This topic introduces the concepts of approval nodes, approval processes, and security rules.
Approval nodes
- System nodes
  Data Management (DMS) provides the following dynamic nodes, which cannot be edited or deleted.
  - Admin: the DMS administrator. If the system has multiple DMS administrators, a ticket can be approved by any one of them.
  - DBA: the database administrator of an instance. By default, this is the administrator or DBA who registers the instance; it can also be assigned to another DBA role in the system. A ticket can be approved by the DBA of the managed resource.
  - DBA Roles: A ticket can be approved by DBAs in DMS, including the DBAs of resources.
  - Owner: a data owner of a database. The data owner of a database or table can be configured by the DBA when the DBA registers an instance and collects the data dictionary. In addition, the admin can configure a user as the data owner. A user can also request to become the data owner of a database or table.
- Custom nodes
  You can customize nodes and their approvers.
  Note: DMS also supports custom nodes, which can be edited and deleted as needed.
Approval templates
You can customize the approval processes in approval templates.
- System templates
  DMS provides the following templates, which cannot be edited or deleted.
  - Admin: A ticket can be approved only by an administrator.
  - DBA: A ticket can be approved only by a DBA.
  - Owner: A ticket can be approved only by a data owner.
  - Owner->DBA: A ticket needs to be approved by a data owner and a DBA in turn.
  - Owner->DBA->Admin: A ticket needs to be approved by a data owner, a DBA, and an administrator in turn.
- Custom processes
  You can combine system nodes and custom nodes to form an approval process.
  Note: DMS also supports custom templates, which can be edited and deleted as needed.
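The in-turn approval described above, modeled as an added example (this is not DMS code or a DMS API). The class names, the user names, and the `SecurityReview` custom node are assumptions made for illustration.

```python
# Conceptual model of a DMS-style approval process; not DMS code or a DMS API.
# System templates from the page, as ordered lists of approval nodes.
SYSTEM_TEMPLATES = {
    "Admin": ["Admin"],
    "DBA": ["DBA"],
    "Owner": ["Owner"],
    "Owner->DBA": ["Owner", "DBA"],
    "Owner->DBA->Admin": ["Owner", "DBA", "Admin"],
}

class ApprovalError(Exception):
    """Raised when an approval step is not permitted in this model."""

class Ticket:
    def __init__(self, chain, approvers):
        self.chain = list(chain)    # node names, in approval order
        self.approvers = approvers  # node -> set of users resolved for the resource
        self.history = []           # (node, user) for each completed step
        # Modelling choice: refuse a chain containing a node nobody can approve
        # (for example, an Owner node on a database that has no data owner).
        missing = [n for n in self.chain if not approvers.get(n)]
        if missing:
            raise ApprovalError(f"no approver resolved for: {missing}")

    @property
    def pending(self):
        """Node whose approval is required next, or None when finished."""
        done = len(self.history)
        return self.chain[done] if done < len(self.chain) else None

    def approve(self, user):
        """Record one approval; return True once the whole chain is approved."""
        node = self.pending
        if node is None:
            raise ApprovalError("ticket is already fully approved")
        if user not in self.approvers[node]:
            raise ApprovalError(f"{user} cannot approve at node {node}")
        self.history.append((node, user))
        return self.pending is None

if __name__ == "__main__":
    # Constructed sample data: users and the custom node are hypothetical.
    who = {"Owner": {"olivia"}, "DBA": {"dan"}, "Admin": {"amy", "raj"},
           "SecurityReview": {"sam"}}
    t = Ticket(SYSTEM_TEMPLATES["Owner->DBA->Admin"], who)
    for user in ("olivia", "dan", "raj"):   # any one admin is enough
        print(t.pending, "<-", user, "done" if t.approve(user) else "")
    custom = Ticket(["Owner", "SecurityReview"], who)  # system + custom node
    print(custom.pending)
```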
Security rules
SQL console
- Specifies whether you can run data manipulation language (DML) statements. You can set a threshold for the number of rows. If the threshold is exceeded, DML statements cannot be run.
- Specifies whether you can run data definition language (DDL) statements. You can set a threshold for the size of a table. If the threshold is exceeded, DDL statements cannot be run.
- Specifies whether you can perform high-risk DDL operations, such as deleting tables and deleting fields.
- Specifies whether you can run other SQL statements.
Data changes
- Specifies whether you can run DML statements. You can set a threshold for the number of affected rows. If the threshold is exceeded, DML statements cannot be run.
- Specifies whether you can run DDL statements. You can set a threshold for the size of a table. If the threshold is exceeded, DDL statements cannot be run.
- Specifies whether you can perform high-risk DDL operations, such as deleting tables and deleting fields.
- Specifies whether you can run other SQL statements.
If you select Enable for the preceding rules, you must select an approval process and approval process flow based on your business needs.
Data export
Specifies whether approval is required for data export tickets.
Permission application
- Permissions on databases, tables, or columns
  You can configure an approval process flow to control the approval process.
  - Permissions on databases or tables
  - Permissions on sensitive columns
  - Permissions on confidential columns
- Data owner
  You can configure an approval process flow to control the approval process.
  - Approval process when a data owner already exists
  - Approval process when no data owner exists
- Sensitivity level
  You can configure an approval process flow to control the approval process.
  - Lower the security level from confidential to sensitive.
  - Lower the security level from confidential to internal.
  - Lower the security level from sensitive to internal.