The DataWorks Approval Center feature is used to manage permissions on data and manage high-risk operations. You can use this feature to specify the scope of requests and customize request processing procedures to meet the request processing requirements of your enterprise in different compliance scenarios.

Feature overview

When you develop and manage data in DataWorks, you can manage permissions on table data and data service APIs in an efficient manner. You can use the default permission requesting and processing procedure in Security Center or customize permission processing procedures in Approval Center.

When you submit a request for specific permissions after you create a custom request processing procedure, DataWorks checks whether the permissions in the request hit the custom request processing procedure. If the custom request processing procedure is hit, the request is processed based on the procedure.

You can perform the following operations in DataWorks Approval Center:
  • Customize a request processing policy: You can specify the scope of requests and customize request processing procedures to manage permissions on key data sources and manage high-risk operations. In addition, you can configure notification methods such as text messages, emails, or DingTalk chatbots.
  • Process requests: The person who submits or processes the request can approve or reject the request in Approval Center.
For more information about how to configure request processing policies, see Approval policies for MaxCompute data, Approval policies for data services, and Create a request processing policy for Data Integration nodes.

After custom request processing policies are configured, you can process requests for permissions on tables and on APIs, functions, and service orchestration in DataService Studio based on the policies. You can also process requests for permissions to save Data Integration nodes based on the policies. For more information, see Requesting and processing procedure for permissions on table fields, Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio, and Processing procedure for permissions on Data Integration nodes.

Requesting and processing procedure for permissions on table fields

The following figure shows the request processing procedure after a custom request processing policy is configured in Approval Center and an applicant submits a request for the permissions on table fields in Security Center.

[Figure: Request permissions on specific table fields]
  • In Security Center, when a user submits a request for the permissions on a specific field in a MaxCompute table, DataWorks determines the type of request processing procedure based on the field.
    • If the field on which you request permissions belongs to the data range that is specified in a custom request processing procedure, the request is processed based on the custom request processing procedure in Approval Center.
    • If the field on which you request permissions is out of the data range that is specified in a custom request processing procedure, the request is processed based on the default request processing procedure in Security Center.
  • If your request hits multiple custom request processing policies in Approval Center, DataWorks selects one custom request processing policy based on the value of the Priority of Policy for Tables parameter.

    When you configure a custom request processing policy, you can specify the data range to which the custom request processing policy applies based on MaxCompute projects or the sensitivity level and category of the data on which you request permissions. You can also configure information such as the approver and notification method. For more information about how to create a custom request processing policy for data in MaxCompute projects, see Approval policies for MaxCompute data.

Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio

After a custom request processing procedure is created for DataService Studio, the custom request processing procedure is triggered if a specific operation is performed on an API, function, or service orchestration that is controlled by the procedure.

The following figure shows the request processing procedure after an applicant submits a request for the required permissions in Security Center.

[Figure: Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio]
  • When you perform a specific operation on an API, function, or service orchestration in DataService Studio, DataService Studio determines whether to use a custom request processing procedure to process the request based on whether you configured the custom procedure for the workspace in which the operation is performed.
    • If you configured the custom procedure for the workspace in which the operation is performed, the request is processed based on the custom request processing procedure.
    • If you did not configure the custom procedure for the workspace in which the operation is performed, you can perform operations on APIs, functions, or service orchestration in DataService Studio without the need to request permissions.
  • After a custom request processing procedure is configured, DataWorks determines whether a request is processed by using the default or custom request processing procedure based on whether the request hits the custom request processing procedure.

    When you configure a custom request processing policy, you can specify the data range to which the custom request processing policy applies based on a project. You can also configure information such as the approver and notification method. For more information, see Approval policies for data services.

Processing procedure for permissions on Data Integration nodes

Approval Center allows administrators to use a combination of a source and a destination to determine the Data Integration nodes on which operation permissions must be processed. For example, you can request permissions to save a node on the Data Integration or DataStudio page. Suppose that, in a custom request processing policy that is configured for a Data Integration node, an administrator specifies the mysql_1 data source as a source and the odps_1 data source as a destination. When a developer saves the node, the custom request processing procedure is triggered. The developer can proceed with the save operation only after the required permissions are granted to the developer in Security Center.

The following figure shows the request processing procedure after an applicant submits a request for the required permissions in Security Center.

[Figure: Request processing procedure]
  • When you save a Data Integration node on the DataStudio or Data Integration page, Approval Center determines how to process the request based on whether you configured a custom request processing procedure for the workspace in which the operation is performed.
    • If you configured the custom procedure for the workspace in which the operation is performed, the request is processed based on the custom request processing procedure.
    • If you did not configure the custom procedure for the workspace in which the operation is performed, you can save the node without the need to request permissions.
  • After a custom request processing procedure is configured, DataWorks determines whether a request is processed by using the default or custom request processing procedure based on whether the request hits the custom request processing procedure.

    When you configure a custom request processing policy, you can specify a workspace and add a source and a destination as a combination to the workspace to determine the Data Integration nodes on which the operation permissions must be processed based on the custom request processing policy. You can also configure information such as the approver and notification method. For more information, see Create a request processing policy for Data Integration nodes.
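
The routing rules above can be modelled to check which nodes a set of policies actually gates. The following sketch is an added example, not DataWorks code or an Alibaba Cloud API: the workspace names, node names, policy name, and the exact-match comparison on data source names are assumptions, and only mysql_1 and odps_1 come from this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    workspace: str
    pairs: frozenset  # {(source, destination), ...} combinations added to the workspace

def route_save(workspace, source, destination, policies):
    """Return (outcome, policy_name) for saving a Data Integration node."""
    in_workspace = [p for p in policies if p.workspace == workspace]
    if not in_workspace:
        # No custom procedure for this workspace: the save needs no request.
        return ("no_request_needed", None)
    for policy in in_workspace:
        if (source, destination) in policy.pairs:
            # The request hits the custom procedure.
            return ("custom", policy.name)
    # A custom procedure exists for the workspace but is not hit.
    return ("default", None)

def ungated(nodes, policies):
    """Names of nodes whose save does not trigger a custom procedure."""
    return [name for name, ws, src, dst in nodes
            if route_save(ws, src, dst, policies)[0] != "custom"]

# Constructed sample data (hypothetical workspaces and node names).
POLICIES = [
    Policy("mysql-to-odps", "ws_finance", frozenset({("mysql_1", "odps_1")})),
]
NODES = [
    ("sync_orders", "ws_finance", "mysql_1", "odps_1"),    # matches the policy
    ("export_orders", "ws_finance", "odps_1", "mysql_1"),  # reverse direction
    ("sync_logs", "ws_sandbox", "mysql_1", "odps_1"),      # workspace has no policy
]

if __name__ == "__main__":
    for name, ws, src, dst in NODES:
        print(name, route_save(ws, src, dst, POLICIES))
    print("not gated by a custom procedure:", ungated(NODES, POLICIES))
```

In this model, the reverse-direction node and the node in a workspace without a policy are both saved without the custom procedure, which is the coverage gap to look for when reviewing policies.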