From c6b88200156d329167686582dc276224f6c67772 Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Wed, 1 Mar 2023 09:17:11 +0000
Subject: [PATCH 01/16] allow template for sendgrid if exists

---
 .../messaging/message_dispatch_service.py     | 39 ++++++++++++++++---
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/fides/api/ops/service/messaging/message_dispatch_service.py b/src/fides/api/ops/service/messaging/message_dispatch_service.py
index e6f7673f77..afd65c1fc9 100644
--- a/src/fides/api/ops/service/messaging/message_dispatch_service.py
+++ b/src/fides/api/ops/service/messaging/message_dispatch_service.py
@@ -6,7 +6,7 @@
 import requests
 import sendgrid
 from loguru import logger
-from sendgrid.helpers.mail import Content, Email, Mail, To
+from sendgrid.helpers.mail import Content, Email, Mail, Personalization, TemplateId, To
 from sqlalchemy.orm import Session
 from twilio.base.exceptions import TwilioRestException
 from twilio.rest import Client
@@ -45,6 +45,7 @@
 from fides.core.config.config_proxy import ConfigProxy
 
 EMAIL_JOIN_STRING = ", "
+EMAIL_TEMPLATE_NAME = "fides"
 
 
 def check_and_dispatch_error_notifications(db: Session) -> None:
@@ -378,7 +379,7 @@ def _mailgun_dispatcher(
     try:
         # Check if a fides template exists
         template_test = requests.get(
-            f"{base_url}/{messaging_config.details[MessagingServiceDetails.API_VERSION.value]}/{domain}/templates/fides",
+            f"{base_url}/{messaging_config.details[MessagingServiceDetails.API_VERSION.value]}/{domain}/templates/{EMAIL_TEMPLATE_NAME}",
             auth=(
                 "api",
                 messaging_config.secrets[MessagingServiceSecrets.MAILGUN_API_KEY.value],
@@ -392,7 +393,7 @@ def _mailgun_dispatcher(
         }
 
         if template_test.status_code == 200:
-            data["template"] = "fides"
+            data["template"] = EMAIL_TEMPLATE_NAME
             data["h:X-Mailgun-Variables"] = json.dumps(
                 {"fides_email_body": message.body}
             )
@@ -456,18 +457,27 @@ def _twilio_email_dispatcher(
         )
 
     try:
+
         sg = sendgrid.SendGridAPIClient(
             api_key=messaging_config.secrets[
                 MessagingServiceSecrets.TWILIO_API_KEY.value
             ]
         )
+        template_test = _get_template_id_if_exists(sg, EMAIL_TEMPLATE_NAME)
+
         from_email = Email(
             messaging_config.details[MessagingServiceDetails.TWILIO_EMAIL_FROM.value]
         )
         to_email = To(to.strip())
         subject = message.subject
-        content = Content("text/html", message.body)
-        mail = Mail(from_email, to_email, subject, content)
+        if template_test:
+            personalization = Personalization()
+            personalization.dynamic_template_data = {"fides_email_body": message.body}
+            template_id = TemplateId(template_test)
+            mail = Mail(from_email, to_email, personalization, template_id)
+        else:
+            content = Content("text/html", message.body)
+            mail = Mail(from_email, to_email, subject, content)
         response = sg.client.mail.send.post(request_body=mail.get())
         if response.status_code >= 400:
             logger.error(
@@ -526,3 +536,22 @@ def _twilio_sms_dispatcher(
     except TwilioRestException as e:
         logger.error("Twilio SMS failed to send: {}", Pii(str(e)))
         raise MessageDispatchException(f"Twilio SMS failed to send due to: {Pii(e)}")
+
+
+def _get_template_id_if_exists(
+    sg: sendgrid.SendGridAPIClient, template_name: str
+) -> Optional[str]:
+    """
+    Checks to see if a SendGrid template exists for Fides, returning the id if so
+    """
+
+    params = {"generations": "legacy,dynamic", "page_size": 18}
+
+    response = sg.client.templates.get(query_params=params)
+
+    response_body_dict = json.loads(response.body)
+
+    for template in response_body_dict["result"]:
+        if template["name"].lower() == template_name.lower():
+            return template["id"]
+    return None

