Transcend allows for granular role-based access control to restrict what your organization
members can or cannot do on your organization's Transcend account. Every route that we expose has the ability to be managed from the Member Scopes tab →. This means the administrator of your account can dictate which views the users in your Transcend account can see, as well as which changes they can make. We call these access controls
Throughout these docs, we will indicate when a section is referring to some set of scopes. Look for messages like this to determine how you can configure access control for certain features.
We break down every view we show, and action we allow into
scopes. An administrator of your Transcend account can assign these
scopes to individual
members, or to
teams of members within your organization.
Scopes can also be assigned to API keys. The API keys can be given that same privileges as any
member in your organization.
You can manage the assignment of "Scopes" under individual users in the Users & Permissions → section within Administration.
A full list of available user scopes:
|Connect Data Silos||Connect new data silos to your Connected Services.|
|Publish Privacy Center||Launch the Privacy Center on your own domain, and publish new changes to your deployed instance.|
|Submit New Data Subject Request||Submit new data subject requests programmatically through our API.|
|Manage Access Controls||Manage what employees in your organization can access within Transcend.|
|Manage API Keys||Create, update and delete API keys for programmatic access to your Transcend organization.|
|Manage Billing||Manage billing details for your organization.|
|Manage Consent Manager||Manage & deploy Consent Manager.|
|Manage Data Flows||Manage & deploy Consent Manager Data Flows (tracking purpose maps, site scans, cookies).|
|Manage Data Inventory||Manage the data inventory information for your organization.|
|Manage Data Map for Privacy Requests||Edit the configurations on your data silos and determine what information should be included in a privacy request.|
|Manage Data Subject Request Settings||Make changes to the request actions that your organization allows, as well as what data subjects you will serve.|
|Manage Email Domains||Manage the domains from which Transcend can send emails on behalf of your organization.|
|Manage Email Templates||Manage the email communication templates that your organization uses to communicate with your data subjects.|
|Manage Organization Information||Edit the top-level organization settings details.|
|Manage Privacy Center Layout||Make changes to the Privacy Center configuration and policies.|
|Manage Request Compilation||Make changes to the compilation process of a request. This involves changing the status of data silos in your Connected Services, as well as editing profiles and files.|
|Manage Request Identity Verification||Manage how your organization will verify the identities of new data subject requests, and how that identity will be enriched for all of your data silos to lookup that person.|
|Manage Request Security||ReSign expired request encryption contexts, and data silo contexts.|
|Rotate Hosted Sombra keys||Rotate Hosted Sombra keys.|
|Manage SSO||Manage SSO configuration for members of your organization.|
|Request Approval and Communication||Approve and manage the state of data subject requests, and communicate with the data subject.|
|View API Keys||View the API keys on your account and see what scopes are assigned to them.|
|View Data Flows||View Data Flows (tracking purpose maps, site scans).|
|View Data Inventory||Check data inventory information for your organization.|
|View Data Map||View your organization's Connected Services and see the configuration settings for each action your support.|
|View Data Subject Request Settings||View the DSR actions settings and data subject categories that your organization supports.|
|View Email Domains||View the domains from which Transcend can send emails on behalf of your organization.|
|View Email Templates||View the default email templates templates used to communicate with your data subjects.|
|View Employees||View the employees within your organization.|
|View Opt Out Status||Check the opt out status of data subjects of your organization.|
|View Privacy Center Layout||View the full configuration of your Privacy Center.|
|View the Request Compilation||View the status of privacy requests as they compile across your data.|
|View Identity Verification Settings||View the settings for data subject request identity verification.|
|View Incoming Requests||View the stream of incoming privacy requests, and any details submit through the form or later enriched.|
|View Scopes||View the potential access control scopes that can be assigned to members in the organization.|
Every employee, partner, or person that should have a login to your Transcend account is known as a
member. By default, each
member has no
scopes. They cannot see any incoming Requests or private configurations for your organization. The only changes they can make are to their personal account settings.
You can manage and invite new "Users" on the Users and Scopes → tab.
Typically, groups of
members should be assigned the same set of
scopes. For this reason, we allow you to create
teams of members, and assign scopes to everyone in that team. If you remove a member from a team, that member will lose the scopes it had from that team unless the member was also individually assigned those scopes.
You can manage and invite new "Users" on from your profile icon in the bottom left, then "Administration", then Users & Permissions → tab.
When one of your employees logs into Transcend for the first time using their SSO login, if you expose some certain attributes to Transcend, the employee will be assigned to the Transcend team when their account is created, thus giving them a specific set of scopes by default.
You can enable the following SSO attribute mappings
In addition to mapping SSO attributes to a "Team" on Transcend, you can map SSO groups (AKA Okta Groups) to do the same. For organizations that already have groups set up, this is often the preferred method. For those without groups, attribute mapping is the preferred mapping. You must configure user access to the group within your SSO provider, and then map the group name to the Transcend team as shown in the image below. (Below, we are mapping the SSO group named "Engineering" to a Transcend team named "Developers").