This topic describes how to create and manage automatic authorization rules.
Background information
OceanBase Developer Center (ODC) allows system administrators to define automatic authorization rules. System administrators can create, modify, view, and disable automatic authorization rules.
The automatic authorization feature grants roles or permissions to users whose names, departments, or login methods meet specific conditions, either when the users are created or when they log in for the first time. This avoids redundant authorization operations.
This topic describes how to create an automatic authorization rule named grant system_admin for deptB, which automatically grants the system_admin role to a user whose username in memberOf.department contains deptB.
Create an automatic authorization rule
Integrate OAuth 2.0 with ODC and authorize login to ODC. Assume that the OAuth 2.0 system returns the following data structure:
```json
{
  "id": 1,
  "name": "username",
  "mail": "example@email.com",
  "memberOf": {
    "department": [
      {
        "name": "deptA",
        "description": "this is a department"
      },
      {
        "name": "deptB",
        "description": "this is a department"
      }
    ],
    "extra": "some other info"
  }
}
```

You can use different expressions to obtain corresponding values from this data structure. The following table shows sample expressions and the corresponding values returned.

| Expression | Result |
|---|---|
| id | 1 |
| memberOf.department[0].name | deptA |
| memberOf.department[*].name | ["deptA", "deptB"] |

Log in to Web ODC with a third-party account. In the left-side navigation pane of the project collaboration window, choose Users > Automatic Authorization > Create Rule.
Specify the following parameters in the Create Rule panel.
| Parameter | Description |
|---|---|
| Rule Name | The name of the rule, which must be unique. |
| Status | Select Enabled or Disabled. By default, the status of the rule is Enabled. You can set it to Disabled as needed. A disabled rule cannot be accessed. |
| Trigger Event | Select a trigger event. Only built-in events are available. Different events correspond to different trigger occasions. |
| Matching Condition | (Optional) Click Add and specify the following four fields: Object, Expression, Operation, and Value. The fields are described below this table. |
| Actions | (Optional) Select Grant Role and/or Grant Project Roles and specify the role name and/or project role name. |
| Remarks | (Optional) The description of the rule. |

Matching Condition fields:
- Object: stores the trigger condition and the information required for executing the action. It can be a complex nested object such as an array, a list, or a map, or a simple object such as a string or a number.
- Expression: the index of the target in the object. Different types of objects use different indexing methods.
- Operation: the supported operation, such as "Contain", "Match", or "Equal".
- Value: the target value.

Note on Matching Condition
- If you do not specify the matching condition, the action is unconditionally executed when the selected event is triggered.
- If you select Match for the Operation field of the Matching Condition parameter, the value must be a regular expression.

Note on Actions
If you do not specify the action, no action is executed regardless of whether the matching condition is met.

After you specify the preceding information, click Create in the lower-right corner of the panel.
After the rule is created, you can view the rule in the rule list.
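
Before enabling a rule that grants system_admin, it helps to dry-run its matching condition against sample OAuth 2.0 data. The following is an added example, not ODC's own code: the function names, the constructed sample data, and the exact semantics assumed for Contain, Match, and Equal are assumptions made for illustration.

```python
import re

# Constructed sample: the OAuth 2.0 structure shown on this page.
USER_INFO = {
    "id": 1, "name": "username", "mail": "example@email.com",
    "memberOf": {
        "department": [
            {"name": "deptA", "description": "this is a department"},
            {"name": "deptB", "description": "this is a department"},
        ],
        "extra": "some other info",
    },
}
_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+|\*)\]")

def evaluate(obj, expression):
    """Resolve a dotted path with [n] or [*] indexing; None if the path is absent."""
    current, fanned_out = [obj], False
    for key, index in _TOKEN.findall(expression):
        if key:
            current = [c[key] for c in current if isinstance(c, dict) and key in c]
        elif index == "*":
            current = [item for c in current if isinstance(c, list) for item in c]
            fanned_out = True
        else:
            current = [c[int(index)] for c in current
                       if isinstance(c, list) and int(index) < len(c)]
    if fanned_out:
        return current
    return current[0] if current else None

def matches(actual, operation, value):
    """Assumed semantics for Contain / Match / Equal (not taken from ODC)."""
    if operation == "Equal":
        return actual == value
    if operation == "Contain":  # list membership, or substring for a string
        if isinstance(actual, list):
            return value in actual
        return isinstance(actual, str) and str(value) in actual
    if operation == "Match":    # whole-string regex match on each candidate
        candidates = actual if isinstance(actual, list) else [actual]
        return any(isinstance(c, str) and re.fullmatch(value, c) for c in candidates)
    raise ValueError(f"unsupported operation: {operation}")

def rule_applies(user_info, expression, operation, value):
    """True when the matching condition holds; a missing path never matches."""
    return matches(evaluate(user_info, expression), operation, value)
```

Under these assumptions, a Contain condition on memberOf.department[*].name with value deptB fires only for an exact department name, while a Match condition with a loose pattern such as deptB.* also fires for a department named deptB-contractors, so regular expressions that grant privileged roles should be as tight as possible.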

View automatic authorization rules
Go to the list of automatic authorization rules
The following table describes the columns in the list of automatic authorization rules.
| Column | Description |
|---|---|
| Rule Name | The name of the rule. |
| Created By | The name of the user who created the rule. You can click the search icon |
| Created At | The time when the rule was last edited. You can sort rules in ascending or descending order of creation time. |
| Enabling Status | The status of the rule. Valid values: Enabled and Disabled. You can click the filter icon |
| Operation | You can view, edit, and delete rules. |
View details of a rule
In the Operation column, click View. The Rule Information panel appears. The following information is displayed in the panel.
| Information | Description |
|---|---|
| Rule information | Displays the information you specified when you created the rule, such as Rule Name, Trigger Event, Matching Condition, Actions, Role, Grant Project Role, and Remarks. |
| Operation information | Displays information in fields such as Created By, Created At, and Updated At. |
Edit a rule
In the Operation column, click Edit. The Edit Rule panel appears.
The Edit Rule panel displays all the fields you specified when you created the rule. You can modify the fields as needed.
Delete a rule
In the Operation column, click Delete to delete an automatic authorization rule.