ApsaraDB for OceanBase:Automatic authorization

Background information

OceanBase Developer Center (ODC) allows system administrators to define automatic authorization rules. System administrators can create, modify, view, and disable automatic authorization rules.

The automatic authorization feature automatically grants roles or permissions to users whose names, departments, or logon methods meet specific conditions when they are being created or log on for the first time, to avoid redundant authorization operations.

Create an automatic authorization rule

Assume that you want to create an automatic authorization rule named Grant system_admin for deptB, which automatically grants the system_admin role to a user whose username in memberOf.department contains deptB.

1. After you integrate OAuth2 in ODC and authenticate to log on to ODC, assume that the OAuth 2.0 system returns the following data structure:

   {
     "id": 1,
     "name": "username",
     "mail": "example@email.com",
     "memberOf": {
       "department": [
         {
           "name": "deptA",
           "description": "this is a department"
         },
         {
           "name": "deptB",
           "description": "this is a department"
         }
       ],
       "extra": "some other info"
     }
   }

   You can use different expressions to obtain the corresponding values from this data structure. The following example shows the expressions that you can use and the corresponding values returned by these expressions.

   Expression	Result
   id	1
   memberOf.department[0].name	deptA
   memberOf.department[*].name	["deptA", "deptB"]

2. Log on to web ODC with a third-party account. In the left-side navigation pane on the project collaboration page, choose User Permissions > Authorization Rules > Create Rule.

3. Specify the following parameters in the Create Rule panel.

   Parameter	Description
   Rule Name	The name of the rule, which must be unique.
   Status	Select Enabled or Disabled. By default, the status of the rule is Enabled. You can set it to Disabled as needed. A disabled rule cannot be accessed.
   Trigger Event	Select a trigger event. Only built-in events are available. Different events correspond to different trigger occasions.
   Matching Condition (Optional)	Click Add Condition and specify the following four fields: Object: stores the trigger condition and the information required for executing the action. It can be a complex nested object such as an array, a list, or a map, or a simple object such as a string or a number. Expression: the index of the target in the object. Different types of objects use different indexing methods. Operation: the supported operation, such as "Contain", "Match", or "Equal". Value: the target value. Note If you do not specify the matching condition, the action is unconditionally executed when the selected event is triggered.
   Actions (Optional)	Select Grant Role and/or Grant Connection Access and specify the role name and/or public connection name. Note If you do not specify the action, no action is executed regardless of whether the matching condition is met.
   Remarks (Optional)	The description of the rule.

4. After you specify the preceding information, click Save in the lower-right corner of the panel to create the rule.

5. After the rule is created, you can view the rule in the rule list.

View automatic authorization rules

List of automatic authorization rules

The following table describes the parameters in the list of automatic authorization rules.

View a rule

In the Actions column, click View. The Rule Information panel appears. The following information is displayed in the panel.

Edit a rule

Click Edit in the Actions column for an automatic authorization rule. The Edit Rule panel appears.

The Edit Rule panel displays all the fields you specified when you created the rule. You can modify the fields as needed.

References