Rego Built-in Function: time.clock
time.clock is Rego's built-in function that returns the 'clock time'
(hours, minutes, seconds) for a given time in nanoseconds and timezone.
This is most useful for creating policy that's relative to a user's local time, or showing time-based information in a human-readable format in error messages that are shown to the user.
Examples
Grant access during local business hours
A common attribute-based access control (ABAC) requirement is to grant access based on time. This is typically done by determining the user's local time and ensuring it falls within a given period.
In this example we show how to allow requests when made by a user in their local business hours.
# policy.rego
request_time := time.parse_ns("RFC822Z", input.request_time)
local_hours := data.business_hours[input.tz]
default allow := false
allow if {
[hour, _, _] := time.clock([request_time, input.tz])
hour > local_hours.start
hour < local_hours.end
}
# input.json
{
"user": "y.hanako@example.com",
"tz": "Asia/Tokyo",
"request_time": "03 Jul 24 14:04 +0000"
}
# data.json
{
"business_hours": {
"Asia/Tokyo": {
"start": 9,
"end": 18
}
}
}
| Rule | Output Value | Notes |
|---|---|---|
| allow | false | The request is made outside business hours in Japan |