When a user requests access to MaxCompute tables, resources, or functions, DataWorks needs to know who reviews that request and in what order. A request processing policy defines the data scope the policy covers, the notification channels for approvers, and the sequential approval chain the request must pass through.
Prerequisites
Before you begin, ensure that you have:
- A DataWorks Enterprise Edition workspace
- Workspace administrator access, or a RAM user with the AliyunDataWorksFullAccess policy attached
How a request processing policy works
Each policy ties together three elements:
| Element | Description |
|---|---|
| Data range | The MaxCompute project, or the data category and sensitivity level in Data Security Guard, whose permission requests this policy governs |
| Notification methods | How approvers are alerted when a request arrives |
| Approval chain | An ordered sequence of approvers; the request advances to the next approver only after the current one approves |
When a data range is covered by both a MaxCompute project-based policy and a Data Security Guard-based policy, you can set a priority to control which policy takes effect.
Limitations
- Only workspace administrators and RAM users with the AliyunDataWorksFullAccess policy can create and manage request processing policies.
- Request processing policies for compute engine data are available only in DataWorks Enterprise Edition.
Create a request processing policy
Step 1: Open the Approval Center
- Log on to the DataWorks console. In the top navigation bar, select the region you want.
- In the left-side navigation pane, choose Data Development and O&M > Data Development. Select your workspace from the drop-down list, then click Go to Data Development.
- Click the icon in the upper-left corner and choose All Products > More > Approval Center.
- In the left-side navigation pane of the Approval Center, choose Policies > Compute Engine. The page lists all existing request processing policies. You can also edit or delete policies from this page.
- Click Create Policy in the upper-right corner to open the Create Policy wizard.
Step 2: Enter basic information
Enter a Policy Name and a Purpose that describe the business scenario this policy covers.
Step 3: Specify the data range
The data range determines which permission requests this policy governs. Choose one of the following options.
Option 1: Scope by MaxCompute project
Select a MaxCompute project from the MaxCompute Project drop-down list. Permission requests for tables in that project are routed through this policy.
Constraints:
- Each MaxCompute project can be associated with only one project-based policy. Associating a second policy causes a conflict error.
- The drop-down list shows only projects where your current account holds the Admin or Super_Administrator role. If the list is empty, switch to an account with that role.

Note: A DataWorks workspace administrator is assigned the role_project_admin role in the workspace, not the Admin or Super_Administrator role in the associated MaxCompute project. To check your role, run whoami on the DataStudio page to get your account information, then run show grants for <your_account> to confirm whether you have the Admin or Super_Administrator role.
Option 2: Scope by data category and sensitivity level
Select a data category and sensitivity level from the Select Data Security Level drop-down list. Permission requests for tables matching that classification in Data Security Guard are routed through this policy.
Constraints:
- Each sensitivity level can be associated with only one policy based on data category and sensitivity level. Associating a second policy causes a conflict error.
- You can configure this scope using an Alibaba Cloud account or a RAM user. If you use a RAM user, both of the following conditions must be met:
  - The AdministratorAccess policy is attached to the RAM user.
  - The AliyunDataWorksFullAccess policy is attached to the RAM user, and the RAM user has the Project Owner or Super_Administrator role in all MaxCompute projects.
Step 4: Configure notification methods
DataWorks supports four notification methods:
| Method | Setup notes |
|---|---|
| Text messages | Add approvers as alert contacts in DataWorks. See Configure and view alert contacts. |
| Emails | Add approvers as alert contacts in DataWorks. See Configure and view alert contacts. |
| DingTalk chatbot | In the Add Robot dialog box, set Security Settings to Custom Keywords and enter DataWorks as the keyword. Clear all other check boxes under Security Settings. If you skip this step or select additional check boxes, approvers will not receive DingTalk notifications. |
| Webhook URLs | — |
When a permission request is submitted, DataWorks notifies all approvers using the methods you configure here. You assign specific approvers in the next step.
Step 5: Configure the approval chain
In the Configure Processing Links step, add one or more approval nodes. For each node, assign an approver and a role.
Approval order: The request advances sequentially. The next approver is notified only after the current approver grants approval.
Multiple approvers on one node: If a node has multiple approvers sharing the same role, DataWorks notifies all of them. A single approval from any one of them is enough to advance the request to the next node.
Supported approver types:
| Approver type | Description |
|---|---|
| DataWorks workspace-level roles | Roles defined at the workspace level |
| DataWorks workspace member | Individual workspace members |
| Table owner | The owner of the requested table |
| Alibaba Cloud account | A specific Alibaba Cloud account |
| MaxCompute roles | Roles defined in the MaxCompute project |
To receive text message or email notifications, approvers must be added as alert contacts. See Configure and view alert contacts.
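The approval-chain rules above (strict node order, any single approver on a node advances the request) can be checked against a planned chain with a small model. This is an added example, not DataWorks code or an API; the class names, account names, and sample chain are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    role: str
    approvers: frozenset  # accounts sharing this role on the node

@dataclass
class Request:
    chain: list
    position: int = 0  # index of the node currently awaiting approval
    audit: list = field(default_factory=list)

    @property
    def granted(self):
        return self.position >= len(self.chain)

    def notified(self):
        """Approvers on the current node: the only ones alerted so far."""
        return set() if self.granted else set(self.chain[self.position].approvers)

    def approve(self, account):
        """Record an approval; return True only if it advanced the request."""
        if account not in self.notified():
            # Not on the current node, or the chain has already finished.
            self.audit.append((account, "ignored"))
            return False
        self.audit.append((account, f"approved node {self.position}"))
        self.position += 1  # one approval from any approver on the node is enough
        return True

def build_chain(spec):
    """Build a chain from (role, accounts) pairs, rejecting empty nodes."""
    chain = [Node(role, frozenset(accounts)) for role, accounts in spec]
    if not chain or any(not node.approvers for node in chain):
        raise ValueError("every approval node needs at least one approver")
    return chain

# Constructed sample chain: the table owner first, then two workspace admins.
SAMPLE = [("Table owner", ["alice"]), ("Workspace admin", ["bob", "carol"])]

def run_sample():
    req = Request(build_chain(SAMPLE))
    results = [req.approve("bob")]        # bob is on node 1 and not yet notified
    results.append(req.approve("alice"))  # node 0 approved, request advances
    results.append(req.approve("carol"))  # either admin can clear node 1
    results.append(req.approve("bob"))    # chain already complete
    return results, req.granted

if __name__ == "__main__":
    print(run_sample())
```

The audit list records ignored attempts as well as approvals, which makes it easy to see whether a planned chain ever lets a later-node approver act early.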
Set policy priorities
If you have both a MaxCompute project-based policy and a Data Security Guard-based policy, a single data range may match both. Set a priority to control which policy takes precedence.