Configure approval policies
An approval policy defines the approval workflow for requesting permissions on data assets and performing sensitive operations. DataWorks maintains separate policy lists for each approval type, including MaxCompute, Hologres, Data Service, and extension. When a request matches a policy, DataWorks initiates the defined approval workflow and notifies the approvers based on the notification settings. This topic describes the overall capabilities of the approval policy module, how to access it, the list of approval types, and common actions on the list page.
Accessing the approval policy page
DataWorks provides two entry points to the approval policy page:
New data security module: In the left-side navigation pane of your DataWorks workspace, choose Request & Approval > Approval Policy. Use the Approval Type drop-down list at the top of the page to switch between different policy lists.
Legacy Data Protection Umbrella module (for tenants that have not upgraded to the new data security module): Choose All Products > Data Governance > Approval Center > Approval Policy Management, and then use the left-side navigation pane to switch between approval types.
The new data security page uses a URL parameter (?type=...) to reflect the selected approval type. You can use this URL to directly link to a specific policy list.
All logged-in users can view the approval policy list. However, the Create, View, Edit, and Delete buttons require a DataWorks Enterprise Edition subscription. If you do not have Enterprise Edition, these buttons are replaced with an "Upgrade to Enterprise Edition" link.
Approval types
The Approval Type drop-down list at the top of the page displays up to eight types. The options that appear depend on the compute engines enabled for your tenant. You can create custom policies for four of these types, while the other four are system policies, for which you cannot create new ones:
Approval type | Visibility condition | Creatable | Related document |
MaxCompute | Always displayed (default filter option) | Yes | Compute engine approval policies |
Hologres | Displayed only if Hologres is enabled for the tenant. | Yes | Compute engine approval policies |
Data Lake Formation (DLF) | Displayed only if Data Lake Formation (DLF) is enabled for the tenant. | No (system policy) | N/A |
DLF-Legacy | Displayed only if DLF 1.0 is enabled for the tenant. | No (system policy) | Compute engine approval policies (description only) |
Lindorm | Always displayed | No (system policy) | N/A |
Data Service | Always displayed | Yes | Data Service approval policies |
Extension | Always displayed | Yes | Extension approval policies |
Data Asset Governance | Always displayed | No (system policy) | N/A |
The options in the Create policy drop-down menu differ from the filter options in the list. You can only create policies for four types: MaxCompute, Hologres, Data Service, and extension. For the other four types (DLF-Legacy, DLF, Lindorm, and Data Asset Governance), the corresponding menu items are disabled. When you hover over them, a tooltip displays the message "This approval type does not support creating new policies." System policies are pre-configured by DataWorks. Tenants can view, enable, disable, and adjust the match order of system policies, but cannot create new ones.
List page capabilities
Capability | Description |
Filter by approval type | Use the Approval Type drop-down list at the top of the page. The selected filter is synchronized with the URL parameter |
List columns | The list includes the following columns: Match order, Policy ID, Policy name, Approval type, Approval scope, Rule purpose, Status, and Actions. |
Copy policy ID or name | Click the copy icon next to a value in the Policy ID or Policy name column. A toast message appears upon successful copy. |
Enable or disable a policy | Use the switch in the Status column. You must confirm this change. If you do not have Enterprise Edition, this switch is replaced with an "Upgrade to Enterprise Edition" button. |
Adjust match order | You can drag and drop rows to adjust the match order. The system evaluates policies sequentially from top to bottom and stops at the first match. A smaller number in the Match order column indicates a higher priority. This number (1, 2, 3...) represents the display order for the current type, not the internal priority value used by the backend. |
View, edit, or delete | Use the options in the Actions column. The Delete button is not available for system policies (see Special handling for system policies). When you delete a policy of the extension type, a special message appears that directs you to the Risk Identification Rules page. |
Display rules for the Approval scope column | If the approval scope of a system policy is empty, the column displays All, which means the policy applies to all data. If the scope of a user-created policy is not configured, the column displays a hyphen (-). This is unlikely to occur because the scope is a required field in the creation form. |
List limit | The list displays a maximum of 100 policies at a time and does not have pagination. If you expect the number of policies for a single type to exceed this limit, contact Alibaba Cloud Technical Support. |
Special handling for system policies
System policies are pre-configured by DataWorks. Tenants can only adjust notification channels and auto-approval rules. You cannot modify the policy scope or approval nodes. The specific limitations are as follows:
The Delete button does not appear in the Actions column.
If the approval scope is empty, the column displays All, which means the policy applies to all data.
When you edit a system policy, the policy name and rule description in the Basic Information section are read-only.
When you edit a system policy, the Effective scope and Configure approval nodes sections are not rendered. You can only adjust notification settings. For the MaxCompute type, you can also configure auto-approval rules.
Approver types
When you edit a non-system policy, you can choose one of the following five approver types for each approval node. For some types, the system automatically locates the owner based on the engine or resource.
Approver type | Description | Applicable approval types |
RAM user | Assign a specific RAM user as the approver. | All |
MaxCompute role | Assign a role in a MaxCompute project as the approver. | MaxCompute |
Tenant role | Assign a tenant-level role, such as a tenant administrator, as the approver. | All |
DataWorks workspace role | Assign a workspace role, such as a workspace administrator, as the approver. | All |
DataWorks workspace member | Assign any member within a workspace as the approver, regardless of their role. | All |
In some scenarios, the system automatically identifies the resource owner as the approver. In these cases, you cannot assign a specific person in the UI. The value is shown only as a label for the approval node:
Table/Project administrator (Automatically located based on the table or project owner in engines such as MaxCompute and Hologres).
DLF/DLF-Next administrator (Automatically located based on the DLF engine).
Lindorm administrator (Automatically located based on the Lindorm engine).
Alibaba Cloud resource owner (Automatically located based on the resource owner).
Related documents
Compute engine approval policies: Explains how to create and configure policies for the MaxCompute and Hologres types, including their effective scope, auto-approval rules, and approval nodes.
Data Service approval policies: Explains how to configure approvals required before you publish Data Service APIs.
Extension approval policies: Explains approvals triggered by extensions. This must be used in conjunction with Security Center > Risk Identification Rules.