Automatic authorization

This document describes how to create and manage automatic authorization rules.

Background information

In OceanBase Developer Center (ODC), users with special permissions, such as system administrators, can define automatic authorization rules. This includes creating, modifying, viewing, and disabling these rules.

Automatic authorization is a feature that automatically grants specific roles or permissions to users who meet certain criteria. These criteria can be based on information such as the user's name, organization, or logon method. This feature helps eliminate repetitive authorization tasks when a new user is created or logs on for the first time.

This document provides an example of how to create an automatic authorization rule named `Grant system_admin for deptB`. This rule grants the `system_admin` role to a user if the `memberOf.department` attribute in their user information contains `deptB`.

Create an automatic authorization rule

  1. After you integrate OAuth2 with ODC and authenticate and log on to ODC, the OAuth2 authorization system returns a data structure. For example:

    {
      "id": 1,
      "name": "username",
      "mail": "example@email.com",
      "memberOf": {
        "department": [
          {
            "name": "deptA",
            "description": "this is a department"
          },
          {
            "name": "deptB",
            "description": "this is a department"
          }
        ],
        "extra": "some other info"
      }
    }

    You can use different expressions to retrieve values from this data. For example:

    Expression                      Result
    id                              1
    memberOf.department[0].name     deptA
    memberOf.department[*].name     ["deptA", "deptB"]

  2. After you log on to the web version of ODC through a third-party service, in the navigation pane on the left of the project collaboration window, click User Permissions > Authorization Rules > New Rule.

  3. In the New Rule panel, specify the following information to create the rule.

    Rule Name
      Specify a unique name for the rule.

    Status
      Select Enable or Disable for the authorization rule. The rule is Enabled by default. You can change the status to Disabled. Disabled rules are not applied.

    Triggering event
      Select a built-in system event. Each event corresponds to a different trigger time.

    Matching conditions (Optional)
      Click the Add Condition button and specify the following four fields to create a matching condition.

      • Object: The information required for the trigger condition and execution action. It can be a complex nested object, such as an array, list, or map, or a simple object, such as a string or number.

      • Expression: The index of the target in the object. The indexing method varies for different object types.

      • Operation: The supported operations are Contains, Matches, and Equals.

      • Value: The target value.

      Note
      • If you do not add matching conditions, the action is executed unconditionally when the event is triggered.
      • If you select Matches as the operation, the value must be a regular expression.

    Execution action (Optional)
      Select Grant Role or Grant Connection Access and configure the corresponding role name or public connection name.

      Note
      If you do not select an execution action, no action is performed.

    Description (Optional)
      Add a description for the rule. This field is not required.

  4. After you specify the information, click the Save button in the lower-right corner of the panel to create the rule.

  5. After the rule is created, you can view it in the list of automatic authorization rules.
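The example below is an added illustration, not ODC's own code: it re-implements the expression syntax from step 1 (`memberOf.department[*].name`) and the Contains, Matches and Equals operations from step 3 in Python, then evaluates the page's `Grant system_admin for deptB` rule against the sample user record. The path resolver, the substring semantics of Contains and the full-match semantics of Matches are assumptions made for this illustration.

```python
import re

# Constructed sample: the OAuth2 user record shown on the page.
USER_INFO = {
    "id": 1, "name": "username", "mail": "example@email.com",
    "memberOf": {
        "department": [
            {"name": "deptA", "description": "this is a department"},
            {"name": "deptB", "description": "this is a department"},
        ],
        "extra": "some other info",
    },
}

def resolve(obj, expression):
    """Resolve a dotted path against obj. `[N]` indexes a list, `[*]` fans out
    over every element (assumed semantics, not ODC's implementation)."""
    results = [obj]
    for token in re.findall(r"[^.\[\]]+|\[\*\]|\[\d+\]", expression):
        nxt = []
        for cur in results:
            if token == "[*]":
                nxt.extend(cur)
            elif token.startswith("["):
                nxt.append(cur[int(token[1:-1])])
            else:
                nxt.append(cur[token])
        results = nxt
    return results if "[*]" in expression else results[0]

def matches(value, operation, target):
    """Apply one condition. Equals: exact equality. Matches: the value must be a
    regular expression matching the whole string. Contains: substring/element
    test over the resolved value (assumed semantics)."""
    if operation == "Equals":
        return value == target
    if operation == "Matches":
        return re.fullmatch(target, str(value)) is not None
    if operation == "Contains":
        haystack = value if isinstance(value, list) else [value]
        return any(str(target) in str(v) for v in haystack)
    raise ValueError(f"unsupported operation: {operation}")

def evaluate_rule(user_info, conditions):
    """All conditions must hold; with no conditions the action fires unconditionally."""
    return all(matches(resolve(user_info, e), op, v) for e, op, v in conditions)

# The rule from this page: grant system_admin when a department is named deptB.
GRANT_SYSTEM_ADMIN_FOR_DEPTB = [("memberOf.department[*].name", "Contains", "deptB")]
```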

View automatic authorization rules

[Figure: Automatic authorization rule list]

As shown in the figure above, the list of automatic authorization rules displays the following information.

Rule Name
  The name of the rule.

Creator
  The user who created the rule. Click the search icon to search for and filter creators.

Status
  The current status of the rule: Enabled or Disabled. Click the filter icon to filter by status.

Creation Time
  Displays the time of the most recent Edit operation on the rule. You can sort the creation time in ascending or descending order.

Enabled Status
  A switch to enable or disable the rule.

Actions
  The actions you can perform on the rule: View, Edit, and Delete.

View a rule

In the Actions column of the list, click the View button to open the Rule Information panel. This panel displays the following information.

Rule Information
  Displays the information that you specified when you created the rule, such as Rule Name, Triggering Event, Matching Conditions, Execution Action, Role, and Description.

Operation Information
  Displays information such as Creator, Creation Time, and Update Time.

Edit a rule

In the Actions column of the list, click the Edit button to open the Edit Rule panel.

The Edit Rule panel displays the information that you specified when you created the rule, which you can modify as needed.