Skip to main content

Rego Built-in Function: time.clock

time.clock is Rego's built-in function that returns the 'clock time' (hours, minutes, seconds) for a given time in nanoseconds and timezone.

This is most useful for creating policy that's relative to a user's local time, or showing time-based information in a human-readable format in error messages that are shown to the user.

Examples

Grant access during local business hours

A common attribute-based access control (ABAC) requirement is to grant access based on time. This is typically done by determining the user's local time and ensuring it falls within a given period.

In this example we show how to allow requests when made by a user in their local business hours.

policy.rego
package play

import rego.v1

request_time := time.parse_ns("RFC822Z", input.request_time)

local_hours := data.business_hours[input.tz]

default allow := false

allow if {
[hour, _, _] := time.clock([request_time, input.tz])
hour > local_hours.start
hour < local_hours.end
}
input.json
{
"user": "y.hanako@example.com",
"tz": "Asia/Tokyo",
"request_time": "03 Jul 24 14:04 +0000"
}
data.json
{
"business_hours": {
"Asia/Tokyo": {
"start": 9,
"end": 18
}
}
}

Open in OPA Playground

RuleOutput ValueNotes
allowfalseThe request is made outside business hours in Japan