Transcend allows for granular role-based access control to restrict what your organization members can or cannot do on your organization's Transcend account. Every route that we expose has the ability to be managed from the Member Scopes tab →. This means the administrator of your account can dictate which views the users in your Transcend account can see, as well as which changes they can make. We call these access controls scopes.

Throughout these docs, we will indicate when a section is referring to some set of scopes. Look for messages like this to determine how you can configure access control for certain features.

We break down every view we show, and action we allow into scopes. An administrator of your Transcend account can assign these scopes to individual members, or to teams of members within your organization.

Scopes can also be assigned to API keys. The API keys can be given that same privileges as any member in your organization.

You can manage the assignment of "Scopes" under individual users in the Users & Permissions → section within Administration.

A full list of available user scopes:

Connect Data SilosConnect new data silos to your Connected Services.
Publish Privacy CenterLaunch the Privacy Center on your own domain, and publish new changes to your deployed instance.
Submit New Data Subject RequestSubmit new data subject requests programmatically through our API.
Manage Access ControlsManage what employees in your organization can access within Transcend.
Manage API KeysCreate, update and delete API keys for programmatic access to your Transcend organization.
Manage BillingManage billing details for your organization.
Manage Consent ManagerManage & deploy Consent Manager.
Manage Data FlowsManage & deploy Consent Manager Data Flows (tracking purpose maps, site scans, cookies).
Manage Data InventoryManage the data inventory information for your organization.
Manage Data Map for Privacy RequestsEdit the configurations on your data silos and determine what information should be included in a privacy request.
Manage Data Subject Request SettingsMake changes to the request actions that your organization allows, as well as what data subjects you will serve.
Manage Email DomainsManage the domains from which Transcend can send emails on behalf of your organization.
Manage Email TemplatesManage the email communication templates that your organization uses to communicate with your data subjects.
Manage Organization InformationEdit the top-level organization settings details.
Manage Privacy Center LayoutMake changes to the Privacy Center configuration and policies.
Manage Request CompilationMake changes to the compilation process of a request. This involves changing the status of data silos in your Connected Services, as well as editing profiles and files.
Manage Request Identity VerificationManage how your organization will verify the identities of new data subject requests, and how that identity will be enriched for all of your data silos to lookup that person.
Manage Request SecurityReSign expired request encryption contexts, and data silo contexts.
Rotate Hosted Sombra keysRotate Hosted Sombra keys.
Manage SSOManage SSO configuration for members of your organization.
Request Approval and CommunicationApprove and manage the state of data subject requests, and communicate with the data subject.
View API KeysView the API keys on your account and see what scopes are assigned to them.
View Data FlowsView Data Flows (tracking purpose maps, site scans).
View Data InventoryCheck data inventory information for your organization.
View Data MapView your organization's Connected Services and see the configuration settings for each action your support.
View Data Subject Request SettingsView the DSR actions settings and data subject categories that your organization supports.
View Email DomainsView the domains from which Transcend can send emails on behalf of your organization.
View Email TemplatesView the default email templates templates used to communicate with your data subjects.
View EmployeesView the employees within your organization.
View Opt Out StatusCheck the opt out status of data subjects of your organization.
View Privacy Center LayoutView the full configuration of your Privacy Center.
View the Request CompilationView the status of privacy requests as they compile across your data.
View Identity Verification SettingsView the settings for data subject request identity verification.
View Incoming RequestsView the stream of incoming privacy requests, and any details submit through the form or later enriched.
View ScopesView the potential access control scopes that can be assigned to members in the organization.

Every employee, partner, or person that should have a login to your Transcend account is known as a member. By default, each member has no scopes. They cannot see any incoming Requests or private configurations for your organization. The only changes they can make are to their personal account settings.

In order for your members to start doing things like configuring your Privacy Center or Connected Services or responding to Data Subject Requests you must assign them scopes.

You can manage and invite new "Users" on the Users and Scopes → tab.

Typically, groups of members should be assigned the same set of scopes. For this reason, we allow you to create teams of members, and assign scopes to everyone in that team. If you remove a member from a team, that member will lose the scopes it had from that team unless the member was also individually assigned those scopes.

You can manage and invite new "Users" on from your profile icon in the bottom left, then "Administration", then Users & Permissions → tab.

When one of your employees logs into Transcend for the first time using their SSO login, if you expose some certain attributes to Transcend, the employee will be assigned to the Transcend team when their account is created, thus giving them a specific set of scopes by default.

You can enable the following SSO attribute mappings

AttributeTranscend Mapping
Employee Details.Titletitle
Employee Details.Departmentdepartment

In addition to mapping SSO attributes to a "Team" on Transcend, you can map SSO groups (AKA Okta Groups) to do the same. For organizations that already have groups set up, this is often the preferred method. For those without groups, attribute mapping is the preferred mapping. You must configure user access to the group within your SSO provider, and then map the group name to the Transcend team as shown in the image below. (Below, we are mapping the SSO group named "Engineering" to a Transcend team named "Developers").

Map SSO Group to Transcend Team.