Access Control

Transcend allows for granular role-based access control to restrict what your organization members can or cannot do on your organization's Transcend account. Every route that we expose has the ability to be managed from the Member Scopes tab →. This means the administrator of your account can dictate which views the users in your Transcend account can see, as well as which changes they can make. We call these access controls scopes.

Throughout these docs, we will indicate when a section is referring to some set of scopes. Look for messages like this to determine how you can configure access control for certain features.

We break down every view we show, and action we allow into scopes. An administrator of your Transcend account can assign these scopes to individual members, or to teams of members within your organization.

Scopes can also be assigned to API keys. The API keys can be given that same privileges as any member in your organization.

You can manage the assignment of "Scopes" under individual users in the Users & Permissions → section within Administration.

A full list of available user scopes is available below. Note: some scopes grant access to other scopes. For example, the ability to "View Email Templates" is automatically granted when permissions are given to "Manage Email Templates". This scope dependency is described by the "Dependencies" column.

TitleDescriptionTypeProductsDependencies
View OnlyAccess is granted to all of the scopes of type "View".ViewAdmin
  • All Scopes of Type=View
Full AdminFull administrative access. All scopes are granted.ModifyAdmin
  • All Scopes
Rotate Hosted Sombra keysAbility to perform a key rotation on the encryption keys used within your account.ModifyAdmin
    Manage Global AttributesUnder the infrastructure tab, manage your custom attributes and select which views those attributes should display in.ModifyAdmin
    • VIew Global Attributes
    Manage Access ControlsManage what employees in your organization can access within Transcend.ModifyAdmin
    • View Employees
    • View Scopes
    Manage BillingManage billing details for your organization.ModifyAdmin
      Manage SSOManage SSO configuration for members of your organization.ModifyAdmin
      • View SSO
      Manage API KeysCreate, update and delete API keys for programmatic access to your Transcend organization.ModifyAdmin
      • View API Keys
      Manage Organization InformationEdit the top-level organization settings details.ModifyAdmin
        Manage Email DomainsManage the domains from which Transcend can send emails on behalf of your organization.ModifyAdmin
        • View Email Domains
        View API KeysView the API keys on your account and see what scopes are assigned to them.ViewAdmin
          View SSOView the SSO configuration for your organization.ViewAdmin
            View ScopesView the potential access control scopes that can be assigned to members in the organization.ViewAdmin
            • View Employees
            View EmployeesView the list of employees within your organization.ViewAdmin
              View Email DomainsView the domains from which Transcend can send emails on behalf of your organization.ViewAdmin
                VIew Global AttributesView the attribute definition key/value pairs.ViewAdmin
                  View Legal HoldView the individuals that have been placed on legal holds.ViewPrivacy Requests
                    Manage Legal HoldsManage and edit the individuals that have been placed on legal holds.ViewPrivacy Requests
                    • View Legal Hold
                    Manage Request SecurityReSign expired request encryption contexts, and data silo contexts.ModifyAdmin, Privacy Requests
                      Manage Request CompilationMake changes to the compilation process of a request. This involves changing the status of data silos in your Data Map, as well as editing profiles and files.ModifyPrivacy Requests
                      • View Incoming Requests
                      • View the Request Compilation
                      Submit New Data Subject RequestSubmit a new privacy requests.ModifyPrivacy Requests
                      • View Data Subject Request Settings
                      • View Identity Verification Settings
                      Manage Data Subject Request SettingsMake changes to the request actions that your organization allows, as well as what data subjects you will serve.ModifyPrivacy Requests
                      • View Data Subject Request Settings
                      Manage Email TemplatesManage the email communication templates that your organization uses to communicate with your data subjects.ModifyPrivacy Requests
                      • View Email Templates
                      Manage Request Identity VerificationManage how your organization will verify the identities of new privacy requests, and how that identity will be enriched for all of your data silos to lookup that person.ModifyPrivacy Requests
                      • View Identity Verification Settings
                      Publish Privacy CenterLaunch the Privacy Center on your own domain, and publish new changes.ModifyPrivacy Requests, Privacy Center
                      • Manage Privacy Center Layout
                      Manage Data MapEdit the configurations on your data silos and determine what information should be included in a request.ModifyPrivacy Requests, Data Mapping
                      • View Data Map
                      Manage Privacy Center LayoutMake changes to the privacy center configuration and policies.ModifyPrivacy Requests, Privacy Center
                      • View Privacy Center Layout
                      Request Approval and CommunicationThe ability to approve and manage the state of privacy requests, and communicate with the data subject.ModifyPrivacy Requests
                      • View Incoming Requests
                      • View the Request Compilation
                      • Manage Request Compilation
                      View Data Subject Request SettingsView the privacy request actions settings and data subject categories that your organization supports.ViewPrivacy Requests
                        View the Request CompilationView the status of requests as they compile across your Data Map.ViewPrivacy Requests
                        • View Incoming Requests
                        View Identity Verification SettingsView the settings for data subject request identity verification.ViewPrivacy Requests
                          View Incoming RequestsView the stream of incoming requests, and any details submit through the form or later enriched.ViewPrivacy Requests
                          • VIew Global Attributes
                          • View Data Subject Request Settings
                          View Privacy Center LayoutView the full configuration of the privacy center.ViewPrivacy Requests, Privacy Center
                            View Email TemplatesView the default email templates templates used to communicate with your data subjects.ViewPrivacy Requests, Privacy Center
                              Connect Data SilosConnect new data silos to your Data Map.ModifyPrivacy Requests, Data Mapping
                              • View Data Map
                              • Manage Data Map
                              • View Email Templates
                              Manage Data InventoryManage the data inventory information for your organization.ModifyData Mapping
                              • View Data Inventory
                              View Data MapView your organization's Data Map and see the configuration settings for each action your support.ViewPrivacy Requests, Data Mapping
                              • VIew Global Attributes
                              View Data InventoryAbility to view the data silos, datapoints, data categories and processing purposes in your data inventory.ViewData Mapping
                              • View Data Map
                              • VIew Global Attributes
                              Manage Consent ManagerManage & deploy the consent manager changes to your websites.ModifyConsent Manager
                              • View Consent Manager
                              • Manage Data Flows
                              • View Data Flows
                              Manage Data FlowsManage & Deploy Data Flows (tracking purpose maps, site scans, cookies)ModifyConsent Manager
                              • View Data Flows
                              View Opt Out StatusCheck the opt out status of a particular user.ViewPrivacy Requests, Consent Manager
                                View Data FlowsView Data Flows (tracking purpose maps, site scans)ViewConsent Manager
                                • View Consent Manager
                                View Consent ManagerView the consent manager configuration.ViewConsent Manager

