String can be used as attribute data type in a variety of scenarios where text-based information is needed to make access control decisions. Here are a few examples:

  • Location: If you need to control access based on geographical location, you might have a location attribute (e.g., “USA”, “EU”, “Asia”) stored as a string.
  • Device Type: If access control decisions need to consider the type of device being used, a device type attribute (e.g., “mobile”, “desktop”, “tablet”) could be stored as a string.
  • Time Zone: If access needs to be controlled based on time zones, a time zone attribute (e.g., “EST”, “PST”, “GMT”) could be stored as a string.
  • Day of the Week: In a scenario where access to certain resources is determined by the day of the week, the string data type can be used to represent these days (e.g., “Monday”, “Tuesday”, etc.) as attributes!
entity user {}

entity organization {

	relation admin @user

	attribute location string[]

	permission view = check_location(location) or admin
}

rule check_location(location string[]) {
	context.data.current_location in location
}

View Access On Weekends

In this example, to be able to view the repository it must not be a weekend, and the user must be a member of the organization.

This schema works correctly in versions above v1.1. If you are using an earlier version, please refer to the version differences here.
entity user {}

entity organization {

    relation member @user

    attribute valid_weekdays string[]

    permission view = is_weekday(valid_weekdays) and member
}

entity repository {

    relation organization  @organization

    permission view = organization.view
}

rule is_weekday(valid_weekdays string[]) {
    context.data.day_of_week in valid_weekdays
}

The permissions in this model state that to ‘view’ the repository, the user must fulfill two conditions: the current day (according to the context data day_of_week) must not be a weekend (determined by the is_weekday rule), and the user must be a member of the organization that owns the repository.

Relationships:

  • organization:1#member@user:1

Check Evolution Sub Queries Organization View → organization:1$is_weekday(valid_weekdays) → true → organization:1#member@user:1 → true

Request keys before hash

  • check*{snapshot}*{schema*version}*{context}\_organization:1$is_weekday(valid_weekdays) → true
  • check*{snapshot}*{schema*version}*{context}\_post:1#member@user:1 → true