Some thoughts. Attributes fall into three buckets:
- Attributes of an user or a resource
- Attributes passed in with the Check request
- Environmental attributes such as time
In order to support #1 in an elegant fashion, we would need a way to talk about instances of objects (and not just relations). Force fitting attributes of objects on to relations seems like an ugly hack.
At the moment, I can't think of any use case in our domain that would need #2
If the time zone can be set as an attribute of the object, then the caveat can express the time based condition on the user's or the resource's frame of reference.