From 723c94a193ca7469cfa13df77b12d2f79529ffd4 Mon Sep 17 00:00:00 2001 From: adela Date: Fri, 6 Mar 2026 17:13:07 +0100 Subject: [PATCH 1/4] update approval flow tuts --- ...ement-with-risk-adjusted-approval-flow.mdx | 41 +++++++------------ 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx b/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx index 53534f4bf..e9d58894d 100644 --- a/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx +++ b/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx @@ -1,7 +1,7 @@ --- -title: 'Database Change with Risk-Based Approval Flow' +title: 'Database Change with Custom Approval Flow' author: Adela -updated_at: 2023/06/01 16:15 +updated_at: 2026/03/04 16:15 tags: Tutorial integrations: General category: 'UI-Driven Workflow' @@ -13,14 +13,13 @@ import TerminalDockerRunVolume from '/snippets/install/terminal-docker-run-volum Bytebase provides a basic yet configurable rollout mechanism by default. This means that manual rollout is skipped for **Test** environments and required for **Prod** environments. -However, for more complicated enterprise-level cases, users may need different approval flows to handle database changes according to different potential risks. For example, DDL in Prod environments is considered high risk, while DML in Test environments is low risk. Additionally, users may need to involve roles other than **DBA/Developer/Project Leader**, such as **Testers**. +However, for more complicated enterprise-level cases, users may need different approval flows to handle database changes according to different conditions. For example, DDL that drops tables should require multi-level approval, while creating a new table may only need DBA review. Additionally, users may need to involve roles other than **DBA/Developer/Project Leader**, such as **Testers**. -This tutorial will walk you through how to create custom approval flows based on self-defined risk rules and how to add new roles to be involved. +This tutorial will walk you through how to create custom approval flows with condition-based rules and how to add new roles to be involved. ## Feature included - Custom approval -- Risk center - Custom roles ## Prerequisites @@ -74,24 +73,14 @@ This tutorial will walk you through how to create custom approval flows based on ![bb-issue-no-approval-flow](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-issue-no-approval-flow.webp) -## Step 4 - Configure a Custom Approval and Run a Schema Change +## Step 4 - Configure Custom Approval Rules and Run a Schema Change - +1. Login as **Admin**. Click **CI/CD > Custom Approval** on the left bar. Under the **Change Database** section, click **Add Rule** to create approval rules with conditions: -To learn the best practice, check out [Risks Best Practice](/tutorials/risks-best-practice/). + - Rule 1: Title: `DDL ALTER in Prod`; Condition: `statement.sql_type == "ALTER_TABLE" && resource.environment_id == "prod"`; Approval Flow: `Project Owner -> DBA` + - Rule 2: Title: `DDL CREATE in Prod`; Condition: `statement.sql_type == "CREATE_TABLE" && resource.environment_id == "prod"`; Approval Flow: `DBA` - - -1. Login as **Admin**. Click **CI/CD > Custom Approval** on the left bar. Choose `Project Owner → DBA` for **DDL** > **High Risk** and `DBA` for **DDL** > **Moderate Risk**. - - ![bb-custom-approval](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-custom-approval.webp) - -1. Either click **the related risk rules** or **CI/CD > Risks** on the left bar. Add two new rules - - - Name: `DDL ALTER`; Risk Level: `High`; Type: `DDL`; Condition: `sql_type == 'ALTER_TABLE'` - - Name: `DDL CREATE`; Risk Level: `Moderate`; Type: `DDL`; Condition: `sql_type == 'CREATE_TABLE'` - - ![bb-risks](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-risks.webp) + Rules are evaluated top to bottom - the first matching rule wins. You can drag to reorder them. 1. Logout and login as **Developer**. Go into the project, select both databases and click **Edit Schema**. Paste the same SQL as before and click **Create**. @@ -103,7 +92,7 @@ To learn the best practice, check out [Risks Best Practice](/tutorials/risks-bes ); ``` -1. This time, the issue is detected as **Moderate** risk, so it will be reviewed by **DBA** workflow. +1. This time, the CREATE TABLE statement matches the second rule, so it will be reviewed by the **DBA** approval flow. ![bb-issue-moderate](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-issue-moderate.webp) @@ -113,7 +102,7 @@ To learn the best practice, check out [Risks Best Practice](/tutorials/risks-bes ALTER TABLE employee ADD COLUMN age INT NOT NULL; ``` -1. This time, the issue is detected as **High** risk, so it will be reviewed by **Project Owner -> DBA** workflow. +1. This time, the ALTER TABLE statement matches the first rule, so it will be reviewed by the **Project Owner -> DBA** approval flow. ![bb-issue-high](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-issue-high.webp) @@ -125,13 +114,13 @@ What if there is other roles in the team, for example, a **Tester** . Bytebase h ![bb-roles-tester](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-roles-tester.webp) -1. Click **CI/CD > Custom Approval**, and click **Approval Flows** tab. Click **Create** and fill in the form like this. +1. Click **CI/CD > Custom Approval**. Under the **Change Database** section, click **Add Rule** and create a new approval flow with `Tester -> DBA` as the approval nodes. ![bb-new-approval-flow](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-new-approval-flow.webp) 1. Create a new user with the role **Tester**. -1. Go to **CI/CD > Custom Approval**, and select `Tester->DBA` as the Moderate Risk approval flow. +1. Go to **CI/CD > Custom Approval**, and edit the CREATE TABLE rule to use the `Tester -> DBA` approval flow instead. 