Skip to main content

Managing Users and Roles within DataGrail

DataGrail uses role-based access control to provide flexible user management throughout DataGrail's products. This document describes the available roles in the platform, the permissions they grant, and how to assign these roles to your users.

Managing Users and Roles

The full list of DataGrail users and their respective roles can be found by navigating to Settings and then User Admin. This page allows you to assign user roles and manage user invitations using Google and Microsoft SSO.

Group and Just-in-Time Provisioning

Customers using Group Provisioning or Just-in-Time Provisioning must manage user roles directly in their SAML provider.

Modifying Roles

User roles can be modified by taking the following steps within the DataGrail platform:

  1. Select the user for whom you'd like to modify permissions, and then select Edit User.

    Edit User

  2. Select the Roles dropdown to add or remove additional roles from the user's profile.

    User Roles

  3. (Optional) If the selected user needs to manage a system in Live Data Map, it can be assigned using the Systems to manage in LDM dropdown.

  4. (Optional) If the selected user needs to approve a system on a Privacy Request, it can be assigned using the Systems to Approve dropdown.

  5. Once complete, select Update User.

Roles and Permissions

DataGrail offers a number of roles with the platform to help your privacy team connect and maintain systems and manage requests.

Principle of Least Privilege

DataGrail recommends following the Principle of Least Privilege (PoLP) and only assigning users the role that provides the minimum permissions necessary for the user to perform their tasks within DataGrail.

General Roles

Super Admin

Super Admin roles have visibility into all product sections and can perform any action within DataGrail.

Connections Manager

The Connections Manager role is granted to a system owner who needs to connect an integration.

  • View and connect systems on the Integrations page

API Credentials Manager

The API Credentials Manager role is granted to a user who needs to create a DataGrail API Key.

  • View the and create API Keys in the API Keys section on the settings page

Content Manager

The Content Manager role is granted to users who need the ability to view and edit templates for emails sent from the DataGrail platform.

  • View and edit email templates for Request Manager

Request Manager Roles

Request Admin

The Request Admin is able to perform all the actions that the Request Agent can as well as the following:

  • View the Compliance Dashboard
  • Approve results for any connection where approval is required

Request Agent

The Request Agent role is able to perform all the actions that the Request Approver can. In addition, they can create and edit Privacy Requests as well as interact with Opt Out requests.

  • Create Privacy Requests
  • Edit Privacy Request details (i.e. request policy, data subject information, etc)
  • Stop processing Direct Contact integrations
  • Assign Privacy Requests
  • Process Privacy Requests
  • View and Complete Opt Out Requests

Request Approver

The Request Approver role is able to view and approve results on a Privacy Request for assigned system integrations.

  • Upload files to a Privacy Request
  • Edit Privacy Request results
  • View Privacy Request queue
  • View Privacy Request details
  • Comment on Privacy Requests
  • Approve results for assigned integrations on a Privacy Request

The Consent Management Admin role is able to perform all actions within the Consent Management product.

Connecting Integrations For Consent

The Connections Manager Role is also needed to connect Google Tag Manager and any integrations used by the Consent Product.

The Consent Management Edit role is able to perform all the actions that the Consent Management Read can. In addition, they can modify all Consent Management Settings.

  • Manage Consent Containers
  • Manage Consent Policies
  • Edit the Consent Banner Text and Style
  • Manage and Categorize Tracking Services
  • Publish to Connected Containers

The Consent Management Read role can view all sections within the Consent Product, but cannot modify any settings or publish changes.

  • View all Consent Management product sections
  • Download Consent Audits

Live Data Map Roles

Live Data Map Admin

The Live Data Map Admin role is able to perform all actions within the Live Data Map product.

Inventory Manager

The Inventory Manager role grants users the ability to manage the Live Data Map Inventory System Reports. This role may be assigned specific systems or have access to all systems for an organization.

  • View, edit, and approve Inventory System Reports
  • Export the Overview
  • Export the Data Processing Report

Risk Assessments Roles

Risk Assessments Admin

The Risk Assessments Admin role is able to perform all actions within the Risk Monitor product.

Responsible Data Discovery Roles

Data Discovery Admin

The Data Discovery Admin role is able to perform all actions within the Responsible Data Discovery product.

 

Need help?
If you have any questions, please reach out to your dedicated CSM or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.