Data permission policies allow you to assign different approval rules based on data sensitivity levels. This enables approvers to focus on highly sensitive data and exempts public data from approval, thereby reducing the burden of permission reviews. This topic describes how to configure data permission policies.
Permission
Only security administrators can add, edit, or delete data permission policies.
Usage notes
You can add up to 50 approval rules.
For each rule, you can set whether permissions can be requested based on scope (project or data domain), environment, table type, security level, and permission type. If permissions can be requested, choose a built-in approval template, skip approval (system auto-approves), or use a custom approval template.
You can modify the approval flow, approval nodes, and approvers in an approval template. For more information, see View built-in approval templates and Create and manage approval templates.
Rule Description
If a data table does not match any approval rule, the system uses the default built-in template for that table type.
Add an approval rule
In the top menu bar on the Dataphin homepage, choose Management Hub > Governance Settings.
In the navigation pane on the left, choose Data Access > Data Permissions. On the Data Permissions page, click the Add Approval Rule button.
In the Add Approval Rule dialog box, configure the parameters.
Parameter
Description
Rule Scope
Select one of the following scopes: Project, Domain, or Datasource.
Project
When the rule scope is Project, choose All Projects or Specific Projects.
All Projects: The rule automatically applies to all projects in the current tenant, including existing and future projects.
Specific Projects: Select one or more projects to which this rule applies.
Domain
When the rule scope is Domain, choose All Domains or Specific Domains.
All Domains: The rule automatically applies to all domains in the current tenant, including existing and future domains.
Specific Domains: Select one or more domains to which this rule applies.
Note: You must enable the Intelligent R&D edition to create domains. "All Domains" includes tables not assigned to any domain.
Datasource
When the rule scope is Datasource, choose All Datasources or Specific Datasources. Only datasources that support data preview can have approval rules configured. For supported datasources, see Operations supported by different ingestion source types.
All Datasources: The rule automatically applies to all datasources in the current tenant, including existing and future datasources.
Specific Datasources: Select one or more datasources to which this rule applies.
Environment
When the rule scope is Project or Domain, select Production or Development. The Basic environment is treated as Production.
Table Type
When the rule scope is Project, select from Physical Table, View, Meta Table (requires Real-Time R&D module), Mirror Table (requires Real-Time R&D module), and Materialized View.
When the rule scope is Domain, select from Logical Table (requires Intelligent R&D edition) and Logical View (requires Intelligent R&D edition).
When the rule scope is Datasource, select Datasource Table.
Permission Type
Available permissions vary by table type:
Table types that support only Query Table Data include Logical Table, Logical View, Physical View, and Datasource Table.
For Physical Table and Materialized View: Select, Write, Delete, and Alter are supported.
For Meta Table and Mirror Table: Select and Write are supported.
For all table types, you can Query Table Data, Modify Table Data, Delete Table, and Modify Table Schema.
Security Level
Choose All Levels or Specific Levels. To create data security levels, see Manage data classification.
All Levels: The rule automatically applies to any new security levels added later.
Specific Levels: Select one or more data classification levels.
Important: Data classification levels range from L1 (public) to L4 (top secret), plus any custom levels you define.
If you select All Levels and later add a higher-sensitivity field (for example, L3) to a table that originally contained only L1 fields, the new field will automatically inherit the same permissions. To prevent unintended access, specify exact security levels.
The Data Security module must be enabled to use security levels.
Permission Request
Controls whether a permission request requires approval. Choose Enable or Disable.
If disabled, permission requests are automatically ignored.
If enabled, select an approval template. Options include Project Administrator Approval, Domain Administrator Approval, Security Administrator Approval, Resource Owner Approval, and No Approval (System Auto-Approves). You can also use a custom approval template. For details, see Create and manage approval templates.
Click OK to complete the rule creation.
View the approval rule list
The Data Permissions Approval page shows configured rules, including scope (domain/project/datasource), environment, table type, permission type, security level, permission request status, and approval template.
You can perform the following actions on any rule.
Action
Description
Rule Sorting
Click the Sort button, drag the rule to its desired position, then click Done.
Note: Rules are evaluated from top to bottom. The first matching rule determines the approval process for a permission request.
Edit
Modify the rule configuration, just like when creating a new rule.
Delete
Deleted rules cannot be restored. Proceed with caution.
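The following added example (not Dataphin code or a Dataphin API) models the top-to-bottom, first-match evaluation and the All Levels caveat described above, and flags rules that can never fire because a broader rule sits above them. The Rule fields, the one-permission-per-rule simplification, the project name sales_dw, and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALL = None  # models an "All Projects" / "All Levels" selection (assumed encoding)
KEYS = ("scope", "environment", "table_type", "permission")
@dataclass(frozen=True)
class Rule:  # simplified model: one table type and one permission type per rule
    name: str
    scope: str
    targets: Optional[frozenset]   # ALL, or specific project names
    environment: str
    table_type: str
    permission: str
    levels: Optional[frozenset]    # ALL, or specific security levels
    request_enabled: bool
    template: str

def _covers(outer, inner):
    """True if selection `outer` includes everything in `inner` (ALL covers anything)."""
    return outer is ALL or (inner is not ALL and inner <= outer)

def matches(rule, req):
    return (all(getattr(rule, k) == req[k] for k in KEYS)
            and _covers(rule.targets, frozenset({req["target"]}))
            and _covers(rule.levels, frozenset({req["level"]})))

def decide(rules, req):
    """Top to bottom; the first matching rule decides. No match -> default template."""
    for rule in rules:
        if matches(rule, req):
            return rule.name, (rule.template if rule.request_enabled else "request disabled")
    return None, "default built-in template for " + req["table_type"]

def shadowed(rules):
    """Rules that can never fire because one earlier rule fully covers them."""
    def covered(e, r):
        return (all(getattr(e, k) == getattr(r, k) for k in KEYS)
                and _covers(e.targets, r.targets) and _covers(e.levels, r.levels))
    return [r.name for i, r in enumerate(rules)
            if any(covered(e, r) for e in rules[:i])]

# Constructed sample rules and request (not taken from any real tenant).
BROAD = Rule("auto-approve-queries", "Project", ALL, "Production", "Physical Table",
             "Query Table Data", ALL, True, "No Approval (System Auto-Approves)")
STRICT = Rule("l3-l4-review", "Project", ALL, "Production", "Physical Table",
              "Query Table Data", frozenset({"L3", "L4"}), True,
              "Security Administrator Approval")
REQ_L3 = {"scope": "Project", "target": "sales_dw", "environment": "Production",
          "table_type": "Physical Table", "permission": "Query Table Data", "level": "L3"}
```

With BROAD listed first, the L3 request is auto-approved and shadowed() reports l3-l4-review; with STRICT listed first, the same request goes to Security Administrator Approval. The check only detects a rule covered by a single earlier rule, not by a combination of several.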