DataWorks Approval Center is a module for managing data authorization and controlling sensitive operations. It provides core functions, such as defining approval scopes and flows, to meet the internal compliance needs of various enterprises.
Features
While managing data development in DataWorks, you can control permissions for resources like table data and Data Service APIs. To do this, you can customize approval flows in the Approval Center. If a compute engine approval policy is involved, you can also use the default permission approval flow for data access control provided by the DataWorks Security Center.
After you customize an approval flow, when a user applies for a permission, DataWorks checks if the permission requires that flow and, if so, processes the request accordingly.
The DataWorks Approval Center supports the following features:
-
Define approval policies: Create control flows for critical data resources and sensitive operations by defining an approval scope and flow. Notifications can be sent by text message, email, or DingTalk.
-
Process approval requests: Initiators and approvers can manage requests in the Approval Center.
For more information about configuring a custom approval policy, see compute engine approval policy, DataService Studio approval policy, and extension program approval policy.
After you configure a custom approval policy, the processes for requesting and approving table and Data Service permissions are as shown in Table field permission request and approval flow and Data Service permission request and approval flow.
Table field permission flow
After a custom approval policy is configured in the Approval Center, the following figure shows the approval flow for table field permission requests submitted in the Security Center.
-
When a user requests permissions for a MaxCompute table field in the Security Center, DataWorks selects the appropriate approval flow based on the requested table field.
-
If the requested table field is within the scope of a custom approval policy, the request enters the custom approval flow defined in the Approval Center.
-
If the requested table field is outside the data scope of any custom approval policy, the request is processed by the default approval flow in the Security Center.
-
-
If a request matches multiple custom approval policies, DataWorks uses the policy priority set in the Approval Center to determine which policy to apply.
When configuring a custom approval policy, you can define the controlled data scope by project or by data classification, and specify details such as approvers and notification methods. You can also set the priority between these two scoping methods as needed. For details, see compute engine approval policy.
Data Service permission flow
After you create a Data Service approval flow, a user performing a controlled operation—such as deploying an API, function, or service orchestration—triggers the flow in a project covered by the policy.
The following figure shows the approval flow when a user requests permissions in the Security Center.
-
When a user submits an API, function, or service orchestration in the Security Center, the system checks if a custom approval flow is configured for the workspace to determine the required process and then returns the final result.
-
If the submission triggers a custom approval flow, it is processed by the flow defined in the Approval Center.
-
If the submission does not trigger a custom approval flow, the operation is approved automatically.
-
-
When a custom approval flow is triggered, DataWorks routes the request based on the approval policy configured in the Approval Center.
When you configure a custom approval policy, you can define the controlled scope by project and specify details such as approvers and notification methods. For more information, see DataService Studio approval policy.