From ab4ddc7b39b01a364b0b61f659227e62381f7ab3 Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Wed, 1 Mar 2023 14:58:59 +0000
Subject: [PATCH 02/16] reconfigure sending from a template, dynamic only

---
 .../api/ops/service/messaging/message_dispatch_service.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/fides/api/ops/service/messaging/message_dispatch_service.py b/src/fides/api/ops/service/messaging/message_dispatch_service.py
index afd65c1fc9..ef143edcb9 100644
--- a/src/fides/api/ops/service/messaging/message_dispatch_service.py
+++ b/src/fides/api/ops/service/messaging/message_dispatch_service.py
@@ -471,10 +471,12 @@ def _twilio_email_dispatcher(
         to_email = To(to.strip())
         subject = message.subject
         if template_test:
+            mail = Mail(from_email=from_email, subject=subject)
+            mail.template_id = TemplateId(template_test)
             personalization = Personalization()
             personalization.dynamic_template_data = {"fides_email_body": message.body}
-            template_id = TemplateId(template_test)
-            mail = Mail(from_email, to_email, personalization, template_id)
+            personalization.add_email(to_email)
+            mail.add_personalization(personalization)
         else:
             content = Content("text/html", message.body)
             mail = Mail(from_email, to_email, subject, content)
@@ -545,7 +547,7 @@ def _get_template_id_if_exists(
     Checks to see if a SendGrid template exists for Fides, returning the id if so
     """
 
-    params = {"generations": "legacy,dynamic", "page_size": 18}
+    params = {"generations": "dynamic", "page_size": 18}
 
     response = sg.client.templates.get(query_params=params)
 

From c6df2577bd74414e894acff6bc1514b2c587d624 Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Wed, 1 Mar 2023 18:14:37 +0000
Subject: [PATCH 03/16] use max page limit due to broken client pagination

---
 .../api/ops/service/messaging/message_dispatch_service.py  | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/fides/api/ops/service/messaging/message_dispatch_service.py b/src/fides/api/ops/service/messaging/message_dispatch_service.py
index ef143edcb9..97fb676578 100644
--- a/src/fides/api/ops/service/messaging/message_dispatch_service.py
+++ b/src/fides/api/ops/service/messaging/message_dispatch_service.py
@@ -547,10 +547,11 @@ def _get_template_id_if_exists(
     Checks to see if a SendGrid template exists for Fides, returning the id if so
     """
 
-    params = {"generations": "dynamic", "page_size": 18}
-
+    # the pagination via the client actually doesn't work
+    # in lieu of over-engineering this we can manually call
+    # the next page if/when we hit the limit here
+    params = {"generations": "dynamic", "page_size": 200}
     response = sg.client.templates.get(query_params=params)
-
     response_body_dict = json.loads(response.body)
 
     for template in response_body_dict["result"]:

From 5368c054adddc97cac07411a64a8a7ca93761271 Mon Sep 17 00:00:00 2001
From: Sebastian Sangervasi <2236777+ssangervasi@users.noreply.github.com>
Date: Wed, 1 Mar 2023 11:19:16 -0800
Subject: [PATCH 04/16] [2460]: Change "manual webhook" to "manual process" in
 FE (#2717)

