How to use roles to set user permissions

You can set permissions for new and existing users when creating or modifying a user in Org Settings > Users, and for users who have already been added in Org Settings > Identity & Access Management. See the separate articles on managing users and on Identity & Access Management for details. Note: if your organization has set up SSO or SCIM group sync, membership updates cannot be made through TerraTrue and must be done directly in your Identity Provider.

TerraTrue assigns permissions based on the following roles:

  1. Admin: Used for managing the organization settings on TerraTrue, including provisioning users, managing access, managing review teams and much more. This permission is particularly powerful, so consider carefully whom you grant it to.
    1. A user with the Admin permission can manage user roles and change the org settings within TerraTrue. The unique abilities that come with this permission are listed below, grouped by functionality. They are in addition to the built-in permissions and all other supported permissions.
      1. Launch Summary: 
        1. Delete any comment on a launch, even when not authored by that user.
      2. Organization Settings: 
        1. View organization history
        2. Add (or delete) a user
        3. Change a user's display name
        4. Configure IAM: add permissions to, and remove them from, users and review teams
        5. Add a user to (and remove from) a review team
        6. Add, edit, and remove review teams
  2. Observer: This is currently the only permission that restricts what a user can do as opposed to granting them additional abilities. The Observer permission is intended to be given to users who may want to observe your program on TerraTrue but otherwise not make changes to it. For example, you may want to grant the Observer permission to your compliance team or to an external legal counsel. While you may add additional permissions to a user who has the Observer permission, those added permissions may not fully take effect for those users; the Observer user is prevented from making sensitive modifications such as creating Data Specs, managing organization settings or deleting launches.
  3. Outbound Webhook Managers can view or modify the outbound webhooks for an organization, both as TerraTrue users and as external API users. 
  4. Workflow Managers can create, edit, and delete workflows such as Launch Summary Workflows, Launch Creation Workflows, Assessments, Data Specs, and Internal Surveys. This permission includes changing visibility and other related configuration rules for custom workflows.
  5. Data Spec Viewers can view Data Specs, which contain information about how a launch collects, uses, shares, and retains data. This role lets users view but not modify existing Data Specs. This permission is given by default to Everyone.
  6. Data Spec Editors can edit Data Specs and determine how launches will collect, use, share, and retain data. This role lets users not only view existing Data Specs but also create, modify, and delete them. It is not necessary to also grant the Data Spec Viewer permission, as it is implied. This permission is given by default to Everyone.
  7. Privacy Manager: Used for managing the Privacy and Customization organization settings on TerraTrue, including the Privacy Policy Permissions, the Privacy Profile, the Privacy Policy Generator among other privacy settings.
  8. Privacy Worksheet Viewers can view but not modify existing Privacy Worksheets and Privacy Assessments (DPIAs, LIAs, PIAs, and TIAs). Because a Privacy Worksheet contains data from the Data Spec, this permission also allows users to view Data Specs. It is not necessary to also grant the Data Spec Viewer permission, as it is implied.
  9. Privacy Worksheet Editors can view existing Privacy Worksheets and Privacy Assessments (DPIAs, LIAs, PIAs, and TIAs) as well as create, modify and delete them. It is not necessary to also grant the Privacy Worksheet Viewer permission, as it is implied.
  10. Launch Managers can delete launches, reset the status of launch reviews (invalidating prior reviews to indicate that a launch warrants a re-review due to a scope change or other reasons), and recover deleted launches. Launch Managers can also manage labels and components and import launches, all from the corresponding organization settings.
  11. Third Party Assessment Viewers can only view third party assessment invitations, third party assessment comments, and third party reports. Third Party Assessment Viewers can link third party assessment invitations to launches, but this role cannot create, send, or manage Third Party Assessments or Invitations.
  12. Third Party Managers can create a third party, update a third party along with its status, manage third party categories and attributes, create and manage third party assessment invitations, view third party assessment invitations, comments and reports, and create and manage third party assessment workflows.
  13. Data Catalog Admins set up the data catalog database connections. This role allows users to view, create, and edit ingestions and secrets, in addition to everything a Data Catalog Editor can do.
  14. Data Catalog Editors can edit datasets and classifications. This role allows users to view, search and update existing datasets, including the Data Types of a column and the description of a dataset.
  15. Data Catalog Viewers can view the Data Catalog and all scanned datasets. This role allows users to view and search existing datasets but not to modify the description of a dataset or the classification of its Data Types.

