Access Control

Transcend allows for granular role-based access control to restrict what your organization members can or cannot do on your organization's Transcend account. Every route that we expose has the ability to be managed from the Users →, Teams → and Scopes → pages. This means the administrator of your account can dictate which views the users in your Transcend account can see, as well as which changes they can make. We call these access controls scopes.

Throughout our docs, we will indicate when a section is referring to some set of scopes. Look for messages like this to determine how you can configure access control for certain features.

We break down every view we show, and action we allow into scopes. An administrator of your Transcend account can assign these scopes to individual members, or to teams of members within your organization. You can see the set of scopes and which users have access to those scopes on the Scopes → tab under "Administration" settings.

Scopes view in Transcend Administration.

Scopes can also be assigned to API keys. The API keys can be given that same privileges as any member in your organization.

You can manage the assignment of scopes under individual users in the Users → section within Administration. You can manage the assignment of scopes to teams by going to the Teams → section within Administration.

A full list of available user scopes is available below. Note: some scopes grant access to other scopes. For example, the ability to "View Email Templates" is automatically granted when permissions are given to "Manage Email Templates". This scope dependency is described by the "Dependencies" column.

TitleDescriptionTypeProductsDependencies
View OnlyAccess is granted to all of the scopes of type "View".ViewAdmin
  • All Scopes of Type=View
Full AdminFull administrative access. All scopes are granted.ModifyAdmin
  • All Scopes
Rotate Hosted Sombra keysAbility to perform a key rotation on the encryption keys used within your account.ModifyAdmin
    Manage Global AttributesUnder the infrastructure tab, manage your custom attributes and select which views those attributes should display in.ModifyAdmin
    • View Global Attributes
    Manage Access ControlsManage what employees in your organization can access within Transcend.ModifyAdmin
    • View Employees
    • View Scopes
    Manage BillingManage billing details for your organization.ModifyAdmin
      Manage SSOManage SSO configuration for members of your organization.ModifyAdmin
      • View SSO
      Manage API KeysCreate, update and delete API keys for programmatic access to your Transcend organization.ModifyAdmin
      • View API Keys
      Manage Organization InformationEdit the top-level organization settings details.ModifyAdmin
        Manage Email DomainsManage the domains from which Transcend can send emails on behalf of your organization.ModifyAdmin
        • View Email Domains
        View Customer Data in Privacy RequestsGive permissions for an employee to view the data in an access request.ViewAdmin, Privacy Requests
          View Customer Data in Data MappingGive permissions for an employee to view the sampled data in the data mapping product.ViewAdmin, Data Mapping
            View API KeysView the API keys on your account and see what scopes are assigned to them.ViewAdmin
              View Audit EventsView any audit events made throughout the platform. This includes any of the "Audit Trail" tabs across the Admin Dashboard.ViewAdmin
                View SSOView the SSO configuration for your organization.ViewAdmin
                  View ScopesView the potential access control scopes that can be assigned to members in the organization.ViewAdmin
                  • View Employees
                  View All Action ItemsView all action items in the organization, regardless of assignee or scopes for specific resources. This is necessary when querying API keys via the API.ViewAdmin
                    Manage All Action ItemsManage all action items in the organization, regardless of assignee or scopes for specific resources. This is necessary when querying API keys via the API.ModifyAdmin
                      View EmployeesView the list of employees within your organization.ViewAdmin
                        View Email DomainsView the domains from which Transcend can send emails on behalf of your organization.ViewAdmin
                          View Global AttributesView the attribute definition key/value pairs.ViewAdmin
                            View Legal HoldView the individuals that have been placed on legal holds.ViewPrivacy Requests
                              Manage Legal HoldsManage and edit the individuals that have been placed on legal holds.ModifyPrivacy Requests
                              • View Legal Hold
                              Manage Request SecurityReSign expired request encryption contexts, and data silo contexts.ModifyAdmin, Privacy Requests
                                Manage Request CompilationMake changes to the compilation process of a request. This involves changing the status of data silos in your Data Map, as well as editing profiles and files.ModifyPrivacy Requests
                                • View Incoming Requests
                                • View the Request Compilation
                                Manage Assigned Privacy RequestsMake changes to the compilation process of a request for requests assigned to your or your team. This involves changing the status of data silos in your Data Map, as well as editing profiles and files.ModifyPrivacy Requests
                                • View Assigned Privacy Requests
                                Submit New Data Subject RequestSubmit a new privacy requests.ModifyPrivacy Requests
                                • View Data Subject Request Settings
                                • View Identity Verification Settings
                                Manage Data Subject Request SettingsMake changes to the request actions that your organization allows, as well as what data subjects you will serve.ModifyPrivacy Requests
                                • View Data Subject Request Settings
                                Manage Email TemplatesManage the email communication templates that your organization uses to communicate with your data subjects.ModifyPrivacy Requests
                                • View Email Templates
