Configure an approval flow


SASE allows you to create approval workflows for SASE services and third-party applications, and configure settings such as approvers and Approval Permissions. This article describes how to create an approval workflow.

Create an approval flow

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Endpoint Protection > Security Alerts.

  3. On the Workflow Management page, click Create Workflow.

  4. In the Create Approval Workflow panel, configure the following parameters.

    • Workflow Name: Enter a name for the approval flow.

      The name must be 1 to 128 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    • Approval Process Type: Select the approval flow type.

      • Built-in Approval Process: An approval flow for SASE services.

      • DingTalk Approval Process: An approval flow integrated with DingTalk.

      • WeCom Approval Process: An approval flow integrated with WeCom.

    The required parameters depend on the selected Approval Process Type. Configure the parameters accordingly.

    Built-in approval flow

    • Approval Workflow: Define the approval process by adding at least one and up to five approval levels.

      The request is approved as soon as one approver approves it, and rejected as soon as one approver rejects it.

    • Application Review: Select one or more workflow templates. If you do not select a template for a specific policy type, you cannot associate that policy type with this workflow.

      The workflow templates include the following types:

      • Domain Name Whitelist Template

        This template is used for whitelist policies in Internet Access > Behavior Management.

      • Domain Name Blacklist Template

        This template is used for blacklist policies in Internet Access > Behavior Management.

      • Software Blacklist Template

        This template is used for blacklist policies in Software Management > Software Blacklist.

      • File Exfiltration Template

        This template is used for file exfiltration detection policies in Data Loss Prevention > Detection Policies.

      • App Uninstall Policy Template

        This template is used for uninstall policies in Endpoint Management > Uninstallation Approval.

      • Peripheral Control Template

        This template is used for detection policies in Data Loss Prevention > Peripheral Management.

    DingTalk approval flow

    • Client ID: The DingTalk application ID.

      How to obtain the Client ID and Client Secret

      1. Log on to the DingTalk Open Platform. In the top menu bar, choose Application Development.

      2. In the left-side navigation pane, choose DingTalk Apps and click the name of your application to go to the application details page.

      3. In the left-side navigation pane, choose Credentials and Basic Information. On the app credentials page, view the Client ID and Client Secret.

    • Client Secret: The DingTalk application secret.

    • aes_key: The encryption key for DingTalk event subscriptions.

      How to obtain the aes_key and token

      1. Log on to the DingTalk Open Platform. In the top menu bar, choose Application Development.

      2. In the left-side navigation pane, choose DingTalk Apps and click the name of your application to go to the application details page.

      3. In the left-side navigation pane, choose Event Subscriptions.

      4. On the Event Subscriptions page, set Push Method to HTTP Push. Then, click the reset button to obtain the Encryption aes_key and Signature token.

        Warning

        After you obtain the Encryption aes_key and Signature token, do not reset them again. Keep the page open because you must configure the Request URL later.

    • token: The signature token for DingTalk event subscriptions.

    • Request URL: The public URL for DingTalk to receive event subscriptions.

      Important

      Copy this URL to DingTalk Open Platform > Application Development > Enterprise internal applications > DingTalk Apps > Development Configuration > Event Subscriptions > Request URL.

    • Approval Process Configuration: Configure the association and field mapping between the SASE approval template and the DingTalk Approval Flow.

      • Workflow Template: The built-in workflow template in SASE.

      • Associate DingTalk Process ID: Enter the form ID of the DingTalk approval flow.

        How to find the form ID of a DingTalk approval flow

        1. Log on to the DingTalk admin console.

        2. In the Common Applications section in the lower-right corner of the page, click Approval.

          Alternatively, in the left-side navigation pane, choose Workbench > Application Management. In the application list, find OA Approval and click Enter in the Actions column to go to the OA Approval Management Backend page.

        3. In the left-side navigation pane, choose Form Management.

        4. In the Form Management list, view the form ID of the approval flow that you created.

      • System Fields: The read-only, built-in system fields of the workflow template.

      • Template Fields: The fields configured in the associated DingTalk flow.

      Note

      A SASE approval flow can be bound to multiple approval forms that are created in the same DingTalk application. You can click Add to configure different approval flows.

    WeCom approval flow

    To configure this flow type, an administrator must first authorize it by scanning a QR code with the WeCom client. You must then contact Alibaba Cloud support to complete the backend configuration. After the backend is configured, you can proceed with the approval flow settings below.

    • Approval Template Mapping: Configure the built-in SASE workflow template and enter the flow ID that corresponds to the WeCom approval template.

    • Field ID Mapping: Map the system fields of the SASE workflow template to the fields of the WeCom approval template.

  5. Click OK.
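
What the DingTalk Signature token from step 4 is used for, and why resetting it after it has been copied breaks event delivery, shown as an added example that is not code from this page, SASE or DingTalk. It models a receiver behind the Request URL, assuming DingTalk's documented HTTP-push signature (SHA-1 hex over the sorted token, timestamp, nonce and encrypted body). The function names, the millisecond timestamp unit, the 300-second freshness window and all sample values are assumptions or constructed.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not a DingTalk or SASE value


def callback_signature(token, timestamp, nonce, encrypt):
    """SHA-1 hex digest over the four strings, sorted and concatenated."""
    joined = "".join(sorted([token, timestamp, nonce, encrypt]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def verify_callback(stored_token, signature, timestamp, nonce, encrypt, now=None):
    """Return (ok, reason) for one inbound event push."""
    now = time.time() if now is None else now
    try:
        sent_at = int(timestamp) / 1000.0  # assumption: timestamp is in milliseconds
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = callback_signature(stored_token, timestamp, nonce, encrypt)
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), signature.encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    # Constructed sample values, not real credentials or traffic.
    stored = "token-copied-into-sase"
    reset = "token-after-reset-in-dingtalk"
    ts, nonce, body = "1700000000000", "n0nce123", "Q09OU1RSVUNURUQ="
    now = 1700000010
    good = callback_signature(stored, ts, nonce, body)
    after_reset = callback_signature(reset, ts, nonce, body)
    return {
        "matching_token": verify_callback(stored, good, ts, nonce, body, now),
        "token_reset": verify_callback(stored, after_reset, ts, nonce, body, now),
        "late_replay": verify_callback(stored, good, ts, nonce, body, now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```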

Other operations

  • Copy a workflow: To copy an existing approval flow, click Copy in the Operation column.

    Note

    This operation is supported only for built-in approval flows.

  • Edit a workflow: To edit an approval flow, click Edit in the Operation column.

  • Delete a workflow: You can delete an approval flow only if it is not associated with any policies. To delete an eligible flow, click Delete in the Operation column.
