Group Permissions

For organizations managing multiple distinct brands, subsidiaries, or teams under a single parent umbrella, data privacy and isolation are critical. The Multi-Brand Group Permissions feature allows you to centralize your privacy program while maintaining strict barriers between your business units.

This feature ensures that a user belonging to "Brand A" can never access, view, or modify the data, integrations, or requests belonging to "Brand B" even though both exist within the same tenant.

Key Benefits

• Strict Data Segregation: Prevents the co-mingling of data between distinct business units, honoring complex ownership structures.
• Granular Access Control: Users interact only with the assets relevant to their specific group, reducing noise and increasing security.
• Enterprise Trust: Ensures that subsidiaries can adopt the platform with the guarantee that their data is firewalled from unauthorized internal users.

How it Works

DataGrail utilizes a Group-Based Access Control model that works in tandem with your existing roles. While your Role (e.g., Read-Only, Admin) dictates what actions you can perform, your Group dictates which data you can perform those actions on.

The Hierarchy

1. Super Admins: Have global visibility. They can view, edit, filter and manage data across all groups. They are the only users capable of re-assigning groups or managing system-wide settings.
2. Group Members: Restricted visibility. Users can be assigned to one or more groups and can only see objects (Integrations, Systems, Requests) belonging to their assigned groups.

Logic and Behavior

• Visibility: You only see groups you are assigned to. Groups you do not belong to are hidden from index tables, dropdowns, and filters. If you are assigned to multiple groups, you see data from all of them.
• Automatic Filtering: When viewing privacy requests, managing integrations, or working with any group-scoped data, the system automatically filters everything to match your assigned groups. You only see data tied to your assigned groups.
• Group Assignment: When you create a new object (such as adding a new Integration or manually adding a System), the group assignment depends on your access:
  • Single group: The object is automatically assigned to your group with no selection required.
  • Multiple groups: You are prompted to select which of your assigned groups to associate with the new object.
  • Super Admins: Can assign to any group.
• Strict Enforcement: Non-Super Admin users must be assigned to at least one group to read or write data in a multi-brand configuration.

Permissions Matrix

Feature	Super Admin	Group Member
View Data	All Groups	Assigned Groups Only
Create Assets	Can assign to any Group	Auto-assigned if one Group; can choose from assigned Groups if multiple
Edit Assets	Can edit any Group's assets	Can edit assigned Groups' assets
Re-assign Groups	Yes	No
User Management	Can assign users to Groups	N/A

Supported Product Areas

The following areas are scoped by User Group:

Integrations & API Keys

Users see a filtered view of the Integrations page. They can only view and manage connections and API keys that belong to their group.

Responsible Data Discovery

• Agents: Users view only agents deployed for their group.
• Classifications: Data classification results from RDD-enabled authentications are visible only if the authentication belongs to the user's group.
• Exports: CSV exports are automatically filtered to exclude rows from other groups.

Live Data Map

Users see only the Systems detected from authentications belonging to their group.

• Manual Entry: If a user manually adds a system, it is locked to their group by default.
• Super Admin Entry: Super Admins can manually assign a new system to any specific group during creation.

Request Manager

Privacy requests are strictly segregated to ensure legal compliance and data security.

• Portal Tickets: Users only see subject requests associated with their brand/group.
• Opt-Outs: Opt-out lists are filtered similarly.
• Exports: All compliance reporting exports respect group boundaries.

Processing Activities

Processing Activities are scoped by group.

• Visibility: Users only see Processing Activities belonging to their assigned groups.
• Suggested Activities: When adding suggested Processing Activities, suggestions are filtered by group and cross-referenced with your group's inventory items to ensure consistency.
• Uniqueness: Activity names must be unique within a group but can be reused across different groups.
• Exports: CSV exports respect group boundaries.

Consent

Consent Projects can be associated with a Multibrand Group. All resources within a project (containers, categories, layouts, banner styles, etc.) inherit the project's group assignment.

• Visibility: Users only see Consent Projects belonging to their assigned groups.
• Scoping: All project-level resources are automatically scoped through the project's group.

Global Consent Settings

Some customer-level consent settings, such as TCF configurations, remain shared across all groups and are not scoped to individual Multibrand Groups.

Future Support for User Groups

Currently, Risk Assessments and Automations function as global settings and cannot be scoped to specific User Groups.

Impact of Enabling Permissions: If you choose to enable the Permissions Feature now, please be aware that non-Admin users will lose access to these global areas. Until these features are updated to support specific groups, only Super Admins will be able to view or edit them.

Group Mapping

To streamline user management and avoid manual administrative overhead, this feature supports Okta Group Mapping. This allows you to manage user group assignments directly within your Identity Provider. Learn more here.