In Data Management (DMS), security rules and approval processes work together. Assign different approval processes to different user behaviors to control who must approve a ticket before an operation proceeds.
Prerequisites
Before you begin, ensure that you have:
Administrator or database administrator (DBA) role. For details, see View my system roles.
Key concepts
Approval node
An approval node is one stage in an approval process. Each node has one or more approvers. When a node has multiple approvers, the process advances to the next node as soon as any one approver approves.
DMS includes four built-in approval nodes:
| Approval node | Who approves |
|---|---|
| Admin | A DMS administrator |
| DBA | The DBA of the resource being operated |
| DBA Roles | Any user with the DBA role, including the resource DBA |
| Owner | The owner of the resource being operated |
To assign the DBA role to a user, see Edit a user. To set the DBA for an instance, edit its advanced settings on the Data Assets > Instances page. To apply for owner permissions, see Manage access control permissions.
In addition to the built-in nodes, you can add, edit, and delete custom approval nodes. Each approval node has a unique node ID.
Approval template
An approval template chains one or more approval nodes into a sequence. Nodes are processed in ascending order — node 0 runs first, then node 1, and so on.
Each template has a unique template ID. For example, template 851 might chain nodes 512 and 511. To apply a template to a security rule, enter its template ID in the rule configuration.
DMS includes built-in approval templates. You can also add, edit, and delete custom templates.
Approval priority
Security rules support approval processes at two levels: basic configuration items and checkpoints. When both are configured, the checkpoint process takes priority. The basic configuration item process applies only if no checkpoint process is set.
Approval-free processes
To skip approval entirely, set the template ID to -1. Three DSL actions produce an approval-free process:
| Action | Effect |
|---|---|
| `@act.do_not_approve` | Does not require approval. |
| `@act.choose_approve_template -1` | Sets the template ID to -1 |
| `@act.choose_approve_template_with_reason -1 "No approval required"` | Sets the template ID to -1 and returns "No approval required" in the ticket |
For DSL syntax details, see DSL syntax for security rules.
Step 1: Create an approval node
Log on to the DMS console V5.0.
In the upper-left corner, move the pointer over the icon and choose All Features > Security and disaster recovery (DBS) > Approval Processes.
In normal mode, choose Security and disaster recovery (DBS) > Approval Processes from the top navigation bar.
In the left navigation pane, click the Approval Node tab.
Click Add Approval Node.
Fill in the node details:
| Parameter | Description |
|---|---|
| Node Name | Name of the approval node |
| Comment | Remarks for the approval node |
| Approver | One or more approvers. If multiple approvers are added, the node advances after any one approves. |
Click Submit.
Step 2: Create an approval template
Log on to the DMS console V5.0.
In the top navigation bar, choose Security and Specifications > Approval Processes.
In simple mode, click the icon in the upper-left corner and choose All Functions > Security and Specifications > Approval Flow.
In the left navigation pane, click the Approval Template tab.
Click Add Approval Template.
Fill in the template details:
| Parameter | Description |
|---|---|
| Template Name | Name of the approval template |
| Comment | Remarks for the approval template |
| Approval Node | Click Add Node to add nodes. Nodes run in ascending order: 0 is first, 1 is second. |
Click Submit.
What's next
Apply the approval template to a security rule for an instance in Security Collaboration mode. For details, see Apply an approval template to a security rule.
Approver actions
DMS provides the following actions for ticket approvers:
| Action | Description |
|---|---|
| Approve | Approves the ticket and advances the process |
| Reject | Rejects the ticket and ends the approval process |
| Revoke | Ticket submitter withdraws a pending ticket |
| Change owner | Transfers the current approval to another user |
| Add pre-approval node | Inserts a custom approval node before the current node |
| Add post-approval node | Inserts a custom approval node after the current node |
Approvers for new nodes must be existing DMS users. To add users to DMS, see User Management.
FAQ
Can I prevent users from approving their own tickets?
Yes, but only for instances in Security Collaboration mode. Go to the top menu bar and click Operations Management, then select Configuration Management from the drop-down list. Search for "remove" to find the configuration item "Whether to automatically remove the submitter from the approval node of the approval flow (effective when there are multiple approvers)". Click Edit in the Actions column, set the value to Y, and click Confirm Change.
After saving, DMS automatically removes ticket submitters from their own approval node if they appear as an approver, which prevents self-approval.
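The approval priority rule, the "any one approver advances the node" rule and the submitter-removal setting interact, so it helps to audit a template for separation-of-duties gaps before applying it. The following Python model is an added example, not DMS code or a DMS API: the function names and the approvers `alice` and `bob` are constructed, and it assumes, from the configuration item's own wording, that a sole approver is never removed from a node.

```python
# Added example: a model of the rules on this page, not a DMS API.
APPROVAL_FREE = -1  # template ID that skips approval


def effective_template(basic_id, checkpoint_id=None):
    """A checkpoint process takes priority; the basic one applies only if none is set."""
    return basic_id if checkpoint_id is None else checkpoint_id


def eligible(approvers, submitter, remove_submitter):
    """Approvers left on a node once the submitter-removal item is applied."""
    pool = set(approvers)
    # Assumption: removal is effective only when the node has multiple
    # approvers, so a submitter who is the sole approver stays on the node.
    if remove_submitter and len(pool) > 1:
        pool.discard(submitter)
    return pool


def audit(template_id, templates, nodes, submitter, remove_submitter=False):
    """List separation-of-duties gaps for one submitter and one template."""
    if template_id == APPROVAL_FREE:
        return ["approval-free: the operation runs without review"]
    findings, pools = [], []
    for order, node_id in enumerate(templates[template_id]):  # ascending order
        pool = eligible(nodes[node_id], submitter, remove_submitter)
        pools.append(pool)
        if submitter in pool:
            findings.append(f"node {order} (ID {node_id}): submitter can self-approve")
    # Any one approver advances a node, so a user who sits on every node
    # can clear the whole template alone.
    shared = set.intersection(*pools) if pools else set()
    for user in sorted(shared):
        findings.append(f"{user} can approve every node alone")
    return findings


# Constructed sample data; only the IDs 851, 512 and 511 come from the page.
TEMPLATES = {851: [512, 511]}
NODES = {512: ["alice", "bob"], 511: ["bob"]}

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, audit(effective_template(851), TEMPLATES, NODES, "bob", flag))
```

With the setting enabled, `bob` is removed from node 512 but still approves his own ticket at node 511, where he is the only approver.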
How do I use one approval process for a specific database and approval-free for all others?
This requires the instance to be in Security Collaboration mode. If it isn't, right-click the instance, then choose Control Mode > Security Collaboration > mysql default.
Switching to Security Collaboration mode requires approval for all subsequent database change operations.
Once the mode is enabled, configure a checkpoint rule using a DSL script. In the top menu bar, choose Security and Disaster Recovery (DBS) > Security Rules. On the Specification Management tab, select the ruleset for the target database engine type, find the rule, and click Edit. In the left pane, choose SQL Change > Checkpoints > Risk Approval Rule, click Add Rule, and enter a DSL script.
The following example routes the `aes` database to approval template `173956` and skips approval for all other databases:
```
if
  'aes' in @fac.ref_schema_names
then
  @act.choose_approve_template 173956
else
  @act.do_not_approve
end
```
Extend this expression as needed. For syntax details, see DSL syntax for security rules.