This topic introduces how to create and manage automatic authorization rules.
Background information
OceanBase Developer Center (ODC) allows system administrators to define automatic authorization rules. System administrators can create, modify, view, and disable automatic authorization rules.
The automatic authorization feature automatically grants roles or permissions to users whose names, departments, or logon methods meet specific conditions when they are being created or log on for the first time, to avoid redundant authorization operations.
Create an automatic authorization rule
Assume that you want to create an automatic authorization rule named Grant system_admin for deptB, which automatically grants the system_admin role to a user whose memberOf.department list contains a department named deptB.
After you integrate OAuth 2.0 with ODC and log on to ODC through it, assume that the OAuth 2.0 system returns the following data structure:

```json
{
  "id": 1,
  "name": "username",
  "mail": "example@email.com",
  "memberOf": {
    "department": [
      { "name": "deptA", "description": "this is a department" },
      { "name": "deptB", "description": "this is a department" }
    ],
    "extra": "some other info"
  }
}
```

You can use different expressions to obtain the corresponding values from this data structure. The following table shows the expressions that you can use and the corresponding values returned by these expressions.

| Expression | Result |
|---|---|
| id | 1 |
| memberOf.department[0].name | deptA |
| memberOf.department[*].name | ["deptA", "deptB"] |

Log on to web ODC with a third-party account. In the left-side navigation pane on the project collaboration page, choose User Permissions > Authorization Rules > Create Rule.
Specify the following parameters in the Create Rule panel.
| Parameter | Description |
|---|---|
| Rule Name | The name of the rule, which must be unique. |
| Status | Select Enabled or Disabled. By default, the status of the rule is Enabled. You can set it to Disabled as needed. A disabled rule cannot be accessed. |
| Trigger Event | Select a trigger event. Only built-in events are available. Different events correspond to different trigger occasions. |
| Matching Condition (Optional) | Click Add Condition and specify the following four fields. Object: stores the trigger condition and the information required for executing the action; it can be a complex nested object such as an array, a list, or a map, or a simple object such as a string or a number. Expression: the index of the target in the object; different types of objects use different indexing methods. Operation: the supported operation, such as "Contain", "Match", or "Equal". Value: the target value. Note: If you do not specify the matching condition, the action is unconditionally executed when the selected event is triggered. |
| Actions (Optional) | Select Grant Role and/or Grant Connection Access and specify the role name and/or public connection name. Note: If you do not specify the action, no action is executed regardless of whether the matching condition is met. |
| Remarks (Optional) | The description of the rule. |

After you specify the preceding information, click Save in the lower-right corner of the panel to create the rule.
After the rule is created, you can view the rule in the rule list.
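The following added example (not ODC's own code) shows how the expressions in the table above resolve against the returned OAuth 2.0 data structure, and how a rule built from the Create Rule parameters (Status, Trigger Event, Matching Condition, Actions) is evaluated for the Grant system_admin for deptB case. The sample user document is constructed to mirror the structure shown above. The event name `FirstLogin`, the substring/membership semantics of "Contain", the regular-expression semantics of "Match", and the rule that all conditions of a rule must hold (AND) are assumptions of this example; the page does not specify them.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample of the attribute document the OAuth 2.0 provider returns
# (same shape as the structure shown in the text).
SAMPLE_USER: Dict[str, Any] = {
    "id": 1,
    "name": "username",
    "mail": "example@email.com",
    "memberOf": {
        "department": [
            {"name": "deptA", "description": "this is a department"},
            {"name": "deptB", "description": "this is a department"},
        ],
        "extra": "some other info",
    },
}

# One path segment is either a bare key or an index: [3] or [*].
_SEGMENT = re.compile(r"([^.\[\]]+)|\[(\*|\d+)\]")


def evaluate(expression: str, obj: Any) -> Any:
    """Resolve an expression such as memberOf.department[*].name against obj.

    [*] fans out over a list, so the result is a list; any other expression
    yields the single value it points at, or None if the path is missing.
    """
    candidates: List[Any] = [obj]
    for key, index in _SEGMENT.findall(expression):
        nxt: List[Any] = []
        for item in candidates:
            if key:
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
            elif index == "*":
                if isinstance(item, list):
                    nxt.extend(item)
            elif isinstance(item, list) and int(index) < len(item):
                nxt.append(item[int(index)])
        candidates = nxt
    if "[*]" in expression:
        return candidates
    return candidates[0] if candidates else None


def _contain(actual: Any, value: Any) -> bool:
    # Assumed semantics: element membership for lists, substring for strings.
    if isinstance(actual, list):
        return value in actual
    return isinstance(actual, str) and isinstance(value, str) and value in actual


def _match(actual: Any, value: Any) -> bool:
    # Assumed semantics: value is a regular expression that must fully match.
    items = actual if isinstance(actual, list) else [actual]
    return any(re.fullmatch(str(value), str(a)) is not None for a in items)


OPERATIONS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equal": lambda actual, value: actual == value,
    "Contain": _contain,
    "Match": _match,
}


@dataclass
class Condition:
    expression: str  # path into the object, e.g. memberOf.department[*].name
    operation: str   # "Equal", "Contain" or "Match"
    value: Any       # target value


@dataclass
class Rule:
    name: str
    trigger_event: str
    enabled: bool = True
    conditions: List[Condition] = field(default_factory=list)
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (action, target)


def grants_for(rules: List[Rule], event: str, user: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return the (action, target) pairs that fire for `event` on `user`.

    Disabled rules are skipped; a rule with no conditions fires unconditionally;
    a rule with no actions grants nothing even when its conditions hold.
    """
    granted: List[Tuple[str, str]] = []
    for rule in rules:
        if not rule.enabled or rule.trigger_event != event:
            continue
        if all(OPERATIONS[c.operation](evaluate(c.expression, user), c.value)
               for c in rule.conditions):
            granted.extend(rule.actions)
    return granted


# "FirstLogin" is a hypothetical event name; the page only says events are built in.
EXAMPLE_RULES = [
    Rule(name="Grant system_admin for deptB", trigger_event="FirstLogin",
         conditions=[Condition("memberOf.department[*].name", "Contain", "deptB")],
         actions=[("Grant Role", "system_admin")]),
    Rule(name="Disabled rule", trigger_event="FirstLogin", enabled=False,
         actions=[("Grant Role", "system_admin")]),            # skipped: disabled
    Rule(name="No-op rule", trigger_event="FirstLogin",
         conditions=[Condition("id", "Equal", 1)]),             # matches, grants nothing
]

if __name__ == "__main__":
    print(evaluate("memberOf.department[*].name", SAMPLE_USER))
    print(grants_for(EXAMPLE_RULES, "FirstLogin", SAMPLE_USER))
```

Running the block prints the department names and the single grant produced by the first rule; the disabled rule and the rule without actions contribute nothing, which is the behaviour the Status and Actions notes above describe.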
View automatic authorization rules
List of automatic authorization rules
The following table describes the parameters in the list of automatic authorization rules.
| Information | Description |
|---|---|
| Rule Name | The name of the rule. |
| Created By | The name of the user who created the rule. You can click the search icon to search for rules created by a specific user. |
| Status | The status of the rule. Valid values: Enabled and Disabled. You can click the filter icon to filter rules by status. |
| Created At | The time when the rule was last edited. You can sort rules in ascending or descending order of creation time. |
| Status | The status of the rule. You can enable or disable a rule. |
| Actions | You can view, edit, and delete rules. |
View a rule
In the Actions column, click View. The Rule Information panel appears. The following information is displayed in the panel.
| Information | Description |
|---|---|
| Rule information | Displays the information you specified when you created the rule, such as Rule Name, Trigger Event, Matching Condition, Actions, Role, and Remarks. |
| Operation information | Displays information in fields such as Created By, Created At, and Updated At. |
Edit a rule
Click Edit in the Actions column for an automatic authorization rule. The Edit Rule panel appears.
The Edit Rule panel displays all the fields you specified when you created the rule. You can modify the fields as needed.