Acceptance criteria:
- Well-defined process for adding streams to the allowlist or making modifications ("well-defined" meaning data practitioners and engineers have a clear set of steps to follow)
- Clearly-defined/scoped roles – who can review/merge, who needs to sign-off/approve (e.g. Legal) and when
- Agreed-upon syntax for specifying retention policies for streams within the allowlist file (or files?)
- Update the sanitization job (that sanitizes event data from Event Platform streams according to retention policies specified with the allowlist system from T273789) to support arbitrary retention periods because sometimes Legal approves 180 days and sometimes 270 days
Unresolved questions:
- When (if at all) should users request allowlist change reviews from Security, given that the Security team is limiting how many reviews they perform?