# UDF reviews

> Review and approve custom user-defined functions before deployment.

**User-defined functions (UDFs)** extend Planasonix with custom logic—SQL UDFs in the warehouse, script nodes, or engine plugins depending on your deployment. Because UDFs execute **arbitrary code** or **elevated SQL** in governed environments, **UDF reviews** gate what reaches production.

## Enterprise feature

The **UDF reviews** workflow is an **Enterprise** control. It adds **submission**, **diff review**, **approval**, and **audit trails** on top of standard pipeline permissions. Without it, UDF changes may follow only your normal Git or canvas promotion process. If you do not see the tab, your organization has not purchased the add-on or an admin has disabled the module.

## Review workflow

<Steps>
  <Step title="Author submits">
    A developer or analytics engineer packages the UDF with **description**, **inputs/outputs**, **data classification**, and **test evidence** (sample invocations or unit results).
  </Step>

  <Step title="Automated checks">
    Static scanners flag **network calls**, **filesystem access**, and **dynamic SQL** patterns where policies forbid them. Fix or justify each finding before human review.
  </Step>

  <Step title="Peer or security review">
    Reviewers compare **versions**, read **risk notes**, and confirm alignment with [data contracts](/governance/data-contracts) and **PII** handling.
  </Step>

  <Step title="Approval and promotion">
    Approvers bind the UDF to **environments** (for example dev → staging → prod). Production deployment is blocked until required signatures are recorded.
  </Step>
</Steps>
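
One way the automated-checks step could be approximated for Python UDFs, as an added example that is not Planasonix's own scanner: it walks the submitted source's AST and flags network and filesystem modules, `open()` calls, and SQL strings assembled at runtime. The module policy, the `SQL_SINKS` method names, and `SAMPLE_UDF` are constructed assumptions.

```python
import ast

# Constructed policy for this example; not Planasonix's actual rule set.
MODULE_POLICY = {
    "socket": "network", "urllib": "network", "http": "network", "requests": "network",
    "os": "filesystem", "shutil": "filesystem", "pathlib": "filesystem",
}
SQL_SINKS = {"execute", "executemany"}  # assumed DB-API style method names

# Constructed sample submission, not a real UDF.
SAMPLE_UDF = '''
import requests
def enrich(cur, customer_id):
    cur.execute("SELECT name FROM customers WHERE id = ?", (customer_id,))
    cur.execute(f"SELECT * FROM orders WHERE customer_id = {customer_id}")
    with open("/tmp/rows.csv", "w") as fh:
        fh.write(str(cur.fetchall()))
'''

def is_dynamic_string(node):
    """True when a SQL argument is assembled at runtime, not a plain literal."""
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):  # "..." + x  or  "..." % x
        return isinstance(node.op, (ast.Add, ast.Mod))
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")  # "...".format(x)

def scan_udf(source):
    """Return sorted (line, category, detail) findings for one UDF source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        for name in modules:
            category = MODULE_POLICY.get(name.split(".")[0])
            if category:
                findings.append((node.lineno, category, name))
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id == "open":
                findings.append((node.lineno, "filesystem", "open()"))
            elif (isinstance(func, ast.Attribute) and func.attr in SQL_SINKS
                  and node.args and is_dynamic_string(node.args[0])):
                findings.append((node.lineno, "dynamic-sql", func.attr + "()"))
    return sorted(findings)
```

Calling `scan_udf(SAMPLE_UDF)` reports the `requests` import, the f-string query, and the `open()` call, while the parameterized query on the line before passes. A check like this is a triage aid for reviewers: it does not follow aliases, `__import__`, or `getattr` indirection, so it complements sandboxing rather than replacing it.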

<Tabs>
  <Tab title="New UDF">
    Full review: purpose, dependency list, and performance expectations for large partitions.
  </Tab>

  <Tab title="Revision">
    Delta-focused: what changed, backward compatibility, and whether existing pipelines need revalidation.
  </Tab>

  <Tab title="Emergency fix">
    Expedited path with **post-incident** review; requires **break-glass** role and automatic ticket creation.
  </Tab>
</Tabs>

## Approval process

Typical roles:

* **Author** – submits and responds to comments
* **Technical reviewer** – validates correctness, tests, and resource usage
* **Security or governance** – approves when custom code touches sensitive domains
* **Release manager** – promotes after change windows and comms

The UI shows **status** (`draft`, `in review`, `approved`, `rejected`, `revoked`) and **immutable history** for auditors.

<Tip>
  Tie approvals to **tickets** in your ITSM tool via webhook or manual ID fields so compliance can trace every production UDF to a change record.
</Tip>

## Security considerations for custom code

<AccordionGroup>
  <Accordion title="Data exfiltration">
    UDFs that can open outbound sockets or write to arbitrary stages could leak rows. Block or sandbox capabilities your policy does not allow; prefer pure functions that operate on in-memory arguments.
  </Accordion>

  <Accordion title="Privilege escalation">
    A UDF running as a **high-privilege warehouse role** can read tables the author should not see. Use **least-privilege** roles dedicated to pipeline execution and **row access policies** where available.
  </Accordion>

  <Accordion title="Supply chain">
    Pin **dependencies** and scan **third-party libraries** the same way you scan application services. Re-review when dependencies update.
  </Accordion>

  <Accordion title="Denial of service">
    Unbounded loops, cartesian explosions, or huge aggregates inside a UDF can starve warehouses. Require **LIMIT** in exploratory queries and **cost guards** in production.
  </Accordion>
</AccordionGroup>

<Warning>
  Revoking a UDF does not automatically rewrite historical runs. Plan how you **reprocess** or **quarantine** outputs that depended on a withdrawn function.
</Warning>

## Related topics

<CardGroup cols={2}>
  <Card title="Advanced nodes" icon="puzzle" href="/nodes/advanced">
    Where UDFs and extensions surface in the graph.
  </Card>

  <Card title="Data contracts" icon="file-check" href="/governance/data-contracts">
    Encode expectations UDFs must honor.
  </Card>
</CardGroup>
