I think you should consider writing a separate XACMLAuthorizationModule that makes the decisions based on the information available from the subject, JDK (time/date/ip) etc.
In our case, we use it mainly for Java EE which is RBAC.
You know how to plug in your own authorization module at the security domain level. correct?
I would refrain from changing the EJBXACMLUtil/web...util because they are the core JBoss codebase.
It is best to write your own XACML authz module that uses our XACML api.