Skip to main content

Govern production database changes

Production database changes should be reviewed, traceable, and aligned with team standards. NineData Database DevOps helps teams centralize data source access, enforce SQL development policies, and route high-risk changes through approval workflows before execution.

Why Change Governance Matters

Without a controlled workflow, production changes often rely on direct database connections, shared accounts, chat messages, or ticket handoffs. This creates several risks:

  • Teams cannot reliably identify who executed a SQL statement.
  • Developers may run DDL or DML directly in production.
  • Naming, schema, and SQL standards are hard to enforce.
  • Permission changes caused by onboarding, role changes, or employee departures are difficult to maintain.
  • Incident review becomes slow because execution records are scattered across tools.

Use NineData to build a governed database change workflow:

  • Add production data sources to NineData and manage access from one platform.
  • Assign a data source owner so approval routing can follow business ownership.
  • Configure SQL development policies for development and production environments.
  • Disable direct production changes in SQL Console when changes must go through SQL tasks.
  • Configure approval workflows for SQL tasks.
  • Use task details and audit records to trace review and execution history.

Prerequisites

Before you configure the workflow, make sure that:

  • Production data sources have been added to NineData.
  • Each data source is assigned to the correct environment.
  • Administrators have permission to manage SQL development policies and approval processes.
  • The team has defined who should approve production changes.

Configure The Workflow

1. Add Production Data Sources

Add each production data source to NineData. After a data source is created, the creator becomes the default owner. The owner can later be used in approval routing.

Add a production data source

View the data source owner

2. Configure Development Standards And Approval Processes

NineData provides default standards and processes for development and production environments. Each data source is bound to the standards and process of its selected environment.

Default development standards and approval processes

If the default configuration does not match your governance model, update the policy and approval process. The example below disables SQL Console changes for production databases and configures a two-level approval process.

3. Disable Direct Production Changes In SQL Console

Open the SQL development policy that applies to the production environment. Edit the rules that control SQL Console DML and DDL operations, and remove the allowed operation types.

Edit SQL development policy rules

Rule NameSwitch
Edit Details
Allowed SQL Console Update Data TypeOnIn the Actions column, select Edit, find Allowed SQL Console Update Data, remove all operation types, and select OK.
edit_dml_rule
Allowed SQL Console Update Structure Operate TypeOnIn the Actions column, select Edit, find SQL Console Allowed Type, remove all operation types, and select OK.
edit_ddl_rule

4. Configure A Two-Level Approval Process

Open the approval process that applies to production SQL tasks. Add the approval levels and select the approvers.

Configure a two-level approval process

In this example, a developer can submit an SQL task only after the SQL passes the standard precheck. The task then requires first-level and second-level approval before execution.

For the first-level approver, you can use Data Source Owner instead of selecting a fixed person. When a user submits a task for a specific data source or database, NineData resolves the owner of that data source or database and routes the approval accordingly. This reduces approval-process maintenance when business owners change.

Validate The Workflow

  1. Confirm that direct DDL and DML operations are blocked in SQL Console for ordinary users. The console guides users to create an SQL task instead.

    SQL Console redirects users to an SQL task

  2. Submit an SQL task. NineData checks the SQL against the configured standards, then requests the required approvers.

    Submit an SQL task for approval

  3. After approval, the selected executor runs the SQL task. If automatic execution is enabled, NineData executes the task after the final approval.

    Execute an approved SQL task

  4. Use SQL Console or task details to verify the execution result.

    Verify the SQL execution result

Result

Production database changes now follow a controlled workflow. Users cannot bypass the configured SQL policy, approvals are recorded in the SQL task, and execution history can be reviewed during audits or incident analysis.

Next steps