Approval flows let enterprise administrators control which SASE policies take effect by requiring designated approvers to review and authorize requests before they are applied. When a policy change is submitted, the designated approvers receive a notification and act on the request — approving or rejecting it — through the SASE console, DingTalk, or WeCom. SASE supports three approval flow types: built-in flows managed within the console, and flows integrated with DingTalk or WeCom so that approvers can act from the tools they already use.
Prerequisites
Before you begin, ensure that you have:
Access to the Secure Access Service Edge console
(For DingTalk integration) A DingTalk application with Client ID, Client Secret, aes_key, and token credentials ready
(For WeCom integration) Administrator authorization completed via WeCom QR code scan, and Alibaba Cloud customer service has finished the backend configuration
Create an approval flow
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose Terminal Protection > Security Alerts.
On the Workflow Management page, click Create Workflow.
In the Create Approval Workflow panel, enter a Workflow Name. The name must be 1 to 128 characters and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
Under Approval Process Type, select the type of approval flow and configure the parameters for that type. See the sections below for type-specific parameters.
| Type | Description |
|---|---|
| Built-in Approval Process | Managed entirely within SASE. Suitable for standard SASE service policies. |
| DingTalk Approval Process | Routes approval requests through your DingTalk application. |
| WeCom Approval Process | Routes approval requests through your WeCom application. Requires backend configuration by Alibaba Cloud customer service before use. |
Click OK.
Built-in approval flow
| Parameter | Description |
|---|---|
| Approval Workflow | Set the approver flow. Add at least one level of approvers, up to five levels. For the first level, add up to five approvers — if any first-level approver approves the request, the flow is approved; if any approver rejects the request, the flow is rejected. |
| Application Review | Select one or more flow templates to associate with this approval flow. If no template is selected, the corresponding policy cannot be associated with this flow. |
The following flow templates are available for Application Review:
| Template | Associated policy location |
|---|---|
| Domain Name Whitelist Template | Internet Access > Behavior Management (whitelist policies) |
| Domain Name Blacklist Template | Internet Access > Behavior Management (blacklist policies) |
| Software Disabling Template | Software Management > Software Blacklist (disabling policies) |
| File Exfiltration Template | Data Loss Prevention > Detection Policies (file exfiltration detection policies) |
| App Uninstall Policy Template | Terminal Management > Uninstall Approval (registration policies) |
| Peripheral Control Template | Data Loss Prevention > Peripheral Management (detection policies) |
DingTalk approval flow
| Parameter | Description |
|---|---|
| Client ID | The ID of your DingTalk application. See Get the Client ID and Client Secret. |
| Client Secret | The secret of your DingTalk application. See Get the Client ID and Client Secret. |
| aes_key | The encryption credential for DingTalk event subscriptions. See Get the aes_key and token. |
| token | The signature token for DingTalk event subscriptions. See Get the aes_key and token. |
| Request URL | The public URL for DingTalk to push event subscription callbacks. Copy this URL to the Request URL field on the DingTalk Open Platform under Application Development > Internal Corporate Apps > DingTalk Apps > Development Configuration > Event Subscriptions. |
| Approval Process Configuration | Maps SASE flow templates to DingTalk approval flows. Configure the Workflow Template, Associate DingTalk Process ID, System Fields, and Template Fields for each mapping. Click Add to configure additional approval flows under the same DingTalk application. |
A single SASE approval flow can be attached to multiple approval forms created under the same DingTalk application.
Get the Client ID and Client Secret
Log on to the DingTalk Open Platform. In the top menu bar, choose Application Development.
In the navigation pane on the left, choose DingTalk Apps. Click the name of the application you created to open its details page.
In the navigation pane on the left, choose Credentials And Basic Information. On the App Credentials page, copy the Client ID and Client Secret.
Get the aes_key and token
Log on to the DingTalk Open Platform. In the top menu bar, choose Application Development.
In the navigation pane on the left, choose DingTalk Apps. Click the name of the application you created to open its details page.
In the navigation pane on the left, choose Event Subscriptions.
On the Event Subscriptions page, set Push Method to HTTP Push, then click the reset button to generate the Encryption Aes_key and Signature Token.
After you obtain the Encryption Aes_key and Signature Token, do not reset them again. Do not close or refresh the current page — you still need to configure the Request URL.
Configure the Approval Process Configuration
Under Approval Process Configuration, set the following fields for each mapping:
| Field | Description |
|---|---|
| Workflow Template | The built-in SASE flow template to associate. |
| Associate DingTalk Process ID | The form ID of the DingTalk approval flow. See View the DingTalk approval flow form ID. |
| System Fields | Built-in system fields from the SASE flow template. These fields cannot be edited. |
| Template Fields | Fields configured in the associated DingTalk flow. |
View the DingTalk approval flow form ID
Log on to the DingTalk admin console.
In the Common Applications section, choose Approval. Alternatively, go to Workbench > Application Management, find OA Approval in the list, and click Enter to open the OA Approval Back-end Management page.
In the navigation pane on the left, choose Form Management.
In the Form Management list, find the form ID of the approval flow.
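A pre-flight check for a planned built-in or DingTalk flow against the limits documented on this page, as an added example rather than SASE or DingTalk code. The dict layout, the function names, the CJK range used for "Chinese characters" and the 43-character aes_key format check are assumptions.

```python
import base64
import re

# Name rule from the page; the CJK range used for "Chinese characters" is an assumption.
NAME_RE = re.compile(r"[\u4e00-\u9fffA-Za-z0-9_-]{1,128}")
TEMPLATES = {
    "Domain Name Whitelist Template", "Domain Name Blacklist Template",
    "Software Disabling Template", "File Exfiltration Template",
    "App Uninstall Policy Template", "Peripheral Control Template",
}
DINGTALK_CREDENTIALS = ("client_id", "client_secret", "aes_key", "token")


def aes_key_looks_valid(aes_key):
    # Assumption (not stated on the page): 43 base64 characters encoding a 32-byte key.
    try:
        return len(aes_key) == 43 and len(base64.b64decode(aes_key + "=", validate=True)) == 32
    except ValueError:
        return False


def check_flow(plan):
    """Return the problems found in a planned flow (hypothetical dict layout)."""
    problems = []
    if not NAME_RE.fullmatch(plan.get("name", "")):
        problems.append("name: 1-128 Chinese characters, letters, digits, '-' or '_'")
    if plan.get("type") == "builtin":
        levels = plan.get("levels", [])
        if not 1 <= len(levels) <= 5:
            problems.append("levels: add 1 to 5 approver levels")
        if levels and not 1 <= len(levels[0]) <= 5:
            problems.append("levels[0]: first level takes 1 to 5 approvers")
        if not plan.get("templates"):
            problems.append("templates: none selected, no policy can be associated")
        mapped = plan.get("templates", [])
    elif plan.get("type") == "dingtalk":
        for key in DINGTALK_CREDENTIALS:
            value = plan.get(key, "")
            if not value or value != value.strip():
                problems.append(f"{key}: empty or padded with whitespace")
        if plan.get("aes_key") and not aes_key_looks_valid(plan["aes_key"]):
            problems.append("aes_key: not a 43-character base64 key")
        mappings = plan.get("mappings", [])
        problems += [f"mappings[{i}]: missing DingTalk process ID"
                     for i, m in enumerate(mappings) if not m.get("process_id", "").strip()]
        mapped = [m.get("template") for m in mappings]
    else:
        return problems + ["type: expected 'builtin' or 'dingtalk'"]
    problems += [f"template: unknown {t!r}" for t in mapped if t not in TEMPLATES]
    return problems
```

Running `check_flow` on the values you are about to paste catches copy errors such as a truncated aes_key or a mapping without a form ID before the flow is saved.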

WeCom approval flow
After you select the WeCom approval flow, the administrator must use the WeCom client to scan a QR code for authorization, and then contact Alibaba Cloud customer service to complete the backend configuration. Configuration is only available after the backend setup is complete.
| Parameter | Description |
|---|---|
| Approval Template Mapping | Map the built-in SASE flow template to a WeCom approval template and enter the corresponding flow ID. |
| Field ID Mapping | Map the system fields of the SASE flow template to the fields of the WeCom approval template. |
More operations
| Operation | Steps |
|---|---|
| Copy a flow | In the Actions column, click Copy to clone an existing approval flow. Only built-in approval flows can be copied. DingTalk and WeCom flows do not support this operation. |
| Edit a flow | In the Actions column, click Edit to modify an approval flow. |
| Delete a flow | In the Actions column, click Delete. Before deleting, disassociate the flow from all policies — a flow cannot be deleted while associated with a policy. |
Limitations
Copy is supported only for built-in approval flows. DingTalk and WeCom approval flows cannot be copied.
An approval flow cannot be deleted while it is associated with a policy. Disassociate the flow from all policies before deleting it.
WeCom approval flows require backend configuration by Alibaba Cloud customer service before they can be used. Allow additional setup time when planning a WeCom integration.
What's next
To view statistics for all flows in your organization, see View flow instance statistics.
To apply a built-in flow template to peripheral device policies, see Ensure data security by managing peripheral devices.
For an end-to-end walkthrough of connecting a DingTalk approval flow, see Best practices for integrating a DingTalk approval flow.