Privacy Program Permissions

TerraTrue recognizes the following specific Privacy management related permissions.

  • Data Spec Viewer
  • Data Spec Editor
  • Privacy Worksheet Viewer
  • Privacy Worksheet Editor
  • Privacy Manager

The following general permissions are also useful for Privacy program management.

  • Launch Manager
  • Workflow Manager

 

Third Party Management Permissions

TerraTrue recognizes the following specific Third Party management related permissions.

  • Third Party Manager
  • Third Party Assessment Viewer

The following general permissions are also useful for Third Party management.

  • Workflow Manager
  • Privacy Manager
  • Launch Manager

 

Data Privacy Engineering Permissions

TerraTrue recognizes the following specific data privacy engineering related permissions.

  • Data Catalog Admin
  • Data Catalog Viewer
  • Data Catalog Editor

 

Built-in permissions

Below is a detailed list of what every role is permitted to do, grouped by functionality. Please note that an asterisk (*) next to a line indicates that this ability is not available to users with the Observer permission.

Launchpad

  • Every role may view and search the Launchpad
  • Every role may add, modify and remove a Saved Search

Launch Summary

  • Every role may view any launch summary including comments and revision history
  • Every role may edit launch title, description, and due date*
  • Every role may add a launch comment and delete your own launch comment*
  • Every role may assign approval for a given approval role*

Privacy Central

  • Every role may view and search Privacy Central

Organization Settings

  • Every role may view users and their permissions*
  • Every role may view Review Teams and their memberships*
  • Every role may view label groups and their values

Taxonomies

  • Every role may view Data Use, Data Type, and Third Party taxonomies
  • Every role may add Data Use, Data Type, and Third Party custom taxonomies*

Support Portal

  • Every role may view and search all support cases and feature requests
  • Every role may create a new support case and feature request
  • Every role may edit the title, description, status, or priority of a support case
  • Every role may edit the title and description of a feature request
  • Every role may add a comment to a support case
  • Every role may delete any comment from a support case

 

Review Team's Assignee and Status

Throughout the review process, users will want to update the status of a review to indicate their progress and notify other users. Which users may change a review team's assignee or status depends on their role and on whether they are a member of that review team. The following list describes, for each kind of actor, what they may do to the reviewer assignment and to the review team status.

Pre-requisite: the user has access to the launch being interacted with.

  • Observer only
    Assign / re-assign / un-assign reviewer: Cannot alter in any way.
    Update review team status: Cannot alter in any way.
  • User on the review team
    Assign / re-assign / un-assign reviewer: Yes, can choose anyone in the review team to assign to.
    Update review team status: Yes, can update the status because they are on this review team. If no one was assigned prior, they become the Assignee.
  • Any user who is more privileged than Observer but not on the review team
    Assign / re-assign / un-assign reviewer: Yes, can choose anyone in the review team to assign to.
    Update review team status: Cannot alter in any way.
  • Launch Manager
    Assign / re-assign / un-assign reviewer: Yes, can choose anyone in the review team to assign to. Can also assign to self.
    Update review team status: Yes, can update the status even if they are not on this review team. If no one was assigned prior, they become the Assignee.
  • Launch Creator
    No extra privileges. If not a Launch Manager, can choose anyone in the review team to assign to, and cannot alter the status in any way if not on the review team.
  • Admin
    No extra privileges. If not a Launch Manager, can choose anyone in the review team to assign to, and cannot alter the status in any way if not on the review team.

Note that the Admin permission does not by itself grant the Launch Manager abilities above: an Admin who needs to update a review team status without being on that team must also hold the Launch Manager permission.