This topic introduces the concept of approval nodes, approval processes, and security rules.

Approval nodes

  • System nodes

    Data Management (DMS) provides the following dynamic nodes, which cannot be edited or deleted.

    • Admin: the DMS administrator. If the system has multiple DMS administrators, a ticket can be approved by any one of them.
    • DBA: the database administrator of an instance. By default, this is the administrator or DBA who registers the instance; it can also be assigned to another user with the DBA role in the system. A ticket can be approved by the DBA of the managed resource.
    • DBA Roles: A ticket can be approved by DBAs in DMS, including the DBAs of resources.
    • Owner: a data owner of a database. The data owner of a database or table can be configured by the DBA when the DBA registers an instance and collects the data dictionary. In addition, the admin can configure a user as the data owner. A user can also request to become the data owner of a database or table.
  • Custom nodes
    Note: DMS also supports custom nodes, which can be edited and deleted as needed.

    You can customize nodes and their approvers.

Approval templates

You can customize the approval processes in approval templates.

  • System templates

    DMS provides the following templates, which cannot be edited or deleted.

    • Admin: A ticket can be approved only by an administrator.
    • DBA: A ticket can be approved only by a DBA.
    • Owner: A ticket can be approved only by a data owner.
    • Owner->DBA: A ticket needs to be approved by a data owner and a DBA in turn.
    • Owner->DBA->Admin: A ticket needs to be approved by a data owner, a DBA, and an administrator in turn.
  • Custom processes
    Note: DMS also supports custom templates, which can be edited and deleted as needed.

    You can combine system nodes and custom nodes to form an approval process.
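
The in-turn approval described by templates such as Owner->DBA->Admin can be modeled as follows. This is an added example, not DMS code or its API: the Ticket class, parse_template function, and user names are hypothetical, and only the node names come from this page.

```python
from dataclasses import dataclass, field

# Constructed directory: the users behind each node for one database.
# Node names follow the page; the user names are made up for this example.
APPROVERS = {
    "Owner": {"olivia"},
    "DBA": {"dan"},
    "Admin": {"alice", "adam"},  # several admins: any one of them may approve
}

def parse_template(template):
    """Split a template name such as 'Owner->DBA->Admin' into ordered nodes."""
    nodes = [n.strip() for n in template.split("->")]
    unknown = [n for n in nodes if n not in APPROVERS]
    if unknown:
        raise ValueError(f"unknown approval node(s): {unknown}")
    return nodes

@dataclass
class Ticket:
    template: str
    trail: list = field(default_factory=list)  # (node, user) audit trail

    def __post_init__(self):
        self.nodes = parse_template(self.template)

    @property
    def pending(self):
        """Node whose approval is required next, or None when finished."""
        done = len(self.trail)
        return self.nodes[done] if done < len(self.nodes) else None

    def approve(self, user):
        node = self.pending
        if node is None:
            raise PermissionError("ticket is already fully approved")
        # Only a member of the current node may act; later nodes must wait.
        if user not in APPROVERS[node]:
            raise PermissionError(f"{user} is not an approver for node {node}")
        self.trail.append((node, user))
        return self.pending is None  # True once every node has approved

def run_demo():
    t = Ticket("Owner->DBA->Admin")
    try:
        t.approve("alice")  # an Admin tries to act before the Owner
        skipped = True
    except PermissionError:
        skipped = False
    done = [t.approve(u) for u in ("olivia", "dan", "adam")]
    return skipped, done, t.trail
```

The audit trail records which member of each node approved, which is the information an operation audit needs when a node has several possible approvers.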

Security rules

By default, the system provides three levels of security rules: low, medium, and high. The rules can be edited as needed but cannot be deleted. The following section lists the control capabilities supported by specific modules.
Note: DMS also supports custom rules, which can be edited and deleted as needed. You can configure an approval process by using custom rules. This allows you to implement flexible management and perform an operation audit on your business. An instance can be associated with a security rule. This way, you can achieve flexible and on-demand business management. Depending on your business needs, you can strictly control the test environment but loosely control the production environment of the back-end system.

SQL console

  • Specifies whether you can run data manipulation language (DML) statements. You can set a threshold for the number of rows. If the threshold is exceeded, DML statements cannot be run.
  • Specifies whether you can run data definition language (DDL) statements. You can set a threshold for the size of a table. If the threshold is exceeded, DDL statements cannot be run.
  • Specifies whether you can perform high-risk DDL operations, such as deleting tables and deleting fields.
  • Specifies whether you can run other SQL statements.
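
The four SQL console controls above, evaluated per instance, can be modeled as follows. This is an added example, not DMS code or configuration: the ConsoleRule fields, threshold values, instance names, and keyword-based classification are assumptions, and the row estimate and table size are supplied by the caller.

```python
import re
from dataclasses import dataclass

@dataclass
class ConsoleRule:                      # hypothetical fields, one per control above
    allow_dml: bool
    max_dml_rows: int                   # DML blocked above this many rows
    allow_ddl: bool
    max_ddl_table_mb: int               # DDL blocked on tables larger than this
    allow_high_risk_ddl: bool
    allow_other: bool

# Constructed rule values and instance names, not DMS defaults.
RULES = {
    "low":  ConsoleRule(True, 100_000, True, 10_240, True, True),
    "high": ConsoleRule(True, 1_000, True, 512, False, False),
}
INSTANCE_RULE = {"instance-a": "low", "instance-b": "high"}

# Simplified classification on the leading keyword of a single statement.
HIGH_RISK = re.compile(
    r"^\s*(DROP\s+TABLE\b|ALTER\s+TABLE\b.*\bDROP\s+COLUMN\b)", re.I | re.S)
DML = re.compile(r"^\s*(INSERT|UPDATE|DELETE)\b", re.I)
DDL = re.compile(r"^\s*(CREATE|ALTER|DROP|TRUNCATE|RENAME)\b", re.I)

def classify(sql):
    if HIGH_RISK.match(sql):
        return "high_risk_ddl"          # deleting tables or fields
    if DML.match(sql):
        return "dml"
    if DDL.match(sql):
        return "ddl"
    return "other"

def check(instance, sql, est_rows=0, table_mb=0):
    """Return (allowed, kind) for one statement on one instance."""
    rule = RULES[INSTANCE_RULE[instance]]
    kind = classify(sql)
    if kind == "high_risk_ddl":
        return rule.allow_high_risk_ddl, kind
    if kind == "dml":
        return rule.allow_dml and est_rows <= rule.max_dml_rows, kind
    if kind == "ddl":
        return rule.allow_ddl and table_mb <= rule.max_ddl_table_mb, kind
    return rule.allow_other, kind

if __name__ == "__main__":
    for inst in INSTANCE_RULE:
        print(inst, check(inst, "DELETE FROM orders WHERE id < 9000", est_rows=5000))
        print(inst, check(inst, "ALTER TABLE orders DROP COLUMN note", table_mb=100))
```

The high-risk check runs before the general DDL check so that a small table does not let a column or table deletion through on the size threshold alone.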

Data changes

  • Specifies whether you can run DML statements. You can set a threshold for the number of affected rows. If the threshold is exceeded, DML statements cannot be run.
  • Specifies whether you can run DDL statements. You can set a threshold for the size of a table. If the threshold is exceeded, DDL statements cannot be run.
  • Specifies whether you can perform high-risk DDL operations, such as deleting tables and deleting fields.
  • Specifies whether you can run other SQL statements.

If you select Enable for the preceding rules, you must select an approval process and approval process flow based on your business needs.

Data export

Specifies whether approval is required for data export tickets.

If you enable this rule, you can set or modify the threshold for data export. You can also configure approval processes and approval process flows for different thresholds.
Note: If the data that you want to export contains rows with sensitive data, you can configure an approval process with rules that ignore the rows. If you want to export sensitive data, you can configure a specific approval process.

Permission application

  • Permissions on databases, tables, or columns

    You can configure an approval process flow to control the approval process.

    • Permissions on databases or tables
    • Permissions on sensitive columns
    • Permissions on confidential columns
  • Data owner

    You can configure an approval process flow to control the approval process.

    • Approval process when a data owner already exists
    • Approval process when no data owner exists
  • Sensitivity level

    You can configure an approval process flow to control the approval process.

    • Lower the security level from confidential to sensitive.
    • Lower the security level from confidential to internal.
    • Lower the security level from sensitive to internal.