1. Logout and login as **Developer**. Go into the project, select both databases and click **Edit Schema**. Paste the same SQL as before and click **Create**. @@ -143,10 +132,10 @@ What if there is other roles in the team, for example, a **Tester** . Bytebase h ); ``` -1. This time, the issue is detected as **Moderate** risk, so it will be reviewed by **Tester -> DBA** workflow. +1. This time, the CREATE TABLE statement matches the rule and will be reviewed by the **Tester -> DBA** approval flow. ![bb-issue-tester-dba](/content/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow/bb-issue-tester-dba.webp) ## Summary -Now you have tried database change with risk-adjusted custom approval flow, and also create your own custom roles as well. Bytebase provides more enterprise-level features regarding data security and data access control. If you're interested in that, follow [Just-in-Time Database Access](/tutorials/just-in-time-database-access-part1/). +Now you have tried database change with condition-based custom approval flow, and also create your own custom roles as well. Bytebase provides more enterprise-level features regarding data security and data access control. If you're interested in that, follow [Just-in-Time Database Access](/tutorials/just-in-time-database-access-part1/). From 1d34d784ccdd38a070d7eae52e8e305f9594633b Mon Sep 17 00:00:00 2001 From: adela Date: Fri, 6 Mar 2026 17:18:24 +0100 Subject: [PATCH 2/4] update related tuts --- docs/tutorials/deploy-schema-migration.mdx | 2 +- docs/tutorials/first-schema-change.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tutorials/deploy-schema-migration.mdx b/docs/tutorials/deploy-schema-migration.mdx index f316b6378..6bd57af03 100644 --- a/docs/tutorials/deploy-schema-migration.mdx +++ b/docs/tutorials/deploy-schema-migration.mdx @@ -101,7 +101,7 @@ Bytebase offers **Community**, **Pro**, and **Enterprise** [plans](https://www.b ### Level 3: Manual rollout with custom approval (Enterprise) -If you want the approval flow to be dynamic based on context, such as the type of SQL statements, follow this tutorial: [Database Change with Risk-Based Approval Flow](/tutorials/database-change-management-with-risk-adjusted-approval-flow/). +If you want the approval flow to be dynamic based on context, such as the type of SQL statements, follow this tutorial: [Database Change with Custom Approval Flow](/tutorials/database-change-management-with-risk-adjusted-approval-flow/). ### Summary diff --git a/docs/tutorials/first-schema-change.mdx b/docs/tutorials/first-schema-change.mdx index 442b5cfc7..838b2ae59 100644 --- a/docs/tutorials/first-schema-change.mdx +++ b/docs/tutorials/first-schema-change.mdx @@ -77,4 +77,4 @@ You've completed your first schema change. Continue with: - [Move Schema Changes from Test to Prod](/tutorials/how-to-move-schema-change-from-test-to-prod/) - for environment transitions - [Deploy with Rollout Policy](/tutorials/deploy-schema-migration/) - for manual rollouts -- [Risk-Based Approval Flow](/tutorials/database-change-management-with-risk-adjusted-approval-flow/) - for adding approvers +- [Custom Approval Flow](/tutorials/database-change-management-with-risk-adjusted-approval-flow/) - for adding approvers From 154e11343dafb5d8bb9abf84d9ff297cdaa6f971 Mon Sep 17 00:00:00 2001 From: adela Date: Fri, 6 Mar 2026 17:23:57 +0100 Subject: [PATCH 3/4] update --- docs/tutorials/just-in-time-database-access-amazon-aurora.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorials/just-in-time-database-access-amazon-aurora.mdx b/docs/tutorials/just-in-time-database-access-amazon-aurora.mdx index 456f5fb68..7d767e3cc 100644 --- a/docs/tutorials/just-in-time-database-access-amazon-aurora.mdx +++ b/docs/tutorials/just-in-time-database-access-amazon-aurora.mdx @@ -193,7 +193,7 @@ In Bytebase **Enterprise Plan**, you can request a JIT access to the production ![bb-assign-license](/content/docs/tutorials/just-in-time-database-access-amazon-aurora/bb-assign-license.webp) - To elaborate on custom approval, take a look at the following diagram. By defining a custom approval flow along with risk policy, Bytebase will automatically trigger the approval flow when the corresponding risk level is met. In our case, we define a high risk policy for `Request Querier Role` which triggers when the environment is `Prod`. + To elaborate on custom approval, take a look at the following diagram. By defining a custom approval flow with CEL conditions, Bytebase will automatically trigger the approval flow when the condition is met. In our case, we define an approval rule for `Request Role` which triggers when the environment is `Prod`. ![request-query](/content/docs/tutorials/just-in-time-database-access-amazon-aurora/request-query.webp) From 8757d452a431ad66810222a6cff3618a9b17e23c Mon Sep 17 00:00:00 2001 From: Adela Date: Mon, 9 Mar 2026 17:01:24 +0100 Subject: [PATCH 4/4] Update docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ...abase-change-management-with-risk-adjusted-approval-flow.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx b/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx index e9d58894d..54e0086e6 100644 --- a/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx +++ b/docs/tutorials/database-change-management-with-risk-adjusted-approval-flow.mdx @@ -138,4 +138,4 @@ What if there is other roles in the team, for example, a **Tester** . Bytebase h ## Summary -Now you have tried database change with condition-based custom approval flow, and also create your own custom roles as well. Bytebase provides more enterprise-level features regarding data security and data access control. If you're interested in that, follow [Just-in-Time Database Access](/tutorials/just-in-time-database-access-part1/). +Now you have tried database change with condition-based custom approval flow, and also created your own custom roles. Bytebase provides more enterprise-level features regarding data security and data access control. If you're interested in that, follow [Just-in-Time Database Access](/tutorials/just-in-time-database-access-part1/).