All Products
Search

This Product

    :Automatic authorization rules

    Document Center

    :Automatic authorization rules

    Last Updated:Apr 11, 2023

    Background

    OceanBase Developer Center (ODC) allows system administrators to define automatic authorization rules. System administrators can create, modify, view, and disable automatic authorization rules in the public resource console.

    The automatic authorization feature automatically grants roles or permissions to users whose names, departments, or logon methods meet specific conditions when they are being created or log on for the first time, to avoid redundant authorization operations.

    This topic describes how to create and manage automatic authorization rules in the public resource console.

    1

    Create an automatic authorization rule

    Procedure

    2

    1. In the upper-right corner of the Automatic Authorization Rules page, click Create Rule. The Create Rule panel appears.

    2. Specify the following parameters in the Create Rule panel.

      Parameter

      Description

      Rule Name

      The name of the rule, which must be unique.

      Status

      Select Enabled or Disabled.

      By default, the status of the rule is Enabled. You can set it to Disabled as needed. A disabled rule cannot be accessed.

      Trigger Event

      Select a trigger event. Only built-in events are available. Different events correspond to different trigger occasions.

      Matching Condition (Optional)

      Click Add Condition and specify the following four fields:

      • Object: stores the trigger condition and the information required for executing the action. It can be a complex nested object such as an array, a list, or a map, or a simple object such as a string or a number.

      • Expression: the index of the target in the object. Different types of objects use different indexing methods.

      • Operation: the supported operation, for example, "Contain", "Match", or "Equal".

      • Value: the target value.

      Note

      If you do not specify the matching condition, the action is unconditionally executed when the selected event is triggered.

      Actions (Optional)

      Select Grant Role and/or Grant Connection Access and specify the role name and/or public connection name.

      Note

      If you do not specify the action, no action is executed regardless of whether the matching condition is met.

      Remarks (Optional)

      The description of the rule.

    3. After you specify the preceding parameters, click Create in the lower-right corner of the panel.

    Example

    After you integrate ODC in OAuth 2.0 and log on to ODC, assume that the OAuth 2.0 system returns the following data structure:

    {
  "id": 1,
  "name": "username",
  "mail": "example@email.com",
  "memberOf": {
    "department": [
      {
        "name": "deptA",
        "description": "this is a department"
      },
      {
        "name": "deptB",
        "description": "this is a department"
      }
    ],
    "extra": "some other info"
  }
}

    You can use different expressions to obtain corresponding values from the data structure. Example:

    Expression

    Result

    id

    1

    memberOf.department[0].name

    deptA

    memberOf.department[*].name

    ["deptA", "deptB"]

    The administrator can configure an automatic authorization rule for a user when the user logs on to ODC from OAuth 2.0 for the first time. The example in the following figure shows how to create an authorization rule named Grant system_admin for deptB. If memberOf.department contains any element named deptB, the user is granted the system_admin role.

    3

    Manage automatic authorization rules

    4

    On the Automatic Authorization Rules page, information is displayed in a list, and you can perform the following operations:

    • Click the refresh icon to manually refresh the list.

    • Search for rules by using the search box in the upper-right corner of the list.

    • Adjust the column width of the rule list.

    Rule list

    The information of rules is provided by columns, which are described in the following table. A filter is provided in the Status column for you to filter rules by status.

    Parameter

    Description

    Rule Name

    The name of the rule.

    Created By

    The name of the user who created the rule.

    You can click the search icon Search to search for rules created by a specific user.

    Status

    The current status of the rule. Valid values: Enabled and Disabled.

    You can click the filter icon Filter to filter rules by status.

    Created At

    The last time when the rule was edited.

    You can sort rules in ascending or descending order of creation time.

    Actions

    The actions you can take. Valid values: ViewEditDisable/Enable, and Delete.

    View a rule

    Click View in the Actions column of a rule to go to the Rule Information panel. The following information is displayed in the panel.

    Information

    Description

    Rule information

    Displays the information you specified when you created the rule, such as Rule NameTrigger EventMatching ConditionActionsRole, and Remarks.

    Operation information

    Displays fields such as Created By and Created At.

    Edit a rule

    Click Edit in the Actions column of a rule to go to the Edit Rule panel.

    The Edit Rule panel displays all the fields you specified when you created the rule. You can modify the fields as needed.