                                Manage Request Identity VerificationManage how your organization will verify the identities of new privacy requests, and how that identity will be enriched for all of your data silos to lookup that person.ModifyPrivacy Requests
                                • View Identity Verification Settings
                                Publish Privacy CenterLaunch the Privacy Center on your own domain, and publish new changes.ModifyPrivacy Requests, Privacy Center
                                • Manage Privacy Center Layout
                                Manage Data MapEdit the configurations on your data silos and determine what information should be included in a request.ModifyPrivacy Requests, Data Mapping
                                • View Data Map
                                Manage Privacy Center LayoutMake changes to the privacy center configuration and policies.ModifyPrivacy Requests, Privacy Center
                                • View Privacy Center Layout
                                Request Approval and CommunicationThe ability to approve and manage the state of privacy requests, and communicate with the data subject.ModifyPrivacy Requests
                                • View Incoming Requests
                                • View the Request Compilation
                                • Manage Request Compilation
                                View Data Subject Request SettingsView the privacy request actions settings and data subject categories that your organization supports.ViewPrivacy Requests
                                  View the Request CompilationView the status of requests as they compile across your Data Map.ViewPrivacy Requests
                                  • View Incoming Requests
                                  View Identity Verification SettingsView the settings for data subject request identity verification.ViewPrivacy Requests
                                    View Incoming RequestsView the stream of incoming requests, and any details submit through the form or later enriched.ViewPrivacy Requests
                                    • View Global Attributes
                                    • View Data Subject Request Settings
                                    • View Email Templates
                                    View Assigned Privacy RequestsView the stream of incoming requests assigned to you and your team. You will be able to see any request details submitted through the form or later enriched.ViewPrivacy Requests
                                    • View Global Attributes
                                    • View Data Subject Request Settings
                                    • View Email Templates
                                    View Privacy Center LayoutView the full configuration of the privacy center.ViewPrivacy Requests, Privacy Center
                                      View Email TemplatesView the default email templates templates used to communicate with your data subjects.ViewPrivacy Requests, Privacy Center
                                        Connect Data SilosConnect new data silos to your Data Map.ModifyPrivacy Requests, Data Mapping
                                        • View Data Map
                                        • Manage Data Map
                                        • View Email Templates
                                        Manage Data InventoryAbility to manage and edit everything in the data mapping product. Includes the data inventory, ROPE, and content classification views.ModifyData Mapping
                                        • View Data Inventory
                                        Manage Assigned Data InventoryManage the data inventory rows in your organization's Data Map that are assigned to you or your team.ModifyData Mapping
                                        • View Assigned Data Inventory
                                        Manage Assigned IntegrationsManage the integrations in your organization's Data Map that are assigned to you or your team.ModifyPrivacy Requests, Data Mapping
                                        • View Assigned Integrations
                                        View Data MapView your organization's Data Map and see the configuration settings for each action your support.ViewPrivacy Requests, Data Mapping
                                        • View Global Attributes
                                        View Assigned IntegrationsView the integrations in your organization's Data Map that are assigned to you or your team.ViewPrivacy Requests, Data Mapping
                                        • View Global Attributes
                                        View Assigned Data InventoryAbility to view the resources in the data mapping product that are assigned to your or your team.ViewData Mapping
                                        • View Global Attributes
                                        • View Data Subject Request Settings
                                        View Data InventoryAbility to view all of the data mapping product. Includes the data inventory, ROPA, and content classification views.ViewData Mapping
                                        • View Data Map
                                        • View Global Attributes
                                        • View Data Subject Request Settings
                                        Manage Consent ManagerManage & deploy the consent manager changes to your websites.ModifyConsent Manager
                                        • View Consent Manager
                                        • Manage Data Flows
                                        • Manage Consent Manager Display Settings
                                        • Manage Consent Manager Developer Settings
                                        • Deploy Consent Manager
                                        • Deploy Test Consent Manager
                                        • View Data Flows
                                        Manage Consent Manager Developer SettingsManage the developer settings for the Consent Manager. This does not allow for clicking the "Set Changes Live" button.ModifyConsent Manager
                                        • View Consent Manager
                                        Manage Consent Manager Display SettingsManage the display settings for the consent manager. This includes messages, styles and other UI settings.ModifyConsent Manager
