I'd like to get some insights about the PDP process decisions for XACML Version 3 regarding the processing of time window based decisions, especially how does it work with the time-zone field support that is part of the specification.
For policy, I use to define time events like this: HH:MM:SS-Tz:00
As an example, we could talk about a data centre located in New York city currently at UTC -4 hour running under Eastern Daylight Saving Time (EDT), while there exists customers at the West coast, San Francisco area at UTC -7 hours, also using DST adjustment. Further we might see an access from São Paulo at UTC-3 without DST.
How to define an authorized access window to cover all service delivery during the business hours of each location? Should we declare it under UTC (+00:00) or does the PDP make the required conversion during the policy processing, for example at 18:00:00-07:00 (end of day in San Francisco), which would map into 01:00:00 UTC as final limit for service delivery, translating back to New York as 21:00:00-04:00.
I presume that requests will be generated in local time, also referencing local time.
Can we push the central time based decisions as far under the XACML PDP, or is it better to apply multiple polices on a per office and time-zone base, like using a separate policy for each city like: San Francisco, São Paulo and New York? Yet a similar concern is regarding the support of Asian time zones that show fraction of hours. Is a documentation available that clarifies time math related doubts under XACML?
Sample Rule for Time Window Decisions
<Rule Effect="Deny" RuleId="DenyOutsideOfficeHours">
<Target></Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"></AttributeDesignator>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">08:00:00-03:00</AttributeValue>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">18:00:00-03:00</AttributeValue>
</Apply>
</Apply>
</Apply>
</Apply>
</Condition>
<ObligationExpressions>
<ObligationExpression ObligationId="obligation.displayAttributes" FulfillOn="Deny">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access to resource is limited to office hours between 08:00 to 18:00 GMT-3</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
