In DMS, security rules and approval processes are interrelated. If the built-in ticket approval templates do not meet your business needs, you can create a custom approval process. This ensures that all database change tickets submitted for a production environment use your custom approval process.
Overview
-
Create an approval node
Add the DMS users who approve tickets to an approval node.
-
Create an approval template
Define a custom ticket approval workflow.
-
Apply the approval template to the security rule associated with the instance
To activate the custom approval template, apply it to the instance's associated security rule.
Prerequisites
-
You are a DBA or an administrator. For more information, see View my system role.
-
The instance uses the Security Collaboration control mode.
Usage notes
-
An instance can be associated with only one security rule, which can be the default rule or a custom rule.
-
We recommend that you configure at least two approvers in a ticket approval process to prevent incorrect approvals or delays.
-
Instance-level security rules allow you to set different approval processes for instances or databases, but they can be limiting in practice. For example:
-
A database instance has only one DBA. To avoid bottlenecks with a single approver, you may need to assign approval duties to multiple users with the DBA role.
-
A database instance is shared by databases that belong to multiple business units. You may need to include each business unit in the approval process to handle tickets for their respective databases.
-
Step 1: Create an approval node
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
On the Approval Node tab, click Create Approval Node and configure the parameters in the dialog box.
For this example, create two approval nodes for the test administrator
db_docand the test userdmsuser.The dialog box includes three required fields: Name, Remarks, and Approver. After you complete the configuration, click Submit.
NoteYou can add one or more approvers to an approval node. If an approval node has multiple approvers, any one of them can approve the request.
-
Click Submit.
After submission, the two approval nodes you created appear in the list: Test User (ID 4505448, Database
db_doc, Usernamedmsuser_test) and Test Admin (ID 4505433, Databasedb_doc, Usernamedb_doc). Their Type is Custom, and you can Edit or Delete them.
Step 2: Create an approval template
-
On the Approval Template tab, click Create Approval Template and configure the parameters in the dialog box.
For this example, name the template Test User->Test Admin and add the remark Define the approval flow: first approved by the test user, then by the test admin. Then, add the approval nodes in the following order: Test User, Test Admin.
-
Click Submit.
-
After the template is created, record the new Template ID.
In this example, the Template ID is 4399383.
The new approval template has an approval flow of Test User->Test Admin. Its Type is Custom, its Associated Object is
db_doc, and the number of Approval Levels is 2. This indicates that tickets require approval first from the test user and then from the test admin.
Step 3: Apply the template to the security rule
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
On the Security Rules page, find the target rule and click Edit in the Actions column.
-
On the security rule details page, click SQL Correct.
-
Set Checkpoint to risk approval rule, and then click Edit next to Medium-risk approval process.
-
In the Rule DSL text box, replace the existing approval process ID with the new one: 4399383.
Example Rule DSL code:
if @fac.risk_level=='middle' then select_approve_template(4399383) end. After you make the change, click Submit. -
Click Submit.
-
On the rule details page, Enable the medium-risk approval process rule.
-
Associate the risk approval rule with a risk identification rule.
In the , configure the rule to apply the custom approval process to the required databases.
In the navigation pane on the left, click SQL Correct, select the Risk Identification Rules tab. In the row for the Production environment, default is medium risk rule, click Edit in the Actions column.
The following sample Rule DSL for the Production environment, default is medium risk rule indicates that when you perform a data import operation on a database in the production environment, DMS marks the operation as medium-risk. In this case, the newly created Test User->Test Admin approval template handles the approval.
if @fac.env_type in ['product'] then @act.mark_risk 'middle' 'Medium risk: production environment' end -
Verify that the configuration is successful.
For example, submit a data import ticket for a database in the production environment. During the ticket approval stage, if the approval process in the approval dialog box matches your configuration, the configuration is correct. For more information, see Data import.
For example, the Preview Details dialog box shows an approval process with three approval nodes: Submit Application (submitted by user db_doc), Test User (approved by user dmsuser_test), and Test Admin (approved by user db_doc).
Next steps
After you customize a ticket approval process, you may also need to configure how approvers receive approval notifications, such as by SMS, DingTalk, or email. For more information, see user management and Use DingTalk or Lark to send notifications.
FAQ
Q: How can I specify different approvers for different databases?
A: Set different resource owners for each database, and then add the 'Owner' system node to the approval template.