Managing Users and Roles within DataGrail
DataGrail uses role-based access control to provide flexible user management throughout DataGrail's products. This document describes the available roles in the platform, the permissions they grant, and how to assign these roles to your users.
Managing Users and Roles
The full list of DataGrail users and their respective roles can be found by navigating to Settings and then User Admin. This page allows you to assign user roles and manage user invitations using Google and Microsoft SSO.
Customers using Group Provisioning or Just-in-Time Provisioning must manage user roles directly in their SAML provider.
Modifying Roles
User roles can be modified by taking the following steps within the DataGrail platform:
-
Select the user for whom you'd like to modify permissions, and then select Edit User.
-
Select the Roles dropdown to add or remove additional roles from the user's profile.
-
(Optional) If the selected user needs to manage a system in Live Data Map, it can be assigned using the Systems to manage in LDM dropdown.
-
(Optional) If the selected user needs to approve a system on a Privacy Request, it can be assigned using the Systems to Approve dropdown.
-
Once complete, select Update User.
Roles and Permissions
DataGrail offers a number of roles with the platform to help your privacy team connect and maintain systems and manage requests.
DataGrail recommends following the Principle of Least Privilege (PoLP) and only assigning users the role that provides the minimum permissions necessary for the user to perform their tasks within DataGrail.
General Roles
| Role | Description & Permissions |
|---|---|
| Super Admin | Full visibility into all product sections and can perform any action within DataGrail. |
| Connections Manager | Intended for system owners who must connect integrations. - View and connect systems on the Integrations page |
| API Credentials Manager | For users who need to create DataGrail API Keys. - View and create API Keys in the Settings > API Keys section |
| Content Manager | Manage email templates sent from the platform. - View and edit Request Manager email templates |
Request Manager Roles
| Role | Description & Permissions |
|---|---|
| Request Admin | All Request Agent capabilities plus: - View the Compliance Dashboard - Approve results for any connection needing approval |
| Request Agent | All Request Approver capabilities plus: - Create Privacy Requests - Edit Privacy Request details (policy, data subject info, etc.) - Stop processing Direct Contact integrations - Assign Privacy Requests - Process Privacy Requests - View and complete Opt Out Requests |
| Request Approver | Can view and approve results for assigned integrations. - Upload files to a Privacy Request - Edit Privacy Request results - View Privacy Request queue and details - Comment on Privacy Requests - Approve results for assigned integrations |
Consent Management Roles
| Role | Description & Permissions |
|---|---|
| Consent Management Admin | Can perform all actions within the Consent Management product. Also requires the Connections Manager Role to connect GTM and other Consent integrations. |
| Consent Management Edit | All Consent Management Read capabilities plus: - Manage Consent Containers - Manage Consent Policies - Edit Consent Banner text and style - Manage & categorize Tracking Services - Publish to connected containers |
| Consent Management Read | View-only for all Consent product sections. - View all Consent Management areas - Download Consent Audits |
The Connections Manager Role is also needed to connect Google Tag Manager and any integrations used by the Consent Product.
Live Data Map Roles
| Role | Description & Permissions |
|---|---|
| Live Data Map Admin | Can perform all actions within the Live Data Map product. |
| Inventory Manager | Manage Processing Activity Reports (may be scoped to specific systems or all). - View, edit, and approve Processing Activity Reports - Export the Overview - Export the Data Processing Report |
Risk Assessments Roles
| Role | Description & Permissions |
|---|---|
| Risk Assessments Admin | Can perform all actions within the Risk Monitor product. |
Responsible Data Discovery Roles
| Role | Description & Permissions |
|---|---|
| Data Discovery Admin | Can perform all actions within the Responsible Data Discovery product. |
| Data Discovery Read | Review and export Data Classification information. |
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.