Group Permissions

For organizations managing multiple distinct brands, subsidiaries, or teams under a single parent umbrella, data privacy and isolation are critical. The Multi-Brand Group Permissions feature allows you to centralize your privacy program while maintaining strict barriers between your business units.

This feature ensures that a user belonging to "Brand A" can never access, view, or modify the data, integrations, or requests belonging to "Brand B" even though both exist within the same tenant.

Key Benefits

• Strict Data Segregation: Prevents the co-mingling of data between distinct business units, honoring complex ownership structures.
• Granular Access Control: Users interact only with the assets relevant to their specific group, reducing noise and increasing security.
• Enterprise Trust: Ensures that subsidiaries can adopt the platform with the guarantee that their data is firewalled from unauthorized internal users.

How it Works

DataGrail utilizes a Group-Based Access Control model that works in tandem with your existing roles. While your Role (e.g., Read-Only, Admin) dictates what actions you can perform, your Group dictates which data you can perform those actions on.

The Hierarchy

1. Super Admins: Have global visibility. They can view, edit, filter and manage data across all groups. They are the only users capable of re-assigning groups or managing system-wide settings.
2. Group Members: Restricted visibility. They can only see objects (Integrations, Systems, Requests) explicitly assigned to their group.

Logic and Behavior

• Visibility: If a user is assigned to the "Group A", the existence of all other groups is hidden. They will not see other groups in index tables, dropdowns, or filters.
• Automatic Assignment: When a Group Member creates a new object (such as adding a new Integration or manually adding a System), that object is automatically added to the user's group. The user does not need to select a group manually, and they cannot assign it to a group they do not belong to.
• Strict Enforcement: Non-Super Admin users must be assigned to a group to read or write data in a multi-brand configuration.

Permissions Matrix

Feature	Super Admin	Group Member
View Data	All Groups	Own Group Only
Create Assets	Can assign to any Group	Auto-assigned to Own Group
Edit Assets	Can edit any Group's assets	Can edit Own Group's assets
Re-assign Groups	Yes	No
User Management	Can assign users to Groups	N/A

Supported Product Areas

The following areas are scoped by User Group:

Integrations & API Keys

Users see a filtered view of the Integrations page. They can only view and manage connections and API keys that belong to their group.

Responsible Data Discovery

• Agents: Users view only agents deployed for their group.
• Classifications: Data classification results from RDD-enabled authentications are visible only if the authentication belongs to the user's group.
• Exports: CSV exports are automatically filtered to exclude rows from other groups.

Live Data Map

Users see only the Systems detected from authentications belonging to their group.

• Manual Entry: If a user manually adds a system, it is locked to their group by default.
• Super Admin Entry: Super Admins can manually assign a new system to any specific group during creation.

Request Manager

Privacy requests are strictly segregated to ensure legal compliance and data security.

• Portal Tickets: Users only see subject requests associated with their brand/group.
• Opt-Outs: Opt-out lists are filtered similarly.
• Exports: All compliance reporting exports respect group boundaries.

Future Support for User Groups

Currently, Processing Activities, Risk Assessments, Consent, and Automations function as global settings and cannot be scoped to specific User Groups.

Impact of Enabling Permissions: If you choose to enable the Permissions Feature now, please be aware that non-Admin users will lose access to these global areas. Until these features are updated to support specific groups, only Super Admins will be able to view or edit them.

Group Mapping

To streamline user management and avoid manual administrative overhead, this feature supports Okta Group Mapping. This allows you to manage user group assignments directly within your Identity Provider. Learn more here.