The DataWorks Approval Center feature is used to manage permissions on data and manage high-risk operations. You can use this feature to specify the scope of requests and customize request processing procedures to meet the request processing requirements of your enterprise in different compliance scenarios.
Feature overview
When you develop and manage data in DataWorks, you can manage permissions on items, such as table data and DataService Studio APIs, in an efficient manner. You can specify request processing procedures based on your business requirements in Approval Center. If request processing policies for compute engine data need to be specified, you can use a default request processing procedure provided by DataWorks Security Center.
When you submit a request for specific permissions after you create a custom request processing procedure, DataWorks checks whether the permissions in the request hit the custom request processing procedure. If the custom request processing procedure is hit, the request is processed based on the procedure.
You can perform the following operations in DataWorks Approval Center:
Configure a custom request processing policy: You can specify the scope of requests and configure a custom request processing procedure to manage permissions on key data sources and manage high-risk operations. In addition, you can configure notification methods such as text messages, emails, or DingTalk chatbots.
Process requests: The user who submits or processes the request can approve or reject the request in Approval Center.
For more information about how to configure request processing policies, see Request processing policies for compute engine data, Request processing policies for DataService Studio, and Request processing policies for Data Integration tasks.
After custom request processing policies are configured, you can process the requests for permissions on tables, and APIs, functions, and service orchestration in DataService Studio based on the policies. You can also process the requests for permissions to save Data Integration nodes based on the policies. For more information, see Requesting and processing procedure for permissions on table fields, Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio, and Processing procedure for permissions on Data Integration nodes.
Requesting and processing procedure for permissions on table fields
The following figure shows the request processing procedure after a custom request processing policy is configured in Approval Center and a user submits a request for the permissions on table fields in Security Center.
In Security Center, when a user submits a request for the permissions on a specific field in a MaxCompute table, DataWorks determines the type of request processing procedure based on the field.
If the field on which the user requests permissions belongs to the data range that is specified in a custom request processing procedure, the request is processed based on the custom request processing procedure in Approval Center.
If the field on which the user requests permissions is out of the data range that is specified in a custom request processing procedure, the request is processed based on the default request processing procedure in Security Center.
If the request hits multiple custom request processing policies in Approval Center, DataWorks selects one custom request processing policy based on the value of the Priority of Policy for Tables parameter.
When you configure a custom request processing policy, you can specify the data range to which the custom request processing policy applies based on MaxCompute projects or the sensitivity level and category of the data on which you request permissions. You can also specify information such as the approver and notification method. For more information about how to create a custom request processing policy for data in MaxCompute projects, see Request processing policies for compute engine data.
Requesting and processing procedure for permissions on APIs, functions, and service orchestration in DataService Studio
After a custom request processing procedure is created for DataService Studio, the custom request processing procedure is triggered if a specific operation is performed on an API, function, or service orchestration that is controlled by the procedure.
The following figure shows the request processing procedure after an applicant submits a request for the required permissions in Security Center.
When you perform a specific operation on an API, function, or service orchestration in DataService Studio, DataService Studio determines whether to use a custom request processing procedure to process the request based on whether you configured the custom request processing procedure for the workspace in which the operation is performed.
If you configured the custom procedure for the workspace in which the operation is performed, the request is processed based on the custom request processing procedure.
If you did not configure the custom procedure for the workspace in which the operation is performed, the user can perform operations on APIs, functions, or service orchestration in DataService Studio without the need to request permissions.
After you configure a custom request processing procedure, DataWorks processes a request by using the default or custom request processing procedure based on whether the request hits the custom request processing procedure.
When you configure a custom request processing policy, you can specify the data range to which the custom request processing policy applies based on a project. You can also specify information such as the approver and notification method. For more information, see Request processing policies for DataService Studio.
Processing procedure for permissions on Data Integration nodes
Approval Center allows administrators to specify the Data Integration nodes on which the operation permissions must be processed based on a combination of a source and a destination. For example, you can request permissions to save a node on the Data Integration or DataStudio page. In a custom request processing policy that is configured for a Data Integration node, an administrator specifies the mysql_1 data source as a source and the odps_1 data source as a destination. When a developer saves the node, the custom request processing procedure is triggered. Then, the developer can proceed to the save operation only if the required permissions are granted to the developer in Security Center.
The following figure shows the request processing procedure after an applicant submits a request for the required permissions in Security Center.
When you save a Data Integration node on the DataStudio or Data Integration page, Approval Center processes the request based on whether a custom request processing procedure is configured for the workspace in which the operation is performed.
If you configured the custom procedure for the workspace in which the operation is performed, the request is processed based on the custom request processing procedure.
If you did not configure the custom procedure for the workspace in which the operation is performed, you can save the node without the need to request permissions.
After you configure a custom request processing procedure, DataWorks processes a request by using the default or custom request processing procedure based on whether the request hits the custom request processing procedure.
When you configure a custom request processing policy, you can specify a workspace and add the combination of a source and a destination to the workspace to specify the Data Integration nodes on which the operation permissions must be processed based on the custom request processing policy. You can also specify information such as the approver and notification method. For more information, see Create a request processing policy for Data Integration nodes.