Managing Event Data Access

Applications may publish and subscribe to events that contain sensitive information such as customer data. By managing event data access you can:

  • Govern the ability of applications to publish and consume events by requiring applications to request approval to publish or consume specific events.
  • Manage who has permissions to review event access requests at the application domain level.

If an application publishes or consumes an event that it does not have approval for, a banner appears at the top of the Application Details page. An application requires event access approval when all of the following conditions are met:

  • The event's Access Approval is set to Requires Approval.
  • The application and the event that requires approval are located in different application domains.
  • The application publishes the event that requires approval or the application attracts the event through a consumer with an appropriate subscription.

Event Access Approval Workflow

The following steps describe the workflow for managing event access from creating an event that requires approval to approving or declining event data access requests.

  1. A user creates an event that includes sensitive information and specifies that access to the event data requires approval. For more information, see Creating an Event.
  2. When another user who is adding or editing an application in a different application domain publishes an event that requires approval, or adds a subscription to a consumer for such an event, a banner appears in the application to inform them of the access requirement. For more information, see Creating Applications.
  3. The user creating or updating the application sends access requests for the referenced events that require approval. For more information, see Requesting Event Access.
  4. Users with permission to approve event access requests in the event's application domain receive a notification about the pending requests.
  5. The reviewer approves or declines the requests. For more information, see Reviewing Event Access Requests.
  6. The user who sent the requests receives notification of the decision.
  7. If access to all the referenced events is approved, the application can be added to an environment.

Providing the Event Access Approver Role to a User

Administrators, Event Portal Managers and Event Portal Users with Application Domain Manager access to an application domain can give users with the Event Portal User role permission to approve event access requests in the application domain.

To give a user the event access approver role, perform these steps:

  1. Log in to the Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your SAP BTP region. For more information, see Logging In to the Cloud Console.
  2. On the navigation bar, select Designer.
  3. On the Application Domain page, click More Actions for the application domain you want to give the user access to and then select Set User Access.
  4. In the User Access dialog, select the Approval Access tab.
  5. Perform one of the following actions:
    • If your organization doesn't have user groups enabled, click Add User.
    • If your organization has user groups enabled, click Add and select either Add User Group or Add User.
  6. In the Name list, type or select the name of the user you want to give the role to. The list shows only users with the Event Portal User role for whom you have not already set the event access approver role.
  7. To remove access, click Remove in the row for the user.
  8. Click Save.
  9. Repeat steps 3-8 to give the event access approver role to another user.

The user or user group now has the event access approver role and can review event access requests. For more information, see Reviewing Event Access Requests.

For more information about Event Portal user access in application domains, see Managing User Access to Event Portal.

Requesting Event Access

If an application publishes or consumes an event in another application domain that requires approval, a request to access the event must be sent from the application, and be approved by an event access approver before the application can be added to an environment.

An event access request banner shows above the application details when the application needs approval to use one or more events. Event Portal displays the banner after you declare that you want to publish an event or you set a topic subscription in a consumer that attracts an event that requires approval.

To request event access in an application, perform these steps:

  1. Open Designer.
  2. On the Application Domains page, click the application domain containing the application that references the event requiring approval.
  3. To open the application details page, do one of the following:
    • Click Components to switch to the list view, and select the application you want to request event access for from the list.
    • Click the icon for the application you want to request event access for in the graph view. In the panel that opens, click Open Application.
  4. In the Request Event Access banner, click Manage Requests.

  5. (Optional) Click an event to expand the section and write a comment to be included with the request for that event.
  6. Click Send Requests to send the access requests for all the listed events to the approvers for this application domain.

  7. Once the requests have been sent, click the Pending Requests tab at the top of the page to view the pending requests.

Your requests have now been sent to the event access approvers. Once an approver makes their decision, declined requests will return to the Action Required tab with any message the event access approver has added. Approved requests will be counted in the Pending Requests tab.

Reviewing Event Access Requests

If you have at least event access approver access, you can approve or decline event access requests, and revoke previously approved ones, from the Event Access Requests page. Revoking access only changes the request from approved to declined. If access is revoked while the application is actively publishing or subscribing to the event, no changes are made to the operational event broker.

To manage event access requests, perform these steps:

  1. Open Designer.
  2. Click More Actions in the top right corner of the page and select Event Access Requests.
  3. In the Awaiting Review tab, click the event that you want to review, and click Review in the panel that opens.
  4. In the Review Event Access Request dialog, select Approve or Decline.
  5. (Optional) If you decline the request, add a message for the requestor.
  6. Click Send Review.
  7. If you want to view the event access requests that you have made a decision on, click the Closed Requests tab and select the event you want to view.
  8. If you want to approve a previously declined event access request, you can click Approve in the dialog that opens. Likewise, if you want to revoke the access of a previously approved event access request, you can click Revoke Access.
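
The approval conditions, the all-events-approved gate, and the revocation caveat described above can be expressed as an offline audit. This is an added example, not Event Portal code or its API; the Event and Application classes, the requests mapping, and all sample names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of the page's rules; not Event Portal's data model or API.
@dataclass(frozen=True)
class Event:
    name: str
    domain: str
    requires_approval: bool  # Access Approval set to "Requires Approval"

@dataclass
class Application:
    name: str
    domain: str
    published: set = field(default_factory=set)  # events the app publishes
    attracted: set = field(default_factory=set)  # events its subscriptions attract
    deployed: bool = False                       # already added to an environment

def events_needing_approval(app, events):
    """All three conditions: Requires Approval, other domain, referenced by the app."""
    referenced = app.published | app.attracted
    return sorted(e.name for e in events
                  if e.requires_approval and e.domain != app.domain
                  and e.name in referenced)

def audit(app, events, requests):
    """requests maps (app, event) -> 'pending', 'approved' or 'declined'."""
    needed = events_needing_approval(app, events)
    status = {n: requests.get((app.name, n), "not requested") for n in needed}
    return {
        "status": status,
        # Workflow step 7: every referenced event must be approved.
        "can_add_to_environment": all(s == "approved" for s in status.values()),
        # Revoking only flips the request to declined; the broker is untouched,
        # so a deployed app with a declined request needs manual follow-up.
        "review_on_broker": [n for n in needed
                             if app.deployed and status[n] == "declined"],
    }

# Constructed sample data
EVENTS = [
    Event("CustomerUpdated", "CRM", True),
    Event("OrderCreated", "Sales", True),
    Event("Heartbeat", "CRM", False),         # no approval required
    Event("InvoiceIssued", "Billing", True),  # same domain as the app
]
APP = Application("BillingService", "Billing", {"InvoiceIssued"},
                  {"CustomerUpdated", "OrderCreated", "Heartbeat"}, deployed=True)
REQUESTS = {("BillingService", "CustomerUpdated"): "approved",
            ("BillingService", "OrderCreated"): "declined"}  # revoked after deploy

REPORT = audit(APP, EVENTS, REQUESTS)
```

In the sample, OrderCreated ends up in review_on_broker because its access was revoked while the application was already deployed, which is the case the revocation note leaves for operators to handle on the broker.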

Notifications

By default, users requesting event access for an application are notified in the Cloud Console and by email when the approval status of a request changes.

By default, users who can review event access requests are notified in the Cloud Console and by email when a new event access request is created and needs to be reviewed.

For information about managing your notification settings, see System Notifications.