                                        • View Consent Manager
                                        Deploy Test Consent ManagerAbility to publish changes to the test Consent Manager bundle. This changes the code contents of airgap.js and attempts to invalidate the CDN.ModifyConsent Manager
                                        • View Consent Manager
                                        Deploy Consent ManagerAbility to publish changes to the production and test Consent Manager bundle. This changes the code contents of airgap.js and attempts to invalidate the CDN.ModifyConsent Manager
                                        • View Consent Manager
                                        • Deploy Test Consent Manager
                                        Manage Assigned Consent ManagerManage Data Flows & Cookies assigned to you or your team.ModifyConsent Manager
                                        • View Assigned Consent Manager
                                        Manage Data FlowsAbility to manage and delete Data Flows and Cookies within the Consent Manager product.ModifyConsent Manager
                                        • View Data Flows
                                        View Opt Out StatusCheck the opt out status of a particular user.ViewPrivacy Requests, Consent Manager
                                          View Data FlowsView Data Flows (tracking purpose maps, site scans)ViewConsent Manager
                                          • View Consent Manager
                                          View Assigned Consent ManagerView Data Flows and Cookies assigned to you or your team.ViewConsent Manager
                                          • View Global Attributes
                                          View Consent ManagerView the consent manager configuration.ViewConsent Manager
                                          • View Global Attributes
                                          • View Managed Consent Database Admin API
                                          View AssessmentsView the assessments and assessment templates.ViewAssessments, Data Mapping
                                            Manage AssessmentsManage and edit assessments and assessment templatesModifyAssessments, Data Mapping
                                            • View Assessments
                                            View Assigned AssessmentsView the assigned assessments forms.ViewAssessments, Data Mapping
                                              Manage Assigned AssessmentsManage and edit the assigned assessments.ModifyAssessments, Data Mapping
                                              • View Assigned Assessments
                                              Approve AssessmentsApprove the assessments and assessment templatesModifyAssessments, Data Mapping
                                              • View Assessments
                                              View PathfinderView the pathfinder settings.ViewPathfinder
                                              • View Global Attributes
                                              Manage PathfinderManage the pathfinder settings under that pathfinder side menuModifyPathfinder
                                              • View Pathfinder
                                              View Contract ScanningView the contract scanning side menu - including setting and contracts.ViewPathfinder
                                              • View Global Attributes
                                              Manage Contract ScanningUpload and manage contracts under the contract scanning side menuModifyPathfinder
                                              • View Contract Scanning
                                              View PromptsView the prompts and prompt templates.ViewPrompt Manager
                                              • View Global Attributes
                                              Manage PromptsManage and edit prompts and prompt templatesModifyPrompt Manager
                                              • View Prompts
                                              View Prompt RunsView the output run results for prompts.ViewPrompt Manager
                                              • View Prompts
                                              Manage Prompt RunsManage, edit and create prompt run resultsModifyPrompt Manager
                                              • View Prompt Runs
                                              • View Prompts
                                              View Code ScanningView the code scanning tables.ViewData Mapping
                                              • View Global Attributes
                                              Manage Code ScanningManage, edit and create records in code scanningModifyData Mapping
                                              • View Code Scanning
                                              Execute PromptAbility to execute a prompt and view the outputsModifyPrompt Manager
                                              • View Prompt Runs
                                              • View Prompts
                                              View Auditor RunsView the output run results for Auditor.ViewWeb Auditor
                                                Manage Auditor Runs and SchedulesManage, edit and create prompt run resultsModifyWeb Auditor
                                                • View Auditor Runs
                                                Execute AuditorAbility to execute or schedule Auditor and view the outputsModifyWeb Auditor
                                                • View Auditor Runs
                                                Approve PromptsApprove the prompts and prompt templatesModifyPrompt Manager
                                                • View Prompts
                                                Manage Action Item CollectionsManage and edit action item collectionsModifyAdmin
                                                  View Managed Consent Database Admin APIAbility to query user consent preferences with the Managed Consent Database Admin APIViewConsent Manager, Preference Store
                                                    Modify User Stored PreferencesAbility to make updates to user stored consent preferencesModifyConsent Manager, Preference Store
                                                    • View Managed Consent Database Admin API

