You can customize approval processes for MaxCompute tables, resources, and functions.

Background information

You can specify the data range to which an approval process applies based on a MaxCompute project or data classification in Data Security Guard. For more information, see the Specify the data range section.

Usage notes

Only workspace administrators and the RAM users with the AliyunDataWorksFullAccess permission can create and manage approval policies.

Create an approval policy

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. After you select the region in which the workspace that you want to manage resides, find the workspace and click Data Analytics in the Actions column.
  4. On the DataStudio page, click the icon in the upper-left corner and choose All Products > Data governance > Approval Center.
  5. In the left-side navigation pane of the page that appears, choose Policies > Compute Engine.
    On the page that appears, you can view a list of created approval policies and edit and delete approval policies.
  6. Click Create Policy in the upper-right corner. Complete the Create Policy wizard.

Enter the basic information

In the Configure Basic Information section, set the Policy Name and Purpose parameters based on the actual scenario to which the approval policy applies.

Specify the data range

You must specify the data range to which this approval policy applies based on the actual scenario. After this approval policy is created, the applications for the permissions on the data in this data range must be processed based on this approval policy.

If a MaxCompute compute engine is used, you can specify the data range of an approval policy in a workspace by a MaxCompute project or data classification in Data Security Guard.

In the Configure Effective Scope for Policy section, take note of the following items when you specify the data range:
  • Specify the data range based on a MaxCompute project
    • You must select an appropriate MaxCompute project from the MaxCompute Project drop-down list. This way, when applications are submitted to apply for the permissions on the tables in this MaxCompute project, this approval policy is used to process the applications.
    • A MaxCompute project can be associated with only one MaxCompute project-based approval policy. Otherwise, a policy conflict error is reported.
    • You can select a MaxCompute project in which the current account assumes the administrator or super administrator role. If no MaxCompute project is displayed in the drop-down list, the current account may not have the required permissions. In this case, you must use an account that is assigned the Admin or Super_Administrator role.
      Note: A DataWorks administrator is assigned the role_project_admin role in DataWorks workspaces, but not the Admin or Super_Administrator role in MaxCompute projects.

      To check the role of the current account, run the whoami command on the DataStudio page in DataWorks to obtain the account information. Then, run the show grants for <your current account> command to check whether the current account is assigned the Admin or Super_Administrator role in a MaxCompute project.

  • Specify the data range based on data classification in Data Security Guard
    • You must select a data security level from the Select Data Security Level drop-down list. This way, when applications are submitted to apply for the permissions on the tables at this data security level, this approval policy is used to process the applications.
    • A data security level can be associated with only one data classification-based approval policy. Otherwise, a policy conflict error is reported.
    • You can specify the data range by using an Alibaba Cloud account or as a RAM user. If you specify the data range as a RAM user, the following conditions must be met:
      • The AdministratorAccess policy is attached to the RAM user.
      • The RAM user is granted the AliyunDataWorksFullAccess permission and assigned the project owner or super administrator role of all MaxCompute projects.

Configure the notification methods

Three notification methods are supported: text messages, emails, and DingTalk chatbots. You select them in the Configure Notification Method section. After you configure the notification methods, notifications are sent to approvers based on the configured notification methods when a permission application is submitted for approval.
Note: In the Configure Processing Links step, you can specify approvers on each approval node.
  • To ensure that the approvers can receive approval notifications by using text messages or emails, you must add the approvers as alert contacts of DataWorks.
  • To ensure that the approvers can receive notifications by using a DingTalk chatbot, select Custom Keywords when you set the Security Settings parameter in the Add Robot dialog box. Then, enter DataWorks in the Custom Keywords field. Make sure that the other check boxes are cleared when you set the Security Settings parameter.

    If you do not add DataWorks as a custom keyword or you select other check boxes when you set the Security Settings parameter, the approvers cannot receive notifications by using the DingTalk chatbot.
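The following check confirms that a DingTalk robot is set up the way the requirement above describes: it posts an unsigned text message that contains only the DataWorks keyword and reports whether the robot accepted it. It is an added example, not DataWorks or DingTalk code; the environment variable name DINGTALK_WEBHOOK is hypothetical and must hold the webhook URL shown when the robot is added.

```python
import json
import os
import urllib.request

KEYWORD = "DataWorks"  # custom keyword the page requires on the robot


def build_test_message(note="approval notification channel test"):
    """Text message whose content contains KEYWORD, as a keyword-only robot needs."""
    return {"msgtype": "text", "text": {"content": f"[{KEYWORD}] {note}"}}


def passes_keyword_rule(payload, keyword=KEYWORD):
    """Local pre-check: a keyword-protected robot rejects text without the keyword."""
    return keyword in payload.get("text", {}).get("content", "")


def interpret(response_body):
    """Map the robot's JSON reply to (delivered, reason)."""
    reply = json.loads(response_body)
    if reply.get("errcode") == 0:
        return True, "robot accepted an unsigned, keyword-only message"
    return False, ("rejected (errcode %s: %s); check that Custom Keywords is "
                   "the only Security Settings option and contains %s"
                   % (reply.get("errcode"), reply.get("errmsg"), KEYWORD))


def send(webhook_url, payload, timeout=10):
    """POST the message to the robot webhook and return the raw reply."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    msg = build_test_message()
    url = os.environ.get("DINGTALK_WEBHOOK")  # hypothetical variable name
    if url and passes_keyword_rule(msg):
        print(interpret(send(url, msg)))
    else:
        print("DINGTALK_WEBHOOK not set; built payload only:", json.dumps(msg))
```

A rejection here, with the keyword present in the message, points to another Security Settings check box still being selected on the robot.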

Configure the approval nodes

In the Configure Processing Links section, take note of the following items when you configure the approval nodes:
  • The approval nodes are sequentially connected. After you configure the approval policy, the approval process specified in the approval policy sequentially flows from node to node. After an approver on an approval node gives approval, the approvers on the next approval node receive a notification and then start approval.
  • You can specify different roles as approvers on different approval nodes. The following roles are supported: DataWorks workspace roles, DataWorks workspace member, table owner, Alibaba Cloud account, and MaxCompute roles.
    Note:
    • When an application is submitted for approval, DataWorks sends notifications to the approvers on the approval nodes based on the notification methods configured in the preceding step. You must add the approvers as alert contacts of DataWorks.
    • If multiple users that assume the same role are specified as approvers on an approval node, notifications are sent to all the approvers. In this case, if one of the approvers on an approval node gives approval, the application is forwarded to the next approval node.

Set priorities for approval policies

If both MaxCompute project-based and data classification-based approval policies are configured, a specific data range may hit both types of approval policies. In this case, you can set priorities for the two types of approval policies.