacml:1.0:environment:current-date"
  - type = date (i.e. "http://www.w3.org/2001/XMLSchema#date")
  - category = environmentCat (i.e. "urn:oasis:names:tc:xacml:3.0:attribute-category:environment")
- expiryDate is a custom attribute created for this scenario
  - id = "expiryDate"
  - type = date (i.e. "http://www.w3.org/2001/XMLSchema#date")
  - category = subjectCat (i.e. "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject")
This example shows how to compare two date attributes. It is a relatively simple case: access will be denied if the current date is greater than the expiry date. One caveat worth keeping in mind: the generated XACML designators carry MustBePresent="false", so if expiryDate is absent from the request the designator returns an empty bag, the condition evaluates to false and the rule is NotApplicable rather than Deny. A deny rule on its own therefore does not fail closed; pair it with a default deny (for example the denyUnlessPermit combining algorithm, or a permit rule that only fires while currentDate is less than or equal to expiryDate), or set MustBePresent to true in the XACML so that a missing attribute yields Indeterminate instead.
Comparing an attribute to a value
It's also interesting to look at comparing a date attribute to a value. As always in ALFA, values are strings that need to be converted to the relevant datatype. Conversion happens when :datatype is appended to the value, as follows:
    /**
     * This policy denies access if today's date is beyond the expiry date
     */
    policy checkExpiry {
        apply firstApplicable
        rule denyExpiredAccess {
            deny
            condition Attributes.currentDate > expiryDate
        }
        rule deny4thJuly {
            target clause expiryDate == "2016-07-04":date
            deny
        }
    }
The Date Datatype in XACML
Comparing two attributes together
The previous ALFA example translates into the following XML. Because each AttributeDesignator returns a bag of values, the ALFA comparison Attributes.currentDate > expiryDate is compiled to the any-of-any higher-order function applied to date-greater-than:
    <xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/example.checkExpiry.denyExpiredAccess">
        <xacml3:Description>Deny after expiry date</xacml3:Description>
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than"/>
                <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                            DataType="http://www.w3.org/2001/XMLSchema#date"
                                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                            MustBePresent="false" />
                <xacml3:AttributeDesignator AttributeId="expiryDate"
                                            DataType="http://www.w3.org/2001/XMLSchema#date"
                                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                            MustBePresent="false" />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
Comparing an attribute to a value
    <xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/example.checkExpiry.deny4thJuly">
        <xacml3:Description>Deny on July 4th 2016</xacml3:Description>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:date-equal">
                        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2016-07-04</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator AttributeId="expiryDate"
                                                    DataType="http://www.w3.org/2001/XMLSchema#date"
                                                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                                    MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
    </xacml3:Rule>
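To make the evaluation semantics of the checkExpiry policy concrete (both the ALFA and the XML forms above), here is a small model of how a XACML 3.0 PDP evaluates it. This is an added example, not code from the original post or from Axiomatics: the request shape (a dict of attribute id to list of string values, with the category omitted), the bag helpers and the fail-closed variant are this example's own assumptions. It shows the bag semantics behind any-of-any, the first-applicable combination of the two deny rules, how a time zone suffix on an xs:date affects ordering, and what happens when expiryDate is missing from the request.

```python
# Added example, not code from the original post: a small model of how a
# XACML 3.0 PDP evaluates the checkExpiry policy.  The request shape
# (a dict of attribute id -> list of string values, category omitted), the
# bag helpers and the fail-closed variant are this example's own assumptions.
from datetime import date, datetime, time, timedelta, timezone
from typing import Callable, Dict, List

CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:environment:current-date"
EXPIRY_DATE = "expiryDate"
Request = Dict[str, List[str]]


def parse_xs_date(text: str) -> datetime:
    """Parse an xs:date (2016-07-04, 2002-10-10+01:00, 2016-07-04Z) as the
    instant at which that day starts.  A date without a time zone is treated
    as UTC here (an assumption: XML Schema leaves the order of zoned vs.
    unzoned dates partially undefined, and a real PDP may say Indeterminate)."""
    tz = timezone.utc
    body = text
    if text.endswith("Z"):
        body = text[:-1]
    elif len(text) > 10 and text[10] in "+-":
        body, sign, offset = text[:10], text[10], text[11:]
        hours, minutes = (int(part) for part in offset.split(":"))
        delta = timedelta(hours=hours, minutes=minutes)
        tz = timezone(delta if sign == "+" else -delta)
    return datetime.combine(date.fromisoformat(body), time.min, tzinfo=tz)


# urn:oasis:names:tc:xacml:1.0:function:date-* comparison functions
def date_equal(a: str, b: str) -> bool:
    return parse_xs_date(a) == parse_xs_date(b)


def date_greater_than(a: str, b: str) -> bool:
    return parse_xs_date(a) > parse_xs_date(b)


def date_less_than_or_equal(a: str, b: str) -> bool:
    return parse_xs_date(a) <= parse_xs_date(b)


def any_of_any(fn: Callable[[str, str], bool], bag_a: List[str], bag_b: List[str]) -> bool:
    """The any-of-any higher-order function over two bags: true if fn holds
    for at least one pair.  A designator with MustBePresent="false" yields an
    empty bag when the attribute is missing, so the result is then False."""
    return any(fn(x, y) for x in bag_a for y in bag_b)


def deny_expired_access(request: Request) -> str:
    """Rule 1: condition Attributes.currentDate > expiryDate."""
    expired = any_of_any(date_greater_than,
                         request.get(CURRENT_DATE, []),
                         request.get(EXPIRY_DATE, []))
    return "Deny" if expired else "NotApplicable"


def deny_4th_july(request: Request) -> str:
    """Rule 2: target clause expiryDate == "2016-07-04":date.  A Target Match
    compares the literal against every value in the designator's bag."""
    matches = any(date_equal("2016-07-04", v) for v in request.get(EXPIRY_DATE, []))
    return "Deny" if matches else "NotApplicable"


def check_expiry(request: Request) -> str:
    """policy checkExpiry with apply firstApplicable: the first rule that is
    not NotApplicable decides; if neither applies, neither does the policy."""
    for rule in (deny_expired_access, deny_4th_july):
        decision = rule(request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def check_expiry_fail_closed(request: Request) -> str:
    """Alternative shape (this example's suggestion, not the post's policy):
    permit only while an expiry date is present and not yet passed, deny
    everything else, as a denyUnlessPermit policy would.  A missing
    expiryDate then cannot slip through as NotApplicable."""
    still_valid = any_of_any(date_less_than_or_equal,
                             request.get(CURRENT_DATE, []),
                             request.get(EXPIRY_DATE, []))
    return "Permit" if still_valid else "Deny"


if __name__ == "__main__":
    today = {CURRENT_DATE: ["2016-07-01"]}  # constructed sample requests
    for expiry in (["2016-06-30"], ["2016-07-04"], ["2016-12-31"], None):
        req = dict(today) if expiry is None else {**today, EXPIRY_DATE: expiry}
        print(f"expiryDate={expiry!s:<16} firstApplicable={check_expiry(req):<14} "
              f"failClosed={check_expiry_fail_closed(req)}")
```

The last row of the printout is the one to watch: with no expiryDate in the request the first-applicable policy returns NotApplicable, which an enclosing policy set may well treat as "no opinion", while the fail-closed variant returns Deny.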
Date Functions in XACML
In the previous examples, we used two different functions:
- dateEqual (urn:oasis:names:tc:xacml:1.0:function:date-equal)
- dateGreaterThan (urn:oasis:names:tc:xacml:1.0:function:date-greater-than)
However, there are more functions in the XACML standard. The entire set of functions is listed in the table below.
ALFA Notation | XACML Identifier
--- | ---
dateAtLeastOneMemberOf | urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of
dateBag | urn:oasis:names:tc:xacml:1.0:function:date-bag
dateBagSize | urn:oasis:names:tc:xacml:1.0:function:date-bag-size
dateEqual | urn:oasis:names:tc:xacml:1.0:function:date-equal
dateGreaterThan | urn:oasis:names:tc:xacml:1.0:function:date-greater-than
dateGreaterThanOrEqual | urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal
dateIntersection | urn:oasis:names:tc:xacml:1.0:function:date-intersection
dateIsIn | urn:oasis:names:tc:xacml:1.0:function:date-is-in
dateLessThan | urn:oasis:names:tc:xacml:1.0:function:date-less-than
dateLessThanOrEqual | urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal
dateOneAndOnly | urn:oasis:names:tc:xacml:1.0:function:date-one-and-only
dateSetEquals | urn:oasis:names:tc:xacml:1.0:function:date-set-equals
dateSubSet | urn:oasis:names:tc:xacml:1.0:function:date-subset
dateUnion | urn:oasis:names:tc:xacml:1.0:function:date-union
dateAddYearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:date-add-yearMonthDuration
dateFromString | urn:oasis:names:tc:xacml:3.0:function:date-from-string
dateSubtractYearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration
stringFromDate | urn:oasis:names:tc:xacml:3.0:function:string-from-date
Comparison Functions
ALFA Notation | Description
--- | ---
dateAtLeastOneMemberOf | Returns true if at least one value in the bag of values of the first argument is present in the bag of values of the second argument. Both arguments must be bags. dateAtLeastOneMemberOf(a, b) returns true if some element of a is also an element of b.
dateEqual | Returns true if both arguments are atomic values, i.e. not bags, and are equal. dateEqual("2016-07-05":date, "2016-07-05":date) returns true.
dateGreaterThan | Returns true if the first argument is greater than the second. Both arguments are atomic values.
dateGreaterThanOrEqual | Returns true if the first argument is greater than or equal to the second. Both arguments are atomic values.
dateIsIn | Returns true if the first argument is an atomic value, the second argument a bag, and the first argument's value is in the second argument's bag. dateIsIn(a, b) returns true if a is an element of b.
dateLessThan | Returns true if the first argument is less than the second. Both arguments are atomic values.
dateLessThanOrEqual | Returns true if the first argument is less than or equal to the second. Both arguments are atomic values.
Arithmetic Functions
ALFA Notation | Description
--- | ---
dateAddYearMonthDuration | Use this function to add a year/month duration (for example P4Y11M, a duration of 4 years and 11 months) to a date. dateAddYearMonthDuration("2016-07-04":date, "P4Y11M":yearMonthDuration) yields 2021-06-04.
dateSubtractYearMonthDuration | Use this function to subtract a year/month duration from a date. dateSubtractYearMonthDuration("2016-07-04":date, "P4Y11M":yearMonthDuration) yields 2011-08-04.
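A typical use of these two functions is to derive an expiry date from an issue date and a validity period rather than storing the expiry date itself. The following is an added example, not code from the original post or from Axiomatics: it implements date-add-yearMonthDuration and date-subtract-yearMonthDuration with the XML Schema Part 2 Appendix E rule that XACML 3.0 refers to, under which the day of month is clamped to the last day of the resulting month (so 2016-01-31 plus P1M is 2016-02-29, not an invalid 31 February). The function names are this example's own, and the dates are assumed to carry no time zone.

```python
# Added example, not code from the original post: the XACML 3.0 functions
# date-add-yearMonthDuration and date-subtract-yearMonthDuration, following
# the XML Schema Part 2 Appendix E rule that clamps the day of month to the
# last day of the resulting month.  Function names are this example's own;
# dates are assumed to carry no time zone (plain YYYY-MM-DD).
import re
from calendar import monthrange
from datetime import date

_YEAR_MONTH = re.compile(r"^(-)?P(?:(\d+)Y)?(?:(\d+)M)?$")


def parse_year_month_duration(text: str) -> int:
    """xs:yearMonthDuration as a signed month count: P4Y11M -> 59, -P2M -> -2."""
    m = _YEAR_MONTH.match(text)
    if not m or (m.group(2) is None and m.group(3) is None):
        raise ValueError(f"not an xs:yearMonthDuration: {text!r}")
    months = int(m.group(2) or 0) * 12 + int(m.group(3) or 0)
    return -months if m.group(1) else months


def date_add_year_month_duration(day: str, duration: str) -> str:
    """Returns day + duration, e.g. 2016-07-04 + P4Y11M = 2021-06-04.
    The day of month is clamped, so 2016-01-31 + P1M = 2016-02-29."""
    start = date.fromisoformat(day)
    total_months = start.year * 12 + (start.month - 1) + parse_year_month_duration(duration)
    year, month_index = divmod(total_months, 12)
    month = month_index + 1
    clamped_day = min(start.day, monthrange(year, month)[1])
    return date(year, month, clamped_day).isoformat()


def date_subtract_year_month_duration(day: str, duration: str) -> str:
    """Returns day - duration, e.g. 2016-07-04 - P4Y11M = 2011-08-04."""
    negated = duration[1:] if duration.startswith("-") else "-" + duration
    return date_add_year_month_duration(day, negated)


def credential_expired(issued: str, validity: str, today: str) -> bool:
    """Derive the expiry date from an issue date and validity period, then
    apply the same test as the denyExpiredAccess rule: expired once today
    is strictly after issued + validity."""
    expiry = date_add_year_month_duration(issued, validity)
    return date.fromisoformat(today) > date.fromisoformat(expiry)


if __name__ == "__main__":
    print(date_add_year_month_duration("2016-07-04", "P4Y11M"))       # 2021-06-04
    print(date_subtract_year_month_duration("2016-07-04", "P4Y11M"))  # 2011-08-04
    print(date_add_year_month_duration("2016-01-31", "P1M"))          # 2016-02-29
    print(credential_expired("2015-07-04", "P1Y", "2016-07-05"))      # True
```

The clamping rule matters for expiry checks: a credential issued on the 31st and valid for one month must expire on the 28th or 29th of February, and an implementation that instead rolls over into March silently grants a few extra days.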
Conclusion
XACML provides a rich set of datatypes. One datatype commonly used in XACML policies is date. It can be used to define policies that have a scope limited in time. It can also be used to check whether a user’s permissions are still valid or have expired.