                                                    Every employee, partner, or person that should have a log in to your Transcend account is known as a member. By default, each member has no scopes. They cannot see any incoming Requests or private configurations for your organization. The only changes they can make are to their personal account settings.

                                                    In order for your members to start doing things like configuring your Privacy Center or Integrations or responding to Data Subject Requests you must assign them scopes.

                                                    You can manage and invite new "Users" on the Administration -> Users tab.

                                                    Administration Users section.

                                                    If you need to revoke access of a user in your Transcend instance, you can you click the trash icon next to the selected user on the Administration -> Users tab. If you are using Single Sign On, the easiest way to revoke access is to deactivate the user within your single sign on provider. This will prevent the user from having the ability to log in to Transcend.

                                                    If you have a need to programmatically remove a user from Transcend, you can leverage the EU Hosting GraphQL API or US Hosting GraphQL API with the following mutation:

                                                    mutation {
                                                      removeUser(input: { email: "INSERT_EMAIL@transcend.io" }) {
                                                        clientMutationId
                                                      }
                                                    }
                                                    

                                                    As a CURL, this would be the following for EU hosting (default hosting option):

                                                    curl 'https://api.transcend.io/graphql' -H 'Authentication: Bearer INSERT_API_KEY' -H 'Content-Type: application/json' -H 'Accept: application/json' --data-binary '{"query":"mutation {\n  removeUser(input: { email: \"INSERT_EMAIL@transcend.io\" }) {\n    clientMutationId\n  }\n}\n"}'
                                                    

                                                    or the following for US hosting option:

                                                    curl 'https://api.us.transcend.io/graphql' -H 'Authentication: Bearer INSERT_API_KEY' -H 'Content-Type: application/json' -H 'Accept: application/json' --data-binary '{"query":"mutation {\n  removeUser(input: { email: \"INSERT_EMAIL@transcend.io\" }) {\n    clientMutationId\n  }\n}\n"}'
                                                    

                                                    in the commands above, please replace:

                                                    • INSERT_API_KEY: a Transcend API key with the scope Manage Access Controls
                                                    • INSERT_EMAIL@transcend.io: the email address of the user to remove

                                                    It's common for similar groups of members to be assigned the same set of scopes. For this reason, we allow you to create teams of members, and assign scopes to everyone in that team. If you remove a member from a team, that member will lose the scopes it had from that team unless the member was also individually assigned those scopes. You can create, edit, and modify membership to teams in the "Administration" section under Teams →.

                                                    You can manage and invite new "Users" on from your profile icon in the bottom left, then "Administration", then Users → tab, and you can add the user to a specific team when they are invited, or retroactively.

                                                    Modify Team in Administration section.

                                                    When one of your employees logs into Transcend for the first time using their SSO login, if you expose some certain attributes to Transcend, the employee will be assigned to the Transcend team when their account is created, thus giving them a specific set of scopes by default.

                                                    You can enable the following SSO attribute mappings

                                                    AttributeTranscend Mapping
                                                    Employee Details.Titletitle
                                                    Employee Details.Departmentdepartment

                                                    In addition to mapping SSO attributes to a "Team" on Transcend, you can map SSO groups (AKA Okta Groups) to do the same. For organizations that already have groups set up, this is often the preferred method. For those without groups, attribute mapping is the preferred mapping. You must configure user access to the group within your SSO provider, and then map the group name to the Transcend team as shown in the image below. (Below, we are mapping the SSO group named "Engineering" to a Transcend team named "Developers").

                                                    You can make changes to the mapping between your SSO provider and Transcend Teams on the Teams → tab under Administration.

                                                    Map SSO Group to Transcend Team.

                                                    When a user is just in time provisioned and their SSO attributes do not map them to a team, the default behavior is that the user will have no scopes applied to them. If you want to set a default set of scopes for newly provisioned users, you can set a "Default Team" under Administration -> Single Sign On →. This team will be assigned to users that have no other teams provisioned to them. The newly created user will inherit the scopes of that team.

                                                    SSO Default Team.

                                                    In some situations, it makes sense to have multiple Transcend accounts for different business units within a larger organization. For example, there may be some parent company operating over multiple child companies with independent brands and data sharing practices.

                                                    It is possible to configure a single SSO group that does just-in-time provisioning across multiple Transcend instances. This is done by:

                                                    1. Follow the instructions in the section above to map an SSO group or department to a team in the parent Transcend instance where your SSO settings were configured.
                                                    2. For each Transcend instance that you want to provision access to, switch into that Transcend instance and select the team created in (1) as the "Linked Team from Parent Account"
                                                    Parent Team Linking