How to configure approval processes - Data Management - Alibaba Cloud Documentation Center

In Data Management (DMS), security rules and approval processes are interconnected. You can select different approval processes for different user behaviors. This topic describes how to configure approval processes.

Prerequisites

You must be an administrator or a database administrator (DBA). For more information, see View my system roles.

Concepts

Approval node

An approval node is a stage in an approval process. You can add one or more approvers to an approval node.
Note
If an approval node has multiple approvers, the process moves to the next node as soon as one of them approves the ticket.

DMS provides four default approval nodes.

Approval node	Description
Admin	A DMS administrator approves the ticket. Note For more information about how to make a user an administrator, see Edit a user.
DBA	The DBA of the resource on which you perform the operation approves the ticket. Note You can set the DBA for an instance by editing its advanced settings on the Data Assets > Instances page.
DBA Roles	A user with the DBA role approves the ticket. This includes the DBA of the resource on which you perform the operation. Note For more information about how to assign the DBA role to a user, see Edit a user.
Owner	The owner of the resource on which you perform the operation approves the ticket. Note For more information about how to apply for instance owner or database owner permissions, see Manage access control permissions.

In addition to the default approval nodes, you can add, edit, and delete custom approval nodes. For more information, see Create an approval node.
Each approval node has a unique node ID.

Approval template
- An approval template consists of one or more approval nodes.
- In addition to the default approval templates, you can add, edit, and delete custom approval templates. For more information, see Create an approval node.
- Each approval template has a unique template ID. For example, an approval template with the ID 851 can consist of approval nodes with the IDs 512 and 511.
- You can associate an approval template with a security rule by entering the template ID in the rule.
Approval priority
You can configure approval processes for both basic configuration items and checkpoints in security rules.
Note
In DMS, the approval process for a checkpoint has a higher priority than the one for a basic configuration item. The process for a basic configuration item is used only if no process is configured for the checkpoint.

Approval-free

In DMS, the approval template ID for an approval-free process is -1. You can also use the following actions to create an approval-free process. For more information about actions, see DSL syntax for security rules.

Action	Description
@act.do_not_approve	Does not require approval.
@act.choose_approve_template -1	Sets the approval template ID to -1, which means approval-free.
@act.choose_approve_template_with_reason -1 “No approval required”	Sets the approval template ID to -1 (approval-free) and returns the message "No approval required" in the corresponding process.

Step 1: Create an approval node

Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Approval Processes.
Note
If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Approval Processes in the top navigation bar.
In the navigation pane on the left, click the Approval Node tab.
Click Add Approval Node.

Enter the required information.

Parameter	Description
Node Name	The name of the approval node.
Comment	The remarks of the approval node.
Approver	The approver for this node. You can add multiple approvers. If there are multiple approvers, the ticket is approved for this node after one approver responds.

Click Submit.

Step 2: Create an approval template

Log on to the DMS console V5.0.
In the top navigation bar, choose Security and Specifications > Approval Processes.
Note
If you use the console in simple mode, click the icon in the upper-left corner of the console, and select All Functions > Security and Specifications > Approval Flow.
In the navigation pane on the left, click the Approval Template tab.
Click Add Approval Template.

Enter the required information.

Parameter	Description
Template Name	The name of the approval template.
Comment	The remarks of the approval template.
Approval Node	Click Add Node to add an approval node. The approval nodes are processed in ascending order. For example, 0 is the first approval node and 1 is the second approval node.

Click Submit.

Next step

Apply the approval template to a security rule for an instance in Security Collaboration mode. For more information, see Apply an approval template to a security rule.

Other information

DMS provides flexible approval methods for ticket approvers.

Approve: Approve the ticket to continue the process.
Reject: Reject the ticket to end the approval process.
Revoke: The ticket submitter can revoke a ticket that is pending approval.
Change owner: The current approver can transfer the approval to another user.
Add pre-approval node: You can add a new custom approval node before the current approval node.
Add post-approval node: You can add a new custom approval node after the current approval node.

Note

You can select approvers for a new approval node only from existing DMS users. For more information about how to add users to DMS, see User Management.

FAQ

Q: In a DMS approval process, can I prevent users from approving their own tickets?
A: Yes. Instances in Security Collaboration mode support custom approval processes. To prevent users from approving their own tickets, perform these steps:
1. In the top menu bar of the DMS console, click Operations Management.
2. From the drop-down list, select Configuration Management.
3. On the Configuration Management tab, enter "remove" in the search bar to find the configuration item named Whether to automatically remove the submitter from the approval node of the approval flow (effective when there are multiple approvers).
4. In the Actions column, click Edit. Set the parameter value to Y and click Confirm Change.
After you complete the configuration, if a ticket submitter is also an approver in the approval flow, the system automatically removes them from the list of approvers for that ticket. This prevents self-approval.
Q: In DMS, how can I set a specific approval process for one database and an approval-free process for another?
A: You can configure advanced settings such as custom approval processes only when the instance is in Security Collaboration mode.
1. Enable Security Collaboration mode
  1. In the instance list, right-click the target instance.
  2. Choose Control Mode > Security Collaboration > mysql default to switch the mode.
    Note
    After you switch the mode, all database change operations require approval.
2. (Optional) Add an approval rule
  You can configure fine-grained approval policies as needed. To create an approval rule, see Configure approval processes.
3. Configure the approval rule
  1. In the top menu bar of the DMS console, choose Security and Disaster Recovery (DBS) > Security Rules.
  2. On the Specification Management tab, select the corresponding ruleset based on the database engine type.
  3. Find the destination rule and click Edit in the Actions column to go to the Details page.
  4. In the navigation pane on the left, choose SQL Change. In the Checkpoints section, select Risk Approval Rule.
  5. Click Add Rule and enter a DSL script to configure the rule.
  6. Example:
    To create a rule where the aes database uses the specified approval template 173956, and other databases are approval-free:
```
if    
    'aes' in @fac.ref_schema_names
then
    @act.choose_approve_template 173956
else    
    @act.do_not_approve
end
```
    You can extend the DSL expression as needed. For more information about the syntax, see DSL syntax for security rules.