Time-Based Checks
You can grant people access to resources for a specific length of time by adding an expiration time to their role or permission assignment.
Implement the logic
We add a rule to say that a user has a role if they have a role assignment that has not expired.
The has_role_with_expiry
fact is like the usual has_role
fact, but the fourth argument is the
expiration time, expressed as an integer representing seconds since the Unix epoch.
On a *nix system, date +%s
will give you the current Unix time in seconds.
@current_unix_time
is a constant you can use in rules that will resolve to
the current Unix time at the time your query is evaluated.
To implement access expiration, we compare the expiration time with the current time.
Test it out
To test this, we grant Alice the "member" role until 2033, while Bob's role expired in 2022.
Given those time-bound roles, Alice has access but Bob does not.