DataWorks supports permission request and approval workflows for tables and columns. Each table has an Approval Owner—the person responsible for approving data access requests. When an Approval Owner's Alibaba Cloud account becomes invalid, pending approval requests are blocked. This topic describes how to detect and resolve Approval Owner anomalies for MaxCompute tables using the Approver Governance feature in Data Map.
Approval Owner Governance is currently in Beta. Try it out and share your feedback.
Limitations
Approval Owner Governance is supported only for MaxCompute tables.
Prerequisites
Before you begin, make sure that you have:
Administrator permissions on the DataWorks workspace whose tables you want to manage
Access to the DataWorks console
Access Approver Governance
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Governance > Data Map. On the page that appears, click Go to Data Map.
In the left-side navigation pane, click My Data. The My Data > Owned by Me page appears by default.
In the left-side navigation pane, click My Tools > Approver Governance. The Approver Governance page appears.
View abnormal Approval Owners
The Approver Governance page lists all Approval Owner anomalies detected across workspaces where you have administrator permissions.
Column | Description |
Table name | The table name. Click the name to navigate to the Details page. |
Project | The associated MaxCompute project. A suffix indicates the environment (for example, _dev for the development environment). |
Environment | The DataWorks workspace environment: Development or Production. |
Abnormal approver | The role with the anomaly. Two role types can trigger an anomaly: Approver (the permission approver and business-level table owner; the default is the table creator; visible in Data Map > Table Details Page > Basic Information) and Table Owner (the technical table owner; queryable via the |
Exception cause | The criteria used to identify anomalies, in descending priority: (1) The production environment Approval Owner differs from the development environment owner. (2) The Approval Owner's Alibaba Cloud account (in development or production) no longer exists. (3) The Approval Owner (in development or production) is not a member of the current tenant. |
Recommended owner | The system-recommended new owner based on the anomaly cause and recommendation strategy. |
Recommendation reason | The strategy used to determine the recommended owner. See How the system recommends an owner. |
Storage | The volume of data stored in the table. |
Created at | The time when the table was created. |
Updated at | The time when the table was last updated. |
Actions | Transfer and Add to Whitelist. |
Batch operation | Transfer and Add to Whitelist. |
How the system recommends an owner
The system applies the following strategies in descending priority to recommend an Approval Owner:
For a production table, use the Approval Owner of the valid development table.
Use the owner of the task that produces the current table.
Use the Approval Owner of the corresponding development table, derived from the task owner generating the production table.
Use the default security policy configured in Security Center.
Use the entity recipient defined in Security Center workspace-level transfer rules.
Use the workspace administrator. This strategy applies if Security Center is not deployed or activated, or if transfer rules are not configured for the target workspace in Security Center.
Transfer abnormal Approval Owners
Permissions required: You must have administrator permissions on the workspace containing the tables you want to transfer. The target owner must be a member of the table's workspace, or the transfer will fail.
On the Approver Governance page, select one or more tables and click Transfer.
In the Transfer dialog box, select a transfer type:
Transfer type
When to use
Notes
Recommended
Quickly fix anomalies using system suggestions
Preview the recommended owner in the list before confirming
Custom
Assign a specific person as the new owner
The target owner must be a member of the table's workspace
Click Confirm.
To view the transfer status and details, go to My Tools > Transfer Logs.
Manage whitelist
Tables in the whitelist are excluded from anomaly detection.
Add to whitelist: On the Approver Governance page, select the tables to exempt and click Add to Whitelist.
View whitelist: On the Approver Governance page, click Manage Whitelist to view the details of the tables in the whitelist.
Remove from whitelist: On the Approver Governance page, click Manage Whitelist. In the Manage Whitelist dialog box, click Remove from Whitelist to restore tables to the pending list.
View transfer logs
On the My Data page, click My Tools > Transfer Logs.
Review the transfer details:
Column
Description
Transfer task ID
A unique ID generated for each transfer operation, which can involve one or more tables.
Operator
The person who performed the transfer.
Status
The transfer task status. Valid values: Success, Failed, and Transferring.
Start time
The time when the transfer task started.
End time
The time when the transfer task ended.
Actions
View Details
Click View Details in the Actions column for the target transfer task. In the Transfer Log Details dialog box, view information about the transferred tables.
FAQ
The message "Execution timed out. Please try again." appears during a transfer operation.
For large numbers of tables, transfer them in batches or use Entity ownership transfer.