Access Control
Transcend allows for granular role-based access control to restrict what your organization members can or cannot do on your organization's Transcend account. Every route that we expose has the ability to be managed from the Users →, Teams → and Scopes → pages. This means the administrator of your account can dictate which views the users in your Transcend account can see, as well as which changes they can make. We call these access controls scopes.
Throughout our docs, we will indicate when a section is referring to some set of scopes. Look for messages like this to determine how you can configure access control for certain features.
We break down every view we show and every action we allow into scopes. An administrator of your Transcend account can assign these scopes to individual members, or to teams of members within your organization. You can see the set of scopes and which users have access to those scopes on the Scopes → tab under "Administration" settings.
Scopes can also be assigned to API keys. The API keys can be given the same privileges as any member in your organization.
You can manage the assignment of scopes under individual users in the Users → section within Administration. You can manage the assignment of scopes to teams by going to the Teams → section within Administration.
A full list of available user scopes is available below. Note: some scopes grant access to other scopes. For example, the ability to "View Email Templates" is automatically granted when permissions are given to "Manage Email Templates". This scope dependency is described by the "Dependencies" column.
Title | Description | Type | Products | Dependencies |
---|---|---|---|---|
View Only | Access is granted to all of the scopes of type "View". | View | Admin | |
Full Admin | Full administrative access. All scopes are granted. | Modify | Admin | |
Rotate Hosted Sombra keys | Ability to perform a key rotation on the encryption keys used within your account. | Modify | Admin | |
Manage Global Attributes | Under the infrastructure tab, manage your custom attributes and select which views those attributes should display in. | Modify | Admin | |
Manage Access Controls | Manage what employees in your organization can access within Transcend. | Modify | Admin | |
Manage Billing | Manage billing details for your organization. | Modify | Admin | |
Manage SSO | Manage SSO configuration for members of your organization. | Modify | Admin | |
Manage API Keys | Create, update and delete API keys for programmatic access to your Transcend organization. | Modify | Admin | |
Manage Organization Information | Edit the top-level organization settings details. | Modify | Admin | |
Manage Email Domains | Manage the domains from which Transcend can send emails on behalf of your organization. | Modify | Admin | |
View Customer Data in Privacy Requests | Give permissions for an employee to view the data in an access request. | View | Admin, Privacy Requests | |
View Customer Data in Data Mapping | Give permissions for an employee to view the sampled data in the data mapping product. | View | Admin, Data Mapping | |
View API Keys | View the API keys on your account and see what scopes are assigned to them. | View | Admin | |
View Audit Events | View any audit events made throughout the platform. This includes any of the "Audit Trail" tabs across the Admin Dashboard. | View | Admin | |
View SSO | View the SSO configuration for your organization. | View | Admin | |
View Scopes | View the potential access control scopes that can be assigned to members in the organization. | View | Admin | |
View Employees | View the list of employees within your organization. | View | Admin | |
View Email Domains | View the domains from which Transcend can send emails on behalf of your organization. | View | Admin | |
View Global Attributes | View the attribute definition key/value pairs. | View | Admin | |
View Legal Hold | View the individuals that have been placed on legal holds. | View | Privacy Requests | |
Manage Legal Holds | Manage and edit the individuals that have been placed on legal holds. | Modify | Privacy Requests | |
Manage Request Security | Re-sign expired request encryption contexts and data silo contexts. | Modify | Admin, Privacy Requests | |
Manage Request Compilation | Make changes to the compilation process of a request. This involves changing the status of data silos in your Data Map, as well as editing profiles and files. | Modify | Privacy Requests | |
Manage Assigned Privacy Requests | Make changes to the compilation process of a request for requests assigned to you or your team. This involves changing the status of data silos in your Data Map, as well as editing profiles and files. | Modify | Privacy Requests | |
Submit New Data Subject Request | Submit a new privacy request. | Modify | Privacy Requests | |
Manage Data Subject Request Settings | Make changes to the request actions that your organization allows, as well as what data subjects you will serve. | Modify | Privacy Requests | |
Manage Email Templates | Manage the email communication templates that your organization uses to communicate with your data subjects. | Modify | Privacy Requests | |
Manage Request Identity Verification | Manage how your organization will verify the identities of new privacy requests, and how that identity will be enriched for all of your data silos to look up that person. | Modify | Privacy Requests | |
Publish Privacy Center | Launch the Privacy Center on your own domain, and publish new changes. | Modify | Privacy Requests, Privacy Center | |
Manage Data Map | Edit the configurations on your data silos and determine what information should be included in a request. | Modify | Privacy Requests, Data Mapping | |
Manage Privacy Center Layout | Make changes to the privacy center configuration and policies. | Modify | Privacy Requests, Privacy Center | |
Request Approval and Communication | The ability to approve and manage the state of privacy requests, and communicate with the data subject. | Modify | Privacy Requests | |
View Data Subject Request Settings | View the privacy request actions settings and data subject categories that your organization supports. | View | Privacy Requests | |
View the Request Compilation | View the status of requests as they compile across your Data Map. | View | Privacy Requests | |
View Identity Verification Settings | View the settings for data subject request identity verification. | View | Privacy Requests | |
View Incoming Requests | View the stream of incoming requests, and any details submitted through the form or later enriched. | View | Privacy Requests | |
View Assigned Privacy Requests | View the stream of incoming requests assigned to you and your team. You will be able to see any request details submitted through the form or later enriched. | View | Privacy Requests | |
View Privacy Center Layout | View the full configuration of the privacy center. | View | Privacy Requests, Privacy Center | |
View Email Templates | View the default email templates used to communicate with your data subjects. | View | Privacy Requests, Privacy Center | |
Connect Data Silos | Connect new data silos to your Data Map. | Modify | Privacy Requests, Data Mapping | |
Manage Data Inventory | Ability to manage and edit everything in the data mapping product. Includes the data inventory, ROPA, and content classification views. | Modify | Data Mapping | |
Manage Assigned Data Inventory | Manage the data inventory rows in your organization's Data Map that are assigned to you or your team. | Modify | Data Mapping | |
Manage Assigned Integrations | Manage the integrations in your organization's Data Map that are assigned to you or your team. | Modify | Privacy Requests, Data Mapping | |
View Data Map | View your organization's Data Map and see the configuration settings for each action you support. | View | Privacy Requests, Data Mapping | |
View Assigned Integrations | View the integrations in your organization's Data Map that are assigned to you or your team. | View | Privacy Requests, Data Mapping | |
View Assigned Data Inventory | Ability to view the resources in the data mapping product that are assigned to you or your team. | View | Data Mapping | |
View Data Inventory | Ability to view all of the data mapping product. Includes the data inventory, ROPA, and content classification views. | View | Data Mapping | |
Manage Consent Manager | Manage & deploy the consent manager changes to your websites. | Modify | Consent Manager | |
Manage Consent Manager Developer Settings | Manage the developer settings for the Consent Manager. This does not allow for clicking the "Set Changes Live" button. | Modify | Consent Manager | |
Manage Consent Manager Display Settings | Manage the display settings for the consent manager. This includes messages, styles and other UI settings. | Modify | Consent Manager | |
Deploy Test Consent Manager | Ability to publish changes to the test Consent Manager bundle. This changes the code contents of airgap.js and attempts to invalidate the CDN. | Modify | Consent Manager | |
Deploy Consent Manager | Ability to publish changes to the production and test Consent Manager bundle. This changes the code contents of airgap.js and attempts to invalidate the CDN. | Modify | Consent Manager | |
Manage Assigned Consent Manager | Manage Data Flows & Cookies assigned to you or your team. | Modify | Consent Manager | |
Manage Data Flows | Ability to manage and delete Data Flows and Cookies within the Consent Manager product. | Modify | Consent Manager | |
View Opt Out Status | Check the opt out status of a particular user. | View | Privacy Requests, Consent Manager | |
View Data Flows | View Data Flows (tracking purpose maps, site scans) | View | Consent Manager | |
View Assigned Consent Manager | View Data Flows and Cookies assigned to you or your team. | View | Consent Manager | |
View Consent Manager | View the consent manager configuration. | View | Consent Manager | |
View Assessments | View the assessments and assessment templates. | View | Assessments, Data Mapping | |
Manage Assessments | Manage and edit assessments and assessment templates | Modify | Assessments, Data Mapping | |
Approve Assessments | Approve the assessments and assessment templates | Modify | Assessments, Data Mapping | |
View Pathfinder | View the pathfinder settings. | View | Pathfinder | |
Manage Pathfinder | Manage the pathfinder settings under the pathfinder side menu | Modify | Pathfinder | |
View Contract Scanning | View the contract scanning side menu, including settings and contracts. | View | Pathfinder | |
Manage Contract Scanning | Upload and manage contracts under the contract scanning side menu | Modify | Pathfinder | |
View Prompts | View the prompts and prompt templates. | View | Prompt Manager | |
Manage Prompts | Manage and edit prompts and prompt templates | Modify | Prompt Manager | |
View Prompt Runs | View the output run results for prompts. | View | Prompt Manager | |
Manage Prompt Runs | Manage, edit and create prompt run results | Modify | Prompt Manager | |
Execute Prompt | Ability to execute a prompt and view the outputs | Modify | Prompt Manager | |
View Auditor Runs | View the output run results for Auditor. | View | Web Auditor | |
Manage Auditor Runs and Schedules | Manage, edit and create prompt run results | Modify | Web Auditor | |
Execute Auditor | Ability to execute or schedule Auditor and view the outputs | Modify | Web Auditor | |
Approve Prompts | Approve the prompts and prompt templates | Modify | Prompt Manager | |
Manage Action Item Collections | Manage and edit action item collections | Modify | Admin | |
View Managed Consent Database Admin API | Ability to query user consent preferences with the Managed Consent Database Admin API | View | Consent Manager, Preference Store | |
Modify User Stored Preferences | Ability to make updates to user stored consent preferences | Modify | Consent Manager, Preference Store | |
Every employee, partner, or person that should have a login to your Transcend account is known as a member. By default, each member has no scopes. They cannot see any incoming Requests or private configurations for your organization. The only changes they can make are to their personal account settings.
In order for your members to start doing things like configuring your Privacy Center or Integrations or responding to Data Subject Requests, you must assign them scopes.
You can manage and invite new "Users" on the Administration -> Users tab.
If you need to revoke a user's access to your Transcend instance, you can click the trash icon next to the selected user on the Administration -> Users tab. If you are using Single Sign On, the easiest way to revoke access is to deactivate the user within your single sign on provider. This will prevent the user from having the ability to log into Transcend.
If you have a need to programmatically remove a user from Transcend, you can leverage the EU Hosting GraphQL API or US Hosting GraphQL API with the following mutation:
```graphql
mutation {
  removeUser(input: { email: "INSERT_EMAIL@transcend.io" }) {
    clientMutationId
  }
}
```
As a curl command, this would be the following for EU hosting (default hosting option):
```bash
curl 'https://api.transcend.io/graphql' \
  -H 'Authorization: Bearer INSERT_API_KEY' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  --data-binary '{"query":"mutation {\n removeUser(input: { email: \"INSERT_EMAIL@transcend.io\" }) {\n clientMutationId\n }\n}\n"}'
```
or the following for US hosting option:
```bash
curl 'https://api.us.transcend.io/graphql' \
  -H 'Authorization: Bearer INSERT_API_KEY' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  --data-binary '{"query":"mutation {\n removeUser(input: { email: \"INSERT_EMAIL@transcend.io\" }) {\n clientMutationId\n }\n}\n"}'
```
In the commands above, please replace:
`INSERT_API_KEY`: a Transcend API key with the scope "Manage Access Controls"
`INSERT_EMAIL@transcend.io`: the email address of the user to remove
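The same `removeUser` call can be scripted for offboarding, shown here as an added Python example (not Transcend's own code). It reads the API key from an environment variable (the name `TRANSCEND_API_KEY` is an assumption) so the key stays out of shell history and process listings, validates the email before it is placed in the query text, and sends the key in the standard `Authorization: Bearer` header.

```python
import json
import os
import re
import urllib.request

# Endpoints as given on this page.
ENDPOINTS = {
    "eu": "https://api.transcend.io/graphql",
    "us": "https://api.us.transcend.io/graphql",
}
# Deliberately strict allow-list (an assumption of this example): values with
# quotes, braces, backslashes or whitespace never reach the query text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_remove_user_request(email, api_key, region="eu"):
    """Return a urllib Request for the removeUser mutation shown above."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError(f"refusing suspicious email value: {email!r}")
    if not api_key:
        raise ValueError("API key is empty")
    # json.dumps yields a double-quoted, escaped string literal for the email.
    query = (
        "mutation { removeUser(input: { email: %s }) { clientMutationId } }"
        % json.dumps(email)
    )
    return urllib.request.Request(
        ENDPOINTS[region],
        data=json.dumps({"query": query}).encode(),
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )


def remove_user(email, region="eu"):
    """Send the mutation; the key comes from the environment, not argv."""
    req = build_remove_user_request(email, os.environ["TRANSCEND_API_KEY"], region)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    # GraphQL reports failures in an "errors" array, often with HTTP 200.
    if body.get("errors"):
        raise RuntimeError(f"removeUser failed: {body['errors']}")
    return body["data"]["removeUser"]
```

Give the key used here only the "Manage Access Controls" scope the page names for this mutation, so a leaked offboarding key cannot do more than manage access.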
It's common for similar groups of members to be assigned the same set of scopes. For this reason, we allow you to create teams of members, and assign scopes to everyone in that team. If you remove a member from a team, that member will lose the scopes it had from that team unless the member was also individually assigned those scopes. You can create, edit, and modify membership to teams in the "Administration" section under Teams →.
You can manage and invite new "Users" from your profile icon in the bottom left, then "Administration", then the Users → tab, and you can add the user to a specific team when they are invited, or retroactively.
When one of your employees logs into Transcend for the first time using their SSO login, if you expose certain attributes to Transcend, the employee will be assigned to the corresponding Transcend team when their account is created, thus giving them a specific set of scopes by default.
You can enable the following SSO attribute mappings:
Attribute | Transcend Mapping |
---|---|
Employee Details.Title | title |
Employee Details.Department | department |
In addition to mapping SSO attributes to a "Team" on Transcend, you can map SSO groups (AKA Okta Groups) to do the same. For organizations that already have groups set up, this is often the preferred method. For those without groups, attribute mapping is the preferred mapping. You must configure user access to the group within your SSO provider, and then map the group name to the Transcend team as shown in the image below. (Below, we are mapping the SSO group named "Engineering" to a Transcend team named "Developers").
You can make changes to the mapping between your SSO provider and Transcend Teams on the Teams → tab under Administration.
When a user is just-in-time provisioned and their SSO attributes do not map them to a team, the default behavior is that the user will have no scopes applied to them. If you want to set a default set of scopes for newly provisioned users, you can set a "Default Team" under Administration -> Single Sign On →. This team will be assigned to users that have no other teams provisioned to them. The newly created user will inherit the scopes of that team.
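For an access review, the rules described on this page (scopes held individually and through teams, scope dependencies, SSO group and attribute mapping, and the default team) can be modeled to show which members effectively hold sensitive scopes and why. This is an added example, not Transcend's implementation: scope titles come from the table above, while the team names, mappings and the `SENSITIVE` set are constructed.

```python
# Constructed sample data: scope titles are from the table on this page;
# team names, SSO mappings and the SENSITIVE set are assumptions.
GRANTS = {"Manage Email Templates": {"View Email Templates"}}
TEAM_SCOPES = {
    "Developers": {"Manage API Keys", "View Data Map"},
    "Privacy Ops": {"Manage Email Templates", "View Incoming Requests"},
    "Read Only": {"View Scopes"},
}
GROUP_TO_TEAM = {"Engineering": "Developers"}
ATTR_TO_TEAM = {("department", "Legal"): "Privacy Ops"}
DEFAULT_TEAM = "Read Only"  # None models "no default team configured"
SENSITIVE = {"Full Admin", "Manage Access Controls", "Manage API Keys", "Manage SSO"}


def teams_from_sso(groups, attributes, default_team=DEFAULT_TEAM):
    """Teams a just-in-time provisioned user lands in."""
    teams = {GROUP_TO_TEAM[g] for g in groups if g in GROUP_TO_TEAM}
    teams |= {ATTR_TO_TEAM[kv] for kv in attributes.items() if kv in ATTR_TO_TEAM}
    if not teams and default_team:
        teams = {default_team}  # fallback only when nothing else matched
    return teams


def effective_scopes(individual, teams):
    """Map each scope the member really holds to the reasons it is held."""
    queue = [(s, "individual") for s in individual]
    for team in teams:
        queue += [(s, f"team:{team}") for s in TEAM_SCOPES.get(team, ())]
    reasons = {}
    while queue:
        scope, why = queue.pop()
        first_visit = scope not in reasons
        reasons.setdefault(scope, set()).add(why)
        if first_visit:  # expand dependencies once per scope
            queue += [(d, f"implied-by:{scope}") for d in GRANTS.get(scope, ())]
    return reasons


def access_review(members):
    """members: {name: (individual scopes, teams)} -> sensitive findings."""
    findings = []
    for name, (individual, teams) in sorted(members.items()):
        held = effective_scopes(individual, teams)
        findings += [(name, s, sorted(held[s])) for s in sorted(held) if s in SENSITIVE]
    return findings
```

Calling `effective_scopes` with the same individual scopes but one team removed shows what a member keeps after leaving that team: only scopes with another recorded reason survive.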