A privilege details what is secured by that privilege. When creating a privilege, you can secure either an entire module or secure based on URL patterns.
A URL pattern is part of the full URL for a web service or group of web services. If you have a module called ‘ev’ then you can secure all services in that module using the URL pattern ‘/ev/*’.
- Allow services in the twillio module to be completely open (i.e. no authentication)
- Protect the 'utils' and 'ev' modules
- Allow the OAuth client ‘ADMIN_CLIENT’ access to any services in the 'utils' and 'ev' modules
- Allow the OAuth client ‘EV_CLIENT’ access to services in the 'ev' module
Note: Prior to creating any privileges, all of your ORDS web services will be publicly accessible.
Based on the above, we will need to create two roles ‘ADMIN_ROLE’ and ‘EV_USER_ROLE’.
Privilege 1 - EV_DATA_ACCESS
While creating this privilege, we will at the same time, link the privilege to both the 'EV_USER_ROLE' and the 'ADMIN_ROLE' roles. An OAuth client associated with either of these roles will be able to call the charge points web service:
This is what the privilege looks like from SQL Developer:
While creating this privilege, we will only link the privilege to the 'ADMIN_ROLE' role. Only OAuth clients associated with this role will be able to call the 'dbinfo' web service:
OAuth Client 1 - EV_CLIENT
This script creates the OAuth client EV_CLIENT using the grant type ‘client_credentials’. It then grants the newly created client access to the EV_USER_ROLE. At this point the EV_CLIENT can call web services in the ‘ev’ module.
This script creates the OAuth client ADMIN_CLIENT using the grant type ‘client_credentials’. It then grants the newly created client access to both the EV_USER_ROLE and the ADMIN_ROLE. At this point the ADMIN_CLIENT can call web services in the ‘ev’ and ‘utils’ modules.
Click here for more on OAuth security in ORDS.
Jon Dixon (Co-Founder JMJ Cloud)