                                  Every employee, partner, or person that should have a login to your Transcend account is known as a member. By default, each member has no scopes. They cannot see any incoming Requests or private configurations for your organization. The only changes they can make are to their personal account settings.

                                  In order for your members to start doing things like configuring your Privacy Center or Integrations or responding to Data Subject Requests you must assign them scopes.

                                  You can manage and invite new "Users" on the Users and Scopes → tab.

                                  Typically, groups of members should be assigned the same set of scopes. For this reason, we allow you to create teams of members, and assign scopes to everyone in that team. If you remove a member from a team, that member will lose the scopes it had from that team unless the member was also individually assigned those scopes.

                                  You can manage and invite new "Users" on from your profile icon in the bottom left, then "Administration", then Users & Permissions → tab.

                                  When one of your employees logs into Transcend for the first time using their SSO login, if you expose some certain attributes to Transcend, the employee will be assigned to the Transcend team when their account is created, thus giving them a specific set of scopes by default.

                                  You can enable the following SSO attribute mappings

                                  AttributeTranscend Mapping
                                  Employee Details.Titletitle
                                  Employee Details.Departmentdepartment

                                  In addition to mapping SSO attributes to a "Team" on Transcend, you can map SSO groups (AKA Okta Groups) to do the same. For organizations that already have groups set up, this is often the preferred method. For those without groups, attribute mapping is the preferred mapping. You must configure user access to the group within your SSO provider, and then map the group name to the Transcend team as shown in the image below. (Below, we are mapping the SSO group named "Engineering" to a Transcend team named "Developers").

                                  Map SSO Group to Transcend Team.