Background information
ODC V4.2.0 has built-in approval processes that implement database security control in team collaboration scenarios. Each approval process has a risk level. In ODC, operations that hit the same risk level trigger the same approval process.
ODC V4.2.0 allows system administrators and users with external integration management permissions to configure integration with external approval systems. When editing an approval process, you can add an approval node to reference an integrated external approval system. In this way, you can combine external approval nodes with the built-in ODC approval process.
This topic describes how to configure and manage approval integration.
Execution process

1. The ODC system administrator, or a user with external integration management permissions, enables approval integration, configures the request and response API information for the external approval system based on the configuration templates provided by ODC, and creates an external approval integration configuration.
2. The ODC system administrator creates a task approval process and selects the external system integration node as an approval node.
3. The ODC system administrator edits a risk level and selects the created approval process.
4. An ODC member initiates a task ticket. If the approval role of the approval task process node is external system integration, ODC calls the API of the external approval system to create an approval process. The approval result is automatically synchronized to the ODC approval process.
Configuration
Configuration method
You can edit the YAML file online to configure approval integration. The YAML file allows you to configure the following information:
- HTTP connection parameters
- APIs for creating a process, querying process status, and terminating a process
- Encryption parameters
The following table describes the fields supported by the YAML file.
| Level-1 parameter | Level-2 parameter | Level-3 parameter | Level-4 parameter | Type | Default value | Description |
|---|---|---|---|---|---|---|
| http | connectTimeoutSeconds | - | - | Integer | 5 | The connection timeout period of the HTTP request. Unit: seconds. |
| http | socketTimeoutSeconds | - | - | Integer | 30 | The socket timeout period of the HTTP request. Unit: seconds. |
| api | start (used to initiate a new approval ticket request to the external approval system) | method | - | Enum | POST | The HTTP request method. Valid values: GET, POST, PUT, and PATCH. |
| api | start (used to initiate a new approval ticket request to the external approval system) | url | - | String | <NULL> | The HTTP request address. |
| api | start (used to initiate a new approval ticket request to the external approval system) | headers | - | Map<String, String> | <NULL> | The HTTP request header. |
| api | start (used to initiate a new approval ticket request to the external approval system) | queryParameters | - | Map<String, String> | <NULL> | The HTTP request parameter. |
| api | start (used to initiate a new approval ticket request to the external approval system) | body | type | ENUM | <NULL> | The format of the HTTP request body. Valid values: FORM_DATA and RAW. |
| api | start (used to initiate a new approval ticket request to the external approval system) | body | content | Object | <NULL> | The content of the HTTP request body. |
| api | start (used to initiate a new approval ticket request to the external approval system) | requestEncrypted | - | Boolean | false | Specifies whether the HTTP request body is encrypted. |
| api | start (used to initiate a new approval ticket request to the external approval system) | requestSuccessExpression | - | String | <NULL> | An expression that parses the response body and determines whether a request is successfully executed. The expression conforms to the Spring Expression Language (SPEL) syntax specification. |
| api | start (used to initiate a new approval ticket request to the external approval system) | extractInstanceIdExpression | - | String | <NULL> | An expression that parses the external approval system process ID based on the response body. The expression conforms to the SPEL syntax specification. |
| api | status (used to initiate an approval status query request to the external approval system) | method | - | Enum | POST | The HTTP request method. Valid values: GET, POST, PUT, and PATCH. |
| api | status (used to initiate an approval status query request to the external approval system) | url | - | String | <NULL> | The HTTP request address. |
| api | status (used to initiate an approval status query request to the external approval system) | headers | - | Map<String, String> | <NULL> | The HTTP request header. |
| api | status (used to initiate an approval status query request to the external approval system) | queryParameters | - | Map<String, String> | <NULL> | The HTTP request parameter. |
| api | status (used to initiate an approval status query request to the external approval system) | body | type | ENUM | <NULL> | The format of the HTTP request body. Valid value: FORM_DATA. |
| api | status (used to initiate an approval status query request to the external approval system) | body | content | Object | <NULL> | The content of the HTTP request body. |
| api | status (used to initiate an approval status query request to the external approval system) | requestEncrypted | - | Boolean | false | Specifies whether the HTTP request body is encrypted. |
| api | status (used to initiate an approval status query request to the external approval system) | requestSuccessExpression | - | String | <NULL> | An expression that parses the response body and determines whether a request is successfully executed. The expression conforms to the SPEL syntax specification. |
| api | status (used to initiate an approval status query request to the external approval system) | processPendingExpression | - | String | <NULL> | An expression that parses the response body and determines whether the approval ticket is in the pending status. The expression conforms to the SPEL syntax specification. |
| api | status (used to initiate an approval status query request to the external approval system) | processApprovedExpression | - | String | <NULL> | An expression that parses the response body and determines whether the approval ticket is in the approved status. The expression conforms to the SPEL syntax specification. |
| api | status (used to initiate an approval status query request to the external approval system) | processRejectedExpression | - | String | <NULL> | An expression that parses the response body and determines whether the approval ticket is in the rejected status. The expression conforms to the SPEL syntax specification. |
| api | status (used to initiate an approval status query request to the external approval system) | processTerminatedExpression | - | String | <NULL> | An expression that parses the response body and determines whether the approval ticket is in the terminated status. The expression conforms to the SPEL syntax specification. |
| api | status (used to initiate an approval status query request to the external approval system) | responseEncrypted | - | Boolean | false | Specifies whether the HTTP response body is encrypted. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | method | - | Enum | POST | The HTTP request method. Valid values: GET, POST, PUT, and PATCH. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | url | - | String | <NULL> | The HTTP request address. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | headers | - | Map<String, String> | <NULL> | The HTTP request header. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | queryParameters | - | Map<String, String> | <NULL> | The HTTP request parameter. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | body | type | ENUM | <NULL> | The format of the HTTP request body. Valid value: FORM_DATA. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | body | content | Object | <NULL> | The content of the HTTP request body. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | requestEncrypted | - | Boolean | false | Specifies whether the HTTP request body is encrypted. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | requestSuccessExpression | - | String | <NULL> | An expression that parses the response body and determines whether a request is successfully executed. The expression conforms to the SPEL syntax specification. |
| api | cancel (used to initiate a ticket cancel request to the external approval system) | responseEncrypted | - | Boolean | false | Specifies whether the HTTP response body is encrypted. |
| approvalTimeoutSeconds | - | - | - | Integer | 86400 | The approval timeout period. Unit: seconds. When the specified period expires, ODC actively terminates the approval instance. |
| advanced | hyperlinkExpression | - | - | String | <NULL> | An expression that constructs the URL used to redirect to the external approval system to view ticket details. |
Template variable
ODC provides template variables that you can use when you specify configuration parameters. To reference a template variable, embed it in a String parameter in the format ${parameter_name}.
Supported template variables and descriptions are as follows:
| Parameter Name | Type | Scope | Description |
|---|---|---|---|
| odc.site.url | String | Approval integration | The address for external access to the ODC website. It starts with http or https and includes the VIP address/domain/port. The address should not end with a slash (/). The value of this variable is configured by the user in the system parameters table. |
| process.instance.id | String | Approval integration (used for querying external approval status or canceling external approvals) | Process instance ID created by the external approval system. |
| task.type | String | Approval integration | Task type. |
| task.details | String | Approval integration | Task details (content is a JSON string converted from the request parameters when the task is initiated). |
| user.id | Long | Approval integration | ODC User ID. |
| user.name | String | Approval integration | ODC User name. |
| user.account | String | Approval integration | ODC User Account Name. |
| connection.name | String | Approval integration | Source data name. |
| connection.tenant | String | Approval integration | Tenant name of the source data. |
| connection.properties.${key} | String | Approval integration | Parameters of the source data (parameters set in Map<String, String> format when the database is connected, where ${key} can be any key in the connection parameter Map). |
| sql.content | String | Approval Integration (valid only for database change tasks) | SQL content to be checked. |
| sql.content.json.array | String | Approval Integration (valid only for database change tasks) | SQL content to be checked (organized as a JSON array after splitting into multiple SQL statements by delimiter). |
| database.owner.ids | String | Approval integration | User ID list of the database owner, in JSON array format. |
| database.owner.accounts | String | Approval integration | Username list of the database owner, in JSON array format. |
| database.owner.names | String | Approval integration | Name list of the database owner, in JSON array format. |
| database.name | String | Approval integration | Database name. |
| environment.name | String | Approval integration | Environment name. |
| task.description | String | Approval integration | Task description. |
| risk.level | String | Approval integration | Risk level. |
| project.owner.ids | String | Approval integration | User ID list of the project owner, in JSON array format. |
| project.owner.accounts | String | Approval integration | Username list of the project owner, in JSON array format. |
| project.owner.names | String | Approval integration | Name list of the project owner, in JSON array format. |
| odc.task.url | String | Approval integration | Access address of the task. |
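
A pre-deployment check for the `${...}` references described above, as an added example (not part of ODC or of the original page). It flags placeholders that are not in the variable table and uses of `process.instance.id` in the `start` API, which the table scopes to status queries and cancellation. The function name, the sample configuration and its host name are constructed for illustration.

```python
import re

# Variable names from the template variable table above.
DOCUMENTED = {
    "odc.site.url", "process.instance.id", "task.type", "task.details",
    "user.id", "user.name", "user.account", "connection.name",
    "connection.tenant", "sql.content", "sql.content.json.array",
    "database.owner.ids", "database.owner.accounts", "database.owner.names",
    "database.name", "environment.name", "task.description", "risk.level",
    "project.owner.ids", "project.owner.accounts", "project.owner.names",
    "odc.task.url",
}
PLACEHOLDER = re.compile(r"\$\{([^{}]*)\}")
# connection.properties.${key} accepts any key of the connection parameter map.
CONNECTION_PROPERTY = re.compile(r"connection\.properties\.\S+")
API_SECTION = re.compile(r"^\s+(start|status|cancel):\s*$")
TOP_LEVEL_KEY = re.compile(r"^\w+:")


def lint_placeholders(config_text):
    """Return (line_number, placeholder, problem) for each suspicious reference."""
    findings, section = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment line
        if TOP_LEVEL_KEY.match(line):
            section = None  # a new top-level key ends the previous API section
        match = API_SECTION.match(line)
        if match:
            section = match.group(1)
        for name in PLACEHOLDER.findall(line):
            known = name in DOCUMENTED or CONNECTION_PROPERTY.fullmatch(name)
            if not known:
                findings.append((lineno, name, "not a documented template variable"))
            elif name == "process.instance.id" and section == "start":
                findings.append((lineno, name, "not available when starting a process"))
    return findings


# Constructed sample configuration with three deliberate mistakes.
SAMPLE = """\
api:
  start:
    url: https://approval.example.com/start?ref=${process.instance.id}
    body:
      content: '{"user": "${user.nmae}", "zone": "${connection.properties.zone}"}'
  cancel:
    body:
      content: '{"processInstanceId": "${processInstanceId}"}'
"""
```
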
Configuration template
```yaml
# This is a template for integrating a custom approval system.
# You must fill in all required fields according to the requirements to adapt to your approval system.

# Approval timeout in seconds
# ODC will actively terminate the external process instance if this value is exceeded
approvalTimeoutSeconds: 86400
# HTTP configurations
http:
  # HTTP connection timeout in seconds
  connectTimeoutSeconds: 5
  # HTTP socket timeout in seconds
  socketTimeoutSeconds: 30
# API configurations
api:
  # API configurations used to start a process instance
  start:
    # The request method. Valid values: GET, POST, PUT, and PATCH.
    method: ~
    # Request URI
    url: ~
    # The request header in the <key: value> format.
    headers:
      # Sample of headers
      Content-Type: application/json;charset=UTF-8
      Accept: application/json
    # Request query parameters in the <key: value> format.
    queryParameters: ~
    # Request body
    body:
      # The type of request body. Valid values: FORM_DATA and RAW.
      type: RAW
      # The content of request body in the <String> or <key: value> format. <String> is supported for the RAW type and <key: value> is supported for the FORM_DATA type.
      # Sample of request content in the RAW type
      content: |-
        {
          "userId": "${user.id}",
          "userName": "${user.name}",
          "taskType": "${task.type}",
          "connection": "${connection.name}",
          "tenant": "${connection.tenant}"
        }
    # Mark whether the request body is encrypted
    requestEncrypted: false
    # Expression to judge whether the request is successful based on the response body analysis, using the SPEL syntax
    requestSuccessExpression: '[success] == true'
    # Mark whether the response body is encrypted
    responseEncrypted: false
    # Expression to extract ID of process instance created by the external system based on the response body analysis, using the SPEL syntax
    extractInstanceIdExpression: '[content][processInstanceId]'
  # API configurations used to query the status of a process instance
  # Usage of the parameter with the same name is consistent with that described above
  status:
    method: ~
    url: ~
    headers: ~
    queryParameters: ~
    body:
      type: FORM_DATA
      # Sample of request content in type of FORM_DATA
      content:
        processInstanceId: ${process.instance.id}
        authKey: this-is-an-example
    requestEncrypted: false
    requestSuccessExpression: '[success] == true'
    responseEncrypted: false
    # Expression to judge that the process instance is waiting for approval based on the response body analysis, using the SPEL syntax
    processPendingExpression: '[content][processInstanceStatus] == "RUNNING"'
    # Expression to judge that the process instance is approved based on the response body analysis, using the SPEL syntax
    processApprovedExpression: '[content][outResult] == "APPROVED"'
    # Expression to judge that the process instance is rejected based on the response body analysis, using the SPEL syntax
    processRejectedExpression: '[content][outResult] == "REJECTED"'
    # Expression to judge that the process instance is terminated based on the response body analysis, using the SPEL syntax
    processTerminatedExpression: '[content][processInstanceStatus]=="TERMINATED"'
  # API configurations used to cancel a process instance
  # Usage of the parameter with the same name is consistent with that described above
  cancel:
    method: ~
    url: ~
    headers: ~
    queryParameters: ~
    body:
      type: RAW
      # Sample of request content in the RAW type
      content: |-
        {
          "processInstanceId": "${process.instance.id}"
        }
    requestEncrypted: false
    requestSuccessExpression: '[success] == true'
    responseEncrypted: false
# Advanced parameters
advanced:
  # Expression to build URL for jumping to external system to view ticket details
  hyperlinkExpression: http://localhost:5678/instanceDetails/?procInsId=${process.instance.id}
```
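
The status expressions decide whether a ticket is treated as approved, so it is worth checking them against real response bodies before the integration is enabled. The following added example (not ODC code; a Python stand-in that handles only the `[key][key] == literal` form used in the template, not full SpEL) lists constructed responses that match no state or more than one. This page does not say how ODC resolves such responses; the response bodies and the `COMPLETED` and `SUSPENDED` values are assumptions.

```python
import json
import re

# The four status expressions from the configuration template.
STATUS_EXPRESSIONS = {
    "pending": '[content][processInstanceStatus] == "RUNNING"',
    "approved": '[content][outResult] == "APPROVED"',
    "rejected": '[content][outResult] == "REJECTED"',
    "terminated": '[content][processInstanceStatus]=="TERMINATED"',
}
# Only the shape used in the template is handled: [key]...[key] == literal.
EXPRESSION = re.compile(r'^((?:\[\w+\])+)\s*==\s*("[^"]*"|true|false)$')


def evaluate(expression, response):
    """Evaluate one template-style expression against a parsed response body."""
    match = EXPRESSION.match(expression.strip())
    if not match:
        raise ValueError("unsupported expression: " + expression)
    value = response
    for key in re.findall(r"\[(\w+)\]", match.group(1)):
        if not isinstance(value, dict) or key not in value:
            return False  # a missing field matches nothing
        value = value[key]
    return value == json.loads(match.group(2))


def matching_states(response_text):
    """Return every state whose expression is true for this response body."""
    response = json.loads(response_text)
    return [s for s, e in STATUS_EXPRESSIONS.items() if evaluate(e, response)]


def audit(samples):
    """Return only the samples that do not match exactly one state."""
    results = {name: matching_states(body) for name, body in samples.items()}
    return {name: states for name, states in results.items() if len(states) != 1}


# Constructed response bodies for a hypothetical external approval system.
SAMPLES = {
    "waiting": '{"success": true, "content": {"processInstanceStatus": "RUNNING", "outResult": null}}',
    "approved": '{"success": true, "content": {"processInstanceStatus": "COMPLETED", "outResult": "APPROVED"}}',
    "approved_but_running": '{"success": true, "content": {"processInstanceStatus": "RUNNING", "outResult": "APPROVED"}}',
    "unknown_status": '{"success": true, "content": {"processInstanceStatus": "SUSPENDED", "outResult": null}}',
}
```

Calling `audit(SAMPLES)` returns the two ambiguous samples; tightening the expressions until the result is empty for every response the external system can produce keeps the four states mutually exclusive.
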
Prerequisites
You are the system administrator or have the external integration management permissions.
Create approval integration
1. In the project collaboration window, choose External Integration > Approval Integration > Create Approval Integration.
2. In the Create Approval Integration panel, specify the following parameters.

   | Parameter | Description |
   |---|---|
   | Name | The name of the approval integration configuration. |
   | Status | Specifies whether to enable the approval integration configuration. |
   | Settings | Edit the YAML file online to configure approval integration. For more information, see Configuration. |

3. Click Save. The approval integration configuration is created.
4. In the approval integration list, you can enable, view, edit, and delete approval integration settings.
5. Edit the approval process and reference the approval integration configuration.
Manage approval integration
In the approval integration list, click
References
[Risk levels, identification rules, and approval processes](../700.database-change-management/300.risk-level-risk-identification-rules-and-approval-process.md)