Data Management Service (DMS) allows you to configure instance-level security rules to customize different approval processes for different database instances and database operations. However, instance-level security rules may have the following restrictions in actual business environments:
- A database instance has only one database administrator (DBA), but an approval process may need multiple DBA roles to participate at the same time. This avoids delays in ticket processing when a single approver cannot respond in time.
- If multiple business parties share the same database instance, each business party may need to approve the tickets for its own business operations in an approval process.
This topic describes the procedure for customizing an approval process by getting multiple DBA roles involved in an approval process. You can follow this procedure to customize an approval process in other scenarios.
1. Log on to the DMS console as the DMS administrator or DBA.
2. In the top navigation bar, choose System Management > Security > Approval Processes.
3. Create an approval node.
   - On the Approval Processes page, click the Approval Node tab on the left and click Create Approval Node in the upper-left corner of the tab.
   - Set parameters in the dialog box that appears to configure the approval node.
     - Node Name: the name of the approval node. The name must be globally unique.
     - Remarks: the description of the approval node, which helps distinguish the node from the others.
     - Approver: the approvers on the current node. Select the cloud accounts of relevant approvers. You can enter a keyword to select an account from the auto-completion list.
   - In this example, three approvers are selected.
4. Create an approval template.
   - Click the Approval Template tab on the left and click Create Approval Template in the upper-left corner of the tab.
   - Set parameters in the dialog box that appears to configure the approval template.
     - Template Name: the name of the approval template. The name must be globally unique.
     - Remarks: the description of the approval template, which helps distinguish the template from the others.
     - Approval Node: Click Add Node and select the required approval nodes. In this example, the system node Owner and the node created in the previous step are selected so that multiple DBA roles can participate in the approval process.
   - The approval nodes are processed in ascending order of their Approval Order values.
   - After the approval template is created, you can view the ID of the approval template.
5. Apply the new approval process.
   This example describes how to edit the security rule Medium risk approval process, which is used for the data change approval process. You can follow this procedure to apply an approval process in other scenarios.
   - In the top navigation bar, choose System Management > Security > Security Rules.
   - On the Security Rules page, find the target security rule set and click Edit in the Actions column.
   - Click the SQL Correct tab on the left.
   - On the SQL Correct tab, set Checkpoints to Risk Approval Rules.
   - Find Medium risk approval process and click Edit in the Actions column.
   - In the dialog box that appears, change the template ID in the Rule DSL section.
   - Click Submit.
After that, if a submitted data change ticket matches the corresponding rules, multiple DBA roles can receive ticket approval notifications and participate in the approval process at the same time.
- We recommend that you bind a DingTalk account to each cloud account that uses DMS. In this way, approvers can receive ticket approval notifications in real time and approve tickets.
- Avoid assigning only one approver to an approval node. We recommend that you assign at least two approvers to each approval node and assign at least two data owners for a database.
- Currently, you can assign a maximum of three data owners to a database. If multiple business parties share the same database instance, you can enable all business parties to participate in an approval process by following the preceding procedure: create an owner node by adding the cloud accounts of the data owners of the business parties, and then add the new node to an approval template instead of the built-in approval node Owner.
- If you have more questions about approval processes, join the DingTalk group (ID: 21991247) to contact the DMS team.