DataWorks: Overview

Last Updated: Jan 18, 2024

Approval Center allows you to configure custom request processing policies, request permissions, and query permission request records. This way, you can easily manage permissions or processing policies on objects such as tables, DataService Studio APIs, and extensions. You can also query request records and request processing records of different types of permissions.

Feature overview

When you develop and manage data in DataWorks, you can easily manage permissions on objects such as tables and DataService Studio APIs. You can use the default request processing procedure in Security Center or a custom request processing procedure in Approval Center.

When you submit a request for specific permissions after you create a custom request processing procedure, DataWorks checks whether the permissions in the request hit the custom request processing procedure. If the custom request processing procedure is hit, the request is processed based on the procedure.

You can perform the following operations in DataWorks Approval Center:

  • Configure a custom request processing policy: You can specify the scope of requests and configure a custom request processing procedure to manage permissions on key data sources and manage high-risk operations. In addition, you can configure notification methods such as text messages, emails, or DingTalk chatbots.

  • Process requests: The user who submits or processes the request can approve or reject the request in Approval Center.

For more information about how to configure custom request processing policies, see Request processing policies for compute engine data, Request processing policies for DataService Studio, Create a request processing policy for Data Integration nodes, and Request processing policies for extensions.

After you configure custom request processing policies, you can process requests for permissions on tables and on APIs, functions, and service orchestration in DataService Studio based on the policies. You can also process requests for permissions to save Data Integration nodes based on the policies. For more information, see Requesting and processing procedure for permissions on table fields, Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio, Processing procedure for permissions on Data Integration nodes, and Processing procedure for permissions on extensions.

Requesting and processing procedure for permissions on table fields

The following figure shows the request processing procedure after a custom request processing policy is configured in Approval Center and a user submits a request for the permissions on table fields in Security Center.

Figure: Requesting permissions on specific table fields

  • In Security Center, when a user submits a request for the permissions on a specific field in a MaxCompute table, DataWorks determines the type of request processing procedure based on the field.

    • If the field on which you request permissions belongs to the data range that is specified in a custom request processing procedure, the request is processed based on the custom request processing procedure in Approval Center.

    • If the field on which you request permissions is out of the data range that is specified in a custom request processing procedure, the request is processed based on the default request processing procedure in Security Center.

  • If the request hits multiple custom request processing policies in Approval Center, DataWorks selects one custom request processing policy based on the value of the Priority of Policy for Tables parameter.

    When you configure a custom request processing policy, you can specify the data range to which the custom request processing policy applies based on MaxCompute projects or the sensitivity level and category of the data on which you request permissions. You can also specify information such as the approver and notification method. For more information about how to create a custom request processing policy for data in MaxCompute projects, see Request processing policies for compute engine data.
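The routing described in this section, as an added example that is not DataWorks code: a field request is checked against each custom policy's data range, the priority value picks one policy when several are hit, and anything outside every range falls back to the Security Center default. The class names, field names and sample values are hypothetical, and treating a smaller priority number as the winner is an assumption; the page does not state which direction the Priority of Policy for Tables parameter sorts.

```python
from dataclasses import dataclass

# Simplified model; every name and sample value here is hypothetical.

@dataclass(frozen=True)
class FieldRequest:
    project: str        # MaxCompute project that owns the table
    table: str
    field: str
    level: int          # sensitivity level assigned to the field
    category: str       # data category assigned to the field

@dataclass(frozen=True)
class TablePolicy:
    name: str
    approver: str
    priority: int                        # assumption: smaller number wins
    projects: frozenset = frozenset()    # scope by MaxCompute project
    levels: frozenset = frozenset()      # scope by sensitivity level ...
    categories: frozenset = frozenset()  # ... and category

    def hits(self, req: FieldRequest) -> bool:
        by_project = bool(self.projects) and req.project in self.projects
        by_class = (bool(self.levels) and bool(self.categories) and
                    req.level in self.levels and req.category in self.categories)
        return by_project or by_class

def route(req, policies):
    """Return (procedure, policy_name, approver) for one field request."""
    matched = [p for p in policies if p.hits(req)]
    if not matched:  # outside every custom data range
        return ("default", None, None)
    chosen = min(matched, key=lambda p: (p.priority, p.name))
    return ("custom", chosen.name, chosen.approver)

# Constructed sample policies and requests.
POLICIES = [
    TablePolicy("finance-project", "finance_owner", priority=2,
                projects=frozenset({"finance_prod"})),
    TablePolicy("pii-level3", "security_team", priority=1,
                levels=frozenset({3, 4}), categories=frozenset({"PII"})),
]
REQ_BOTH = FieldRequest("finance_prod", "orders", "id_card_no", 3, "PII")
REQ_PROJECT = FieldRequest("finance_prod", "orders", "amount", 1, "General")
REQ_NONE = FieldRequest("sandbox", "tmp_events", "ts", 1, "General")

if __name__ == "__main__":
    for r in (REQ_BOTH, REQ_PROJECT, REQ_NONE):
        print(r.project, r.field, "->", route(r, POLICIES))
```

Running sample requests through a model like this before changing priorities shows which approver a sensitive field actually reaches when a project-scoped policy and a classification-scoped policy overlap.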

Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio

After a custom request processing procedure is created for DataService Studio, the custom request processing procedure is triggered if a specific operation is performed on an API, function, or service orchestration that is managed by the procedure.

The following figure shows the request processing procedure after an applicant submits a request for the required permissions in Security Center.

Figure: DataService Studio request processing procedure

  • When you perform a specific operation on an API, function, or service orchestration in DataService Studio, DataService Studio determines whether to use a custom request processing procedure to process the request based on whether you configured the custom request processing procedure for the workspace in which the operation is performed.

    • If you configured the custom procedure for the workspace in which the operation is performed, the request is processed based on the custom request processing procedure.

    • If you did not configure the custom procedure for the workspace in which the operation is performed, you can perform operations on APIs, functions, or service orchestration in DataService Studio without the need to request permissions.

  • After you configure a custom request processing procedure, DataWorks processes a request by using the default or custom request processing procedure based on whether the request hits the custom request processing procedure.

    When you configure a custom request processing policy, you can specify the data range to which the custom request processing policy applies based on a project. You can also specify information such as the approver and notification method. For more information, see Request processing policies for DataService Studio.

Processing procedure for permissions on Data Integration nodes

Approval Center allows administrators to specify the Data Integration nodes on which the operation permissions must be processed based on a combination of a source and a destination. For example, you can request permissions to save a node on the Data Integration or DataStudio page. In a custom request processing policy that is configured for a Data Integration node, an administrator specifies the mysql_1 data source as a source and the odps_1 data source as a destination. When a developer saves the node, the custom request processing procedure is triggered. Then, the developer can proceed to the save operation only if the required permissions are granted to the developer in Security Center.

The following figure shows the request processing procedure after an applicant submits a request for the required permissions in Security Center.

Figure: Approval procedure

  • When you save a Data Integration node on the DataStudio or Data Integration page, Approval Center processes the request based on whether a custom request processing procedure is configured for the workspace in which the operation is performed.

    • If you configured the custom procedure for the workspace in which the operation is performed, the request is processed based on the custom request processing procedure.

    • If you did not configure the custom procedure for the workspace in which the operation is performed, you can save the node without the need to request permissions.

  • After you configure a custom request processing procedure, DataWorks processes a request by using the default or custom request processing procedure based on whether the request hits the custom request processing procedure.

    When you configure a custom request processing policy, you can specify a workspace and add the combination of a source and a destination to the workspace to specify the Data Integration nodes on which the operation permissions must be processed based on the custom request processing policy. You can also specify information such as the approver and notification method. For more information, see Create a request processing policy for Data Integration nodes.
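A coverage audit for the behaviour described in this section, as an added example that is not DataWorks code: a node is held for approval only when its workspace has a custom policy and its source/destination combination is listed in it, so the audit reports every node and data path that is not covered. The inventory structure and all names are hypothetical except mysql_1 and odps_1, which come from the example above.

```python
from collections import defaultdict

# Simplified model of the save-time check; not a DataWorks API. All names are
# hypothetical except mysql_1 and odps_1, which come from the example above.

def classify(node, policies):
    """Outcome when `node` is saved in its workspace."""
    pairs = policies.get(node["workspace"])
    if pairs is None:
        return "no_policy"   # no custom procedure: save needs no request
    if (node["source"], node["destination"]) in pairs:
        return "approval"    # hits the custom procedure
    return "not_hit"         # workspace has a policy, pair is not in it

def audit(nodes, policies):
    """Group node names by outcome."""
    report = defaultdict(list)
    for node in nodes:
        report[classify(node, policies)].append(node["name"])
    return {outcome: sorted(names) for outcome, names in report.items()}

def uncovered_pairs(nodes, policies):
    """Per workspace, source/destination pairs no custom policy covers."""
    gaps = defaultdict(set)
    for node in nodes:
        if classify(node, policies) != "approval":
            gaps[node["workspace"]].add((node["source"], node["destination"]))
    return {ws: sorted(pairs) for ws, pairs in gaps.items()}

# Constructed inventory: workspace -> set of (source, destination) pairs.
POLICIES = {"ws_orders": {("mysql_1", "odps_1")}}
NODES = [
    {"name": "sync_orders", "workspace": "ws_orders",
     "source": "mysql_1", "destination": "odps_1"},
    {"name": "export_orders", "workspace": "ws_orders",
     "source": "odps_1", "destination": "oss_1"},
    {"name": "sync_crm", "workspace": "ws_crm",
     "source": "mysql_1", "destination": "odps_1"},
]

if __name__ == "__main__":
    print(audit(NODES, POLICIES))
    print(uncovered_pairs(NODES, POLICIES))
```

The `no_policy` group deserves the first look: the same mysql_1 to odps_1 path that requires approval in one workspace is saved without any request in a workspace that has no custom procedure.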

Processing procedure for permissions on extensions

Security Center provides risk identification and response capabilities based on extensions. You can directly use the extensions provided by DataWorks to manage high-risk operations. You can also use DataWorks Open Platform to develop and deploy an extension as a risk identification rule to identify risks in more complex scenarios. This extends the capabilities of your internal risk management platform to DataWorks, which is a cloud-based big data platform. For more information, see Request processing policies for extensions.

  • If the custom extension returns Not Passed, a blocking operation is performed by default. This indicates that if the extension is triggered to identify risky operations and Not Passed is returned, the risky operation performed by the current user is directly blocked. For example, User A downloads data and the extension that is used to check for data download operations is triggered. If the extension returns Not Passed, the data download operation performed by User A is terminated.

  • If the extension returns Warning and you have added a request processing response policy, the request processing procedure that is associated with the extension is automatically triggered.