DataWorks Approval Center is a functional module that is used to manage approval processes for data permissions and sensitive behavior. You can define approval scopes and processes in Approval Center to meet different approval requirements in different scenarios.

Features

When you develop and manage data in DataWorks, you can manage permissions on table data and data service APIs with ease. You can use the default approval process provided by Security Center or customize an approval process in Approval Center to manage permissions.

When a permission application is submitted after custom approval processes are configured, DataWorks automatically checks whether the permissions to be applied for hit a custom approval process. If a custom approval process is hit, DataWorks forwards the application based on the custom approval process.

You can perform the following operations in DataWorks Approval Center:
  • Define an approval policy: You can specify the scope of approval objects and define an approval process to customize a process of managing key data sources and sensitive behavior. In addition, you can configure notification methods such as text messages, emails, or DingTalk chatbots.
  • Process permission applications: You can process permission applications that you submit and process permission applications as an approver in approval processes in Approval Center.
For more information about custom approval policies, see Approval policies for MaxCompute data and Approval policies for data services.

After a custom approval policy is configured, you can process the applications for table permissions or data service permissions based on the approval policy. For more information, see Applications for table field permissions and approval processes and Applications for data service permissions and approval processes.

Applications for table field permissions and approval processes

After approval policies for MaxCompute data are configured in Approval Center, a user submits an application for the permissions on a specific table field in Security Center. Then, the application is processed based on the flowchart shown in the following figure. Apply for permissions on a specific table field
  • When a user applies for the permissions on a specific field in a MaxCompute table, DataWorks identifies the type of approval process to be used based on the field.
    • If the field belongs to the data range specified in a custom approval policy, the custom approval process of the approval policy is hit. Then, DataWorks processes the permission application based on the custom approval process configured in Approval Center.
    • If the field does not belong to the data range specified in a custom approval policy, DataWorks processes the permission application based on the default approval process provided by Security Center.
  • If a custom approval process is used to process the permission application, DataWorks determines the type of approval policy to be used based on the priorities of approval policies configured in Approval Center.

    When you configure a custom approval policy, you can specify the data range to which the approval policy applies based on a MaxCompute project or data classification in Data Security Guard. You can configure information such as approvers and notification methods. You can also set priorities for MaxCompute project-based and data classification-based approval policies as needed. For more information, see Approval policies for MaxCompute data.

Applications for data service permissions and approval processes

After approval policies for data services are configured, a custom approval process can be triggered if a data service operation is performed. Data service operations include publishing APIs, managing functions, and using service orchestration.

When an application is submitted for data service permissions in Security Center, the application is processed based on the flowchart shown in the following figure. Flowchart for processing applications for data service permissions
  • An application is submitted for permissions on data service operations such as publishing APIs, managing functions, or using service orchestration. Then, DataService Studio determines whether a custom approval process is used to process the permission application based on whether a custom approval policy is configured in the current workspace.
    • If the custom approval process of a custom approval policy configured in Approval Center is hit, the permission application is processed based on the custom approval process.
    • If no custom approval process is hit, you can perform data service operations without the need to apply for permissions.
  • If a custom approval process is used, DataWorks forwards the permission application based on the approval policy configured in Approval Center.

    When you configure a custom approval policy, you can specify the data range to which the approval policy applies based on a workspace. In addition, you can configure information such as approvers and notification methods. For more information, see Approval policies for data services.