This guide shows you how to connect a Secure Access Service Edge (SASE) App uninstall approval workflow to a DingTalk approval workflow. Once configured, when an employee in the designated user group tries to uninstall the SASE App, they are prompted to submit a DingTalk approval request. The approver reviews and acts on the request in DingTalk, and the result syncs back to SASE automatically.
Prerequisites
Before you begin, make sure you have:
An active SASE subscription. If you haven't activated the service, purchase it or apply for a 7-day free trial.
Configured a DingTalk identity source and enabled the authentication status
Created a user group using the DingTalk organizational structure
Step 1: Create a DingTalk application and enable approval permissions
Create a custom application on the DingTalk Open Platform, then grant it the OA Approval permissions needed to link with SASE.
Log on to the DingTalk Open Platform and select Application Development from the top menu bar.
In the left navigation pane, select DingTalk Application, then click Create Application.
In the Create Application panel, configure the following fields.
Application name (required): The name of the DingTalk application. Example: SASE-DingTalk Approval Application
Application description (required): A brief description of the application. Example: Used to create DingTalk approval workflows and sync with SASE
Application icon: The application icon. The system provides a default icon. To use a custom icon, upload a JPG or PNG file that is at least 240x240 px, has a 1:1 aspect ratio, is within 2 MB, and has no border radius. See DingTalk Application Icon Design Specifications.
Click Save to open the application details page.
In the left navigation pane, choose Development Configuration > Permission Management.
On the Permission Management page, request OA Approval permissions in bulk:
Select an appropriate Permission Scope.
In the permission classification list on the left, select OA Approval, then select the check box at the top of the list to select all permissions. The required permissions are: Approval Flow Data Management, Workflow Instance Write, Workflow Template Write, Workflow Template Read, and Workflow Instance Read.
In the upper-right corner of the list, click Batch Request.
Step 2: Create a DingTalk approval workflow
Log on to the DingTalk admin console.
Open OA Approval. In the lower-right corner of the page, go to Common Applications and select Approval. Alternatively, in the left navigation pane, choose Workbench > Application Management. Find OA Approval in the application list and click Enter in the Actions column.

Click Create Approval Form. In the dialog box, select Process Form.

Use the configuration wizard to set up the form across three tabs:
Basic settings: Configure Form Name, Group, Who Can Initiate, and Form Administrator. The system includes built-in form groups. To add a new group, click New Group, enter a group name, and click the icon.
Form design: Add the fields for the approval form. These fields will be mapped to SASE fields in a later step.
Click Form Design in the wizard.
In the controls area on the left, click a form control and configure its properties, such as Title and Placeholder Text.
Process design: Set the Initiator, Approver, and Carbon Copy Recipient for the workflow.
Click Process Design in the wizard.
Click the Approver box.
In the Approver panel, set the Approval Type, Approver, and Approval Method, then click Save.

Click Publish in the upper-right corner.
Step 3: Create a SASE approval workflow
Before completing this step, make sure you have the DingTalk Event Subscription page open — you need it in both this step (to generate credentials) and the next step (to paste the Request URL). Do not close or refresh that page between steps.
Log on to the Secure Access Service Edge console.
In the navigation pane, choose Approval Center > Workflow Management, then click Create Workflow.

In the Create Approval Workflow panel, configure the following parameters.
DingTalk application credentials
To get the Client ID and Client Secret: on the DingTalk Open Platform, go to Application Development > DingTalk Application, click your application name, then select Credentials And Basic Information in the left navigation pane.
To get the aes_key and token: on the DingTalk Open Platform, navigate to your application, select Event Subscription in the left navigation pane, set Push Method to HTTP Push, then click the reset button to generate the Encryption Aes_key and Signature Token.
Approval process configuration
In the Approval Process Configuration section, map SASE workflow templates to the DingTalk approval form. Example mapping: Workflow template = app uninstall policy; Associate DingTalk Process ID = PROC-EB35CAE7-******-*****19C5833D0C17; System field = Reason for filing; Template field = DingTalk approval reason for filing.
Workflow Template: A built-in SASE workflow template.
Associate DingTalk Process ID: The ID of the DingTalk approval form. To find the form ID: in the DingTalk admin console, go to OA Approval, then select Form Management in the left navigation pane. The form ID is listed in the Form Management table.

System Fields: A built-in, read-only field in the SASE workflow template.
Template Fields: A field from the associated DingTalk approval form.
Warning: After generating the Encryption Aes_key and Signature Token, do not reset them again. Keep the Event Subscription page open, because you need to paste the Request URL from SASE into it in Step 4.
A SASE approval workflow can be associated with multiple approval forms under the same DingTalk application. Click Add to configure additional mappings.
Workflow Name: The name of the approval workflow. Example: SASE App uninstall approval workflow
Approval Process Type: The type of approval workflow. Options: Built-in Approval Workflow, DingTalk Approval Workflow. Example: DingTalk Approval Workflow
Client ID: The ID of the DingTalk application. Example: ding**********zrvwc
Client Secret: The secret of the DingTalk application. Example: wRQD7BHcK************AyL1bAJDA
aes_key: The encryption key for DingTalk event subscriptions. Example: CzSr3F8************Tc3Zz2
token: The signature token for DingTalk event subscriptions. Example: 3hszVY***********aY4K3p9tB4
Request URL: The public URL that DingTalk uses to push event notifications to SASE. Copy this URL to the Request URL field on the DingTalk Event Subscription page. Example: https://default-pre-auth-server.cloudsecsase.com/*/*
Click OK.
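Added illustration, not code from SASE or DingTalk: why the Signature Token must stay the same on both sides once the workflow is saved. It assumes the receiver validates each HTTP Push event by recomputing a SHA-1 digest over the sorted token, timestamp, nonce and encrypted body; the parameter names, the millisecond timestamp and the freshness window are also assumptions, since this page does not describe how SASE validates events.

```python
import hashlib
import hmac

def callback_signature(token, timestamp, nonce, encrypt):
    """SHA-1 hex digest of the four strings, sorted and concatenated (assumed scheme)."""
    joined = "".join(sorted([token, timestamp, nonce, encrypt]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()

def verify_event(saved_token, query, body, now, max_skew_s=300):
    """Check one pushed event against the token saved at the receiver.
    query: URL parameters (names assumed: signature, timestamp, nonce).
    body:  parsed JSON body (field name assumed: encrypt).
    now:   current Unix time in seconds.
    """
    for name in ("signature", "timestamp", "nonce"):
        if not query.get(name):
            return False, "missing " + name
    encrypt = body.get("encrypt")
    if not encrypt:
        return False, "missing encrypt"
    try:
        sent_at = int(query["timestamp"]) / 1000.0  # assumed to be milliseconds
    except ValueError:
        return False, "bad timestamp"
    if abs(now - sent_at) > max_skew_s:  # receiver-side hardening, an added assumption
        return False, "stale timestamp"
    expected = callback_signature(saved_token, query["timestamp"], query["nonce"], encrypt)
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), query["signature"].encode()):
        return False, "signature mismatch"
    return True, "ok"

def demo():
    """Constructed values: one event signed with the saved token, one with a reset token."""
    saved, reset = "constructed-token-A", "constructed-token-B"
    ts, nonce, enc, now = "1700000000000", "constructed-nonce", "Q09OU1RSVUNURUQ=", 1700000010.0

    def push(sender_token):
        query = {"signature": callback_signature(sender_token, ts, nonce, enc),
                 "timestamp": ts, "nonce": nonce}
        return verify_event(saved, query, {"encrypt": enc}, now)

    return push(saved), push(reset)

if __name__ == "__main__":
    print(demo())
```

Under these assumptions, an event signed with a token that was reset on the DingTalk side after the workflow was saved is rejected with "signature mismatch", so approval results would stop syncing until both sides hold the same token again.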
Step 4: Configure DingTalk event subscriptions
Return to the Event Subscription page in DingTalk (the same page where you generated the aes_key and token).
In the Request URL field, paste the Request URL from your SASE approval workflow, then click Save. To find the Request URL in SASE: in the Secure Access Service Edge console, go to Approval Center > Workflow Management, click Edit in the Actions column of the workflow, and copy the URL from the Edit Approval Workflow panel.

After saving, scroll to the Approval Events section at the bottom of the page and turn on the Approval Instance Started, Ended switch.
Under Approval Instance Started, Ended, click Subscription Settings.
In the Subscription Content dialog box, click Add, enter an event address in the Subscription Address field, then click OK. Use the following address format:
/v1.0/event/bpms_instance_change/processCode/{processCode}/type/{type}
For example:
/v1.0/event/bpms_instance_change/processCode/PROC-XXXXX/type/*
A monthly quota applies to subscription event processing. Check your Webhook and Stream usage on the DingTalk Open Platform homepage.
Step 5: Configure the anti-uninstallation policy
Log on to the Secure Access Service Edge console.
In the navigation pane, choose Terminal Management > Terminal Registration.
On the Uninstallation Approval tab, click Anti-uninstallation Policy.
In the Client Anti-uninstallation Policy panel, configure the following parameters, then click OK.
Warning: In Approval Process Configuration, select an approval workflow that is associated with the DingTalk system.
Client Configuration Switch: Enable Client Anti-uninstallation and optionally Client Auto-start and Anti-logoff. Example: Enable Client Anti-uninstallation
Effective Scope: The user group to which this policy applies. Example: DingTalk user group
Whitelist: Users on the whitelist can uninstall the SASE client without being restricted by the anti-uninstall policy. Example: Manager Liu
Approval Process Configuration: Whether to require employees to submit an approval request before uninstalling. Select the approval workflow to use. Example: Filing workflow: Allow employees to file for approval; Select the workflow you created in Workflow Management
Prompt Display Configuration: The title, body text, and button labels for the pop-up that appears when a user in the effective scope tries to uninstall the SASE App. Supports Chinese and English. Example: Title: Your SASE App is about to be uninstalled; Content: After uninstallation, this device cannot be used for work and will lose access to the internal network; Primary button: File for Approval; Secondary button: Got It
Step 6: Verify the integration
Log on to the SASE App using a DingTalk identity source.
Uninstall the SASE App.
In the uninstall dialog box, click File For Approval.
On the Security Software Uninstall Prohibited page, enter a reason and click Initiate Filing.
The approver views and processes the OA approval request in the DingTalk application.
The administrator can also view approval details and act on requests in the SASE console at Approval Center > Workflow Instance.
The approval result syncs to the DingTalk client regardless of whether the request is approved or rejected.
If the request is approved, the user can proceed with uninstalling the SASE App.