Skip to main content

Rego Built-in Function: time.clock

time.clock is Rego's built-in function that returns the 'clock time' (hours, minutes, seconds) for a given time in nanoseconds and timezone.

This is most useful for creating policy that's relative to a user's local time, or showing time-based information in a human-readable format in error messages that are shown to the user.


Grant access during local business hours

A common attribute-based access control (ABAC) requirement is to grant access based on time. This is typically done by determining the user's local time and ensuring it falls within a given period.

In this example we show how to allow requests when made by a user in their local business hours.

# policy.rego
request_time := time.parse_ns("RFC822Z", input.request_time)

local_hours := data.business_hours[]

default allow := false

allow if {
[hour, _, _] := time.clock([request_time,])
hour > local_hours.start
hour < local_hours.end
# input.json
"user": "",
"tz": "Asia/Tokyo",
"request_time": "03 Jul 24 14:04 +0000"
# data.json
"business_hours": {
"Asia/Tokyo": {
"start": 9,
"end": 18

Run in OPA Playground

RuleOutput ValueNotes
allowfalseThe request is made outside business hours in Japan