Configure an approval process-Data Management-阿里云帮助中心

In Data Management (DMS), security rules are associated with approval processes. You can configure different approval processes based on various user actions. This topic describes how to configure an approval process.

Prerequisites

You must have the administrator or DBA system role. To view your system role, see View my system role.

Key concepts

Approval node

An approval node represents a single stage in an approval process. You can add one or more approvers to an approval node.
Note
If any approver in an approval node responds, the approval process proceeds to the next node.

The system provides four default approval nodes:

Approval node	Description
Admin	An administrator approves the ticket. Note To assign the administrator role to a user, see Edit a user.
DBA	The DBA for the relevant resource approves the ticket. Note On the Data Assets > Instances page, you can set the DBA for an instance in its advanced settings.
DBA Roles	Any user with the DBA system role, including the DBA for the specific resource, can approve the ticket. Note To assign the DBA role to a user, see Edit a user.
owner	The owner of the relevant resource approves the ticket. Note To apply for owner permissions for an instance or database, see Manage access control permissions.

In addition to the default approval nodes, you can create, edit, and delete custom approval nodes. For more information, see Create an approval node.
Each approval node has a unique ID.

Approval template
- An approval template consists of one or more approval nodes.
- In addition to the default approval templates, you can create, edit, and delete custom approval templates. For more information, see Create an approval template.
- Each approval template has a unique ID. For example, an approval template with the ID 851 might be composed of approval nodes with the IDs 512 and 511.
- You can specify the ID of an approval template in a security rule to associate the rule with that template.
Approval priority
For different modules, you can configure approval processes in both the basic configuration items of a security rule and at specific checkpoints.
Note
DMS uses the default approval process only when no process is specified for the checkpoint.

Approval-free

In DMS, the ID for an approval-free template is -1. You can also achieve an approval-free workflow by using the following actions. For more information about these actions, see DSL syntax for security rules.

Action	Description
@act.do_not_approve	No approval is required.
@act.choose_approve_template -1	Sets the approval template ID to -1 (approval-free).
@act.choose_approve_template_with_reason -1 "No approval required"	Sets the approval template ID to -1 (approval-free) and returns the message "No approval required" in the process.

Step 1: Create an approval node

Log in to DMS 5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Approval Processes.

Note
If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Approval Processes in the top navigation bar.
In the left-side navigation pane, click the Approval Node tab.
Click Create Approval Node.

Enter the required information based on the following table.

Parameter	Description
Node Name	The name of the approval node.
Remarks	The remarks for the approval node.
Approver	The approver for this node. You can add multiple approvers. If you add multiple approvers, a response from any of them completes this stage.

Click Submit.

Step 2: Create an approval template

Log in to DMS 5.0.
In the top navigation bar, choose Security and Specifications > Approval Process.
Note
If you are using the console in simple mode, click the icon in the upper-left corner and choose All Functions > Security and Specifications > Approval Process.
In the left-side navigation pane, click the Approval Template tab.
Click Create Approval Template.

Enter the required information based on the following table.

Parameter	Description
Template Name	The name of the approval template.
Remarks	The remarks for the approval template.
Approval Node	Click Add Node to add an approval node. Nodes are processed in ascending order of their sequence number. For example, a node with sequence number 0 is processed before a node with sequence number 1.

Click Submit.

Next steps

Apply the approval template to a security rule that is bound to an instance in Security Collaboration mode. For more information, see Apply an approval template to a security rule.

Available approval actions

DMS provides several flexible actions for handling approval tickets.

Approve: Approve the ticket to allow the process to continue.
Reject: Terminates the approval process.
Revoke: Allows the ticket submitter to withdraw a pending ticket.
Transfer: Allows the current approver to delegate the approval to another user.
Add pre-approval node: Add a custom approval node before the current node.
Add post-approval node: Add a custom approval node after the current node.

Note

You can select approvers for a new approval node only from users who are already added to DMS. For information about how to add users to DMS, see User management.

FAQ

Q: Can I configure the DMS approval process to prevent users from approving their own tickets?
A: Security Collaboration instances support custom approval processes. To prevent users from approving their own tickets, follow these steps:
1. In the top menu bar of DMS, click O&M Management.
2. From the drop-down list, select Configuration Management.
3. On the Configuration Management tab, enter exclude in the search box to find the configuration item named Automatically exclude submitter from approval node (effective when multiple approvers exist).
4. In the Actions column, click Edit. Set the parameter value to Y, and then click Confirm.
After the configuration is complete, if a ticket submitter is also an approver in the approval process, the system automatically removes the submitter from the list of approvers for that ticket. This prevents self-approval.
Q: How do I configure a specific approval process for a database and set up approval-free changes in DMS?
A: Advanced settings, such as custom approval processes, are available only after you enable the Security Collaboration mode for the instance.
1. Enable the Security Collaboration mode
  1. In the instance list, right-click the target instance.
  2. Select Control Mode > Security Collaboration > mysql default to switch the mode.
    Note
    After you switch the mode, all database changes are subject to an approval process.
2. (Optional) Add an approval rule
  Configure fine-grained approval policies as needed. For more information about how to create an approval rule, see Set an approval process.
3. Configure the approval rule
  1. In the top menu bar of DMS, select Security and Disaster Recovery (DBS)> Security Rules.
  2. On the Specification Management tab, select the appropriate rule set for the data engine type.
  3. Find the target rule, and click Edit in the Actions column to open the Details page.
  4. In the navigation pane on the left, select SQL change. In the Checkpoints section, select Risk Approval Rule.
  5. Click Add Rule, and then enter the DSL script for configuration.
  6. Example:
    The following example shows a rule that uses approval template 173956 for the aes database and makes changes to all other databases approval-free:
```
if    
    'aes' in @fac.ref_schema_names
then
    @act.choose_approve_template 173956
else    
    @act.do_not_approve
end
```
    You can extend the DSL expression as needed. For more information about the syntax, see Security Rule DSL Syntax.