We have written in the past about using time in XACML policies. This can be useful when wanting to control access outside office hours for instance. Sometimes, we also want to use dates to achieve similar and complementary use cases.

Using the Date Datatype in XACML

The Date Datatype

XACML provides close to 20 different data types. Some of those data types relate to time and date:

In this blog, we’ll focus on date (http://www.w3.org/2001/XMLSchema#date). The date datatype represents a date, that is, a 24-hour interval which starts at the beginning of the day in the given time zone. XACML uses the date type from XML Schema. The formal definition of the type is available at http://www.w3.org/TR/xmlschema-2/#date.

The Date Datatype in ALFA

Comparing two attributes together

Let’s start by defining a new attribute called expiryDate. Our simple policy will deny access if today’s date is beyond the expiry date. To achieve this, we need to build a condition as follows:

The condition illustrates the use of 2 attributes:

  • currentDate is a standard attribute available in XACML
    • id = “urn:oasis:names:tc:xacml:1.0:environment:current-date”
    • type = date (i.e. “http://www.w3.org/2001/XMLSchema#date”)
    • category = environmentCat (i.e. “urn:oasis:names:tc:xacml:3.0:attribute-category:environment”)
  • expiryDate is a custom attribute created for this scenario

This example shows how to compare two date attributes together. This is a relatively simple example: access will be denied if the current date is greater than the expiry date.

Comparing an attribute to a value

It’s also interesting to look at comparing a date attribute to a value. As always, in ALFA, values are strings that need to be converted to the relevant datatype. Conversion happens when :datatype is appended to the value as follows:
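The two conditions described above (comparing currentDate against a custom expiryDate attribute, and comparing currentDate against a literal date) as one ALFA policy. This is an added example, not the original post’s own snippet; the namespace, the attribute id urn:example:subject:expiry-date, the choice of subjectCat as category, the rule names and the cut-off value 2016-12-31 are all assumptions made for the illustration.

```alfa
namespace example.dates {

    // Brings the standard attributes (currentDate, subjectId, ...) into scope.
    import Attributes.*

    // Custom attribute holding the date on which the subject's access expires.
    // Id, category and namespace are assumptions made for this example.
    attribute expiryDate {
        id = "urn:example:subject:expiry-date"
        type = date
        category = subjectCat
    }

    /*
     * Denies access once the current date is past the subject's expiry date,
     * and additionally denies any request evaluated after a fixed cut-off
     * date given as a literal value.
     */
    policy dateChecks {
        apply denyOverrides

        // Comparing two attributes: currentDate is the standard
        // urn:oasis:names:tc:xacml:1.0:environment:current-date attribute,
        // expiryDate is the custom attribute declared above. ALFA inserts
        // the one-and-only wrapper around each attribute designator, since
        // dateGreaterThan takes atomic values.
        rule denyExpired {
            deny
            condition dateGreaterThan(currentDate, expiryDate)
        }

        // Comparing an attribute to a value: the string literal becomes a
        // date value once ":date" is appended to it.
        rule denyAfterCutOff {
            deny
            condition dateGreaterThan(currentDate, "2016-12-31":date)
        }

        // Neither deny rule applied: the subject is within its validity period.
        rule permitOtherwise {
            permit
        }
    }
}
```

Two things to keep in mind when deploying a policy like this. First, currentDate is populated by the PDP from its own clock and time zone, so the PDP host’s clock and zone setting are part of the policy’s trust base. Second, if the PIP returns no expiryDate for a subject, the one-and-only wrapper fails and the denyExpired condition evaluates to Indeterminate rather than false; under denyOverrides the policy then returns Indeterminate instead of Permit, so the PEP must treat anything other than an explicit Permit as a denial.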

The Date Datatype in XACML

Comparing two attributes together

The previous ALFA example translates into the following XML:

Comparing an attribute to a value

Date Functions in XACML

In the previous examples, we used two different functions:

  • dateEqual (urn:oasis:names:tc:xacml:1.0:function:date-equal)
  • dateGreaterThan (urn:oasis:names:tc:xacml:1.0:function:date-greater-than)

However, the XACML standard defines more date functions than these two. The entire set is listed below, giving the ALFA notation followed by the XACML identifier.

ALFA Notation (XACML Identifier)

  • dateAtLeastOneMemberOf (urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of)
  • dateBag (urn:oasis:names:tc:xacml:1.0:function:date-bag)
  • dateBagSize (urn:oasis:names:tc:xacml:1.0:function:date-bag-size)
  • dateEqual (urn:oasis:names:tc:xacml:1.0:function:date-equal)
  • dateGreaterThan (urn:oasis:names:tc:xacml:1.0:function:date-greater-than)
  • dateGreaterThanOrEqual (urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal)
  • dateIntersection (urn:oasis:names:tc:xacml:1.0:function:date-intersection)
  • dateIsIn (urn:oasis:names:tc:xacml:1.0:function:date-is-in)
  • dateLessThan (urn:oasis:names:tc:xacml:1.0:function:date-less-than)
  • dateLessThanOrEqual (urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal)
  • dateOneAndOnly (urn:oasis:names:tc:xacml:1.0:function:date-one-and-only)
  • dateSetEquals (urn:oasis:names:tc:xacml:1.0:function:date-set-equals)
  • dateSubSet (urn:oasis:names:tc:xacml:1.0:function:date-subset)
  • dateUnion (urn:oasis:names:tc:xacml:1.0:function:date-union)
  • dateAddYearMonthDuration (urn:oasis:names:tc:xacml:3.0:function:date-add-yearMonthDuration)
  • dateFromString (urn:oasis:names:tc:xacml:3.0:function:date-from-string)
  • dateSubtractYearMonthDuration (urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration)
  • stringFromDate (urn:oasis:names:tc:xacml:3.0:function:string-from-date)

Comparison Functions

Each function is given in ALFA notation, followed by a description of its behaviour.

dateAtLeastOneMemberOf

This function returns true if there is at least one value in the bag of values of the first argument present in the bag of values of the second argument. Both arguments must be bags.

dateAtLeastOneMemberOf(a, b) returns true if:

  • a = {“2016-07-04”, “2016-07-05”} and
  • b = {“2016-07-14”, “2016-07-05”}

dateEqual

This function returns true if both arguments are atomic values, i.e. not bags, and are equal. dateEqual(“2016-07-05”:date, “2016-07-05”:date) returns true.

dateGreaterThan

This function returns true if the first argument is greater than the second. Both arguments are atomic values.

dateGreaterThanOrEqual

This function returns true if the first argument is greater than or equal to the second. Both arguments are atomic values.

dateIsIn

This function returns true if the first argument is an atomic value, the second argument a bag, and if the first argument’s value is in the second argument’s bag. Example: dateIsIn(a, b) returns true if:

  • a is an atomic value e.g. “2016-05-04”
  • b is a bag of values e.g. {“2016-05-04”, “2016-05-05”, “2016-05-06”}

dateLessThan

This function returns true if the first argument is less than the second. Both arguments are atomic values.

dateLessThanOrEqual

This function returns true if the first argument is less than or equal to the second. Both arguments are atomic values.

Arithmetic Functions

Each function is given in ALFA notation, followed by a description of its behaviour.

dateAddYearMonthDuration

Use this function to add a year/month duration to a date. Example: P4Y11M, which means a duration of 4 years and 11 months.

dateSubtractYearMonthDuration

Use this function to subtract a year/month duration from a date. Example: P4Y11M, which means a duration of 4 years and 11 months.
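The arithmetic and bag functions above in use. This is an added example, not code from the original post: it expresses a validity window of one year from a grant date with dateAddYearMonthDuration, and a set of freeze dates on a resource with dateIsIn. The namespace, the attribute ids urn:example:subject:grant-date and urn:example:resource:freeze-date, their categories and the P1Y duration are assumptions made for the illustration.

```alfa
namespace example.validity {

    import Attributes.*

    // Date on which the subject's entitlement was granted (assumed attribute).
    attribute grantDate {
        id = "urn:example:subject:grant-date"
        type = date
        category = subjectCat
    }

    // Multi-valued resource attribute listing the dates on which the
    // resource is frozen and must not be accessed (assumed attribute).
    attribute freezeDate {
        id = "urn:example:resource:freeze-date"
        type = date
        category = resourceCat
    }

    policy validityWindow {
        apply denyOverrides

        // Arithmetic: the entitlement lasts one year from the grant date,
        // so deny once currentDate is past grantDate + P1Y. The duration
        // literal is converted with ":yearMonthDuration", just as ":date"
        // converts a date literal.
        rule denyPastOneYear {
            deny
            condition dateGreaterThan(
                currentDate,
                dateAddYearMonthDuration(grantDate, "P1Y":yearMonthDuration))
        }

        // Bag membership: freezeDate may carry several values. dateIsIn takes
        // an atomic first argument and a bag as second argument, so ALFA wraps
        // currentDate in one-and-only and passes the freezeDate bag as-is.
        rule denyOnFreezeDate {
            deny
            condition dateIsIn(currentDate, freezeDate)
        }

        rule permitOtherwise {
            permit
        }
    }
}
```

Note that year/month arithmetic follows the XML Schema rules for adding a duration to a date: the day of month is clamped to the last day of the resulting month, so a grant on 2016-02-29 plus P1Y ends on 2017-02-28. When a validity window is audited or tested, include such month-end grant dates in the test requests so that the boundary behaviour is checked rather than assumed.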

Conclusion

XACML provides a rich set of datatypes. One datatype commonly used in XACML policies is date. It can be used to define policies that have a scope limited in time. It can also be used to check whether a user’s permissions are still valid or have expired.
