Some thoughts. Attributes fall into three buckets: - Attributes of an user or a resource - Attributes passed in with the Check request - Environmental attributes such as time In order to support #1 in an elegant fashion, we would need a way to talk about instances of objects (and not just relations). Force fitting attributes of objects on to relations seems like an ugly hack. At the moment, I can't think of any use case in our domain that would need #2 If the time zone can be set as an attribute of the object, then the caveat can express the time based condition on the user's or the resource's frame of reference.