---
 CHANGELOG.md                                                | 1 +
 .../cypress/fixtures/connectors/connection_types.json       | 2 +-
 clients/admin-ui/src/constants.ts                           | 6 +++---
 .../manual-processing/ManualProcessingList.tsx              | 2 +-
 src/fides/api/ops/models/connectionconfig.py                | 2 +-
 .../api/v1/endpoints/test_connection_template_endpoints.py  | 2 +-
 6 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5d3916ed0b..26c8ad03d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ The types of changes are:
   * Add flow for selecting system types when manually creating a system [#2530](https://github.com/ethyca/fides/pull/2530)
   * Updated forms for privacy declarations [#2648](https://github.com/ethyca/fides/pull/2648)
   * Delete flow for privacy declarations [#2664](https://github.com/ethyca/fides/pull/2664)
+  * "Manual Webhook" has been renamed to "Manual Process". [#2717](https://github.com/ethyca/fides/pull/2717)
 * Convert all config values to Pydantic `Field` objects [#2613](https://github.com/ethyca/fides/pull/2613)
 * Add warning to 'fides deploy' when installed outside of a virtual environment [#2641](https://github.com/ethyca/fides/pull/2641)
 * Redesigned the default/init config file to be auto-documented. Also updates the `fides init` logic and analytics consent logic [#2694](https://github.com/ethyca/fides/pull/2694)
diff --git a/clients/admin-ui/cypress/fixtures/connectors/connection_types.json b/clients/admin-ui/cypress/fixtures/connectors/connection_types.json
index 5804649ea6..96490a753e 100644
--- a/clients/admin-ui/cypress/fixtures/connectors/connection_types.json
+++ b/clients/admin-ui/cypress/fixtures/connectors/connection_types.json
@@ -57,7 +57,7 @@
     {
       "identifier": "manual_webhook",
       "type": "manual",
-      "human_readable": "Manual Webhook",
+      "human_readable": "Manual Process",
       "encoded_icon": null
     },
     {
diff --git a/clients/admin-ui/src/constants.ts b/clients/admin-ui/src/constants.ts
index 8ff6e55b7d..4861d42447 100644
--- a/clients/admin-ui/src/constants.ts
+++ b/clients/admin-ui/src/constants.ts
@@ -109,15 +109,15 @@ export const USER_PRIVILEGES: UserPrivileges[] = [
     scope: "privacy-request:view_data",
   },
   {
-    privilege: "Create manual webhooks",
+    privilege: "Create manual processes",
     scope: "webhook:create_or_update",
   },
   {
-    privilege: "Read manual webhooks",
+    privilege: "Read manual processes",
     scope: "webhook:read",
   },
   {
-    privilege: "Delete manual webhooks",
+    privilege: "Delete manual processes",
     scope: "webhook:delete",
   },
 ];
diff --git a/clients/admin-ui/src/features/privacy-requests/manual-processing/ManualProcessingList.tsx b/clients/admin-ui/src/features/privacy-requests/manual-processing/ManualProcessingList.tsx
index efb0aa28cf..3b1340c867 100644
--- a/clients/admin-ui/src/features/privacy-requests/manual-processing/ManualProcessingList.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/manual-processing/ManualProcessingList.tsx
@@ -229,7 +229,7 @@ const ManualProcessingList: React.FC<ManualProcessingListProps> = ({
                     <Td colSpan={3} pl="0">
                       <Center>
                         <Text>
-                          You don&lsquo;t have any Manual Webhook connections
+                          You don&lsquo;t have any Manual Process connections
                           set up yet.
                         </Text>
                       </Center>
diff --git a/src/fides/api/ops/models/connectionconfig.py b/src/fides/api/ops/models/connectionconfig.py
index ef9a6a78e9..07095ef52d 100644
--- a/src/fides/api/ops/models/connectionconfig.py
+++ b/src/fides/api/ops/models/connectionconfig.py
@@ -70,7 +70,7 @@ def human_readable(self) -> str:
             ConnectionType.bigquery.value: "BigQuery",
             ConnectionType.manual.value: "Manual Connector",
             ConnectionType.email.value: "Email Connector",
-            ConnectionType.manual_webhook.value: "Manual Webhook",
+            ConnectionType.manual_webhook.value: "Manual Process",
             ConnectionType.timescale.value: "TimescaleDB",
             ConnectionType.fides.value: "Fides Connector",
             ConnectionType.sovrn.value: "Sovrn",
diff --git a/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py b/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
index 074466a062..66e12fa31a 100644
--- a/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
@@ -310,7 +310,7 @@ def test_search_manual_system_type(self, api_client, generate_auth_header, url):
             {
                 "identifier": "manual_webhook",
                 "type": "manual",
-                "human_readable": "Manual Webhook",
+                "human_readable": "Manual Process",
                 "encoded_icon": None,
             }
         ]

From 0e7d3f78c47daa5d9ffad4610d8f58bbae96eb5f Mon Sep 17 00:00:00 2001
From: Allison King <allison@ethyca.com>
Date: Wed, 1 Mar 2023 15:54:56 -0500
Subject: [PATCH 05/16] Privacy declaration updates (#2723)

---
 clients/admin-ui/cypress/e2e/systems.cy.ts    | 15 ++++-
 .../src/features/common/form/inputs.tsx       |  7 +-
 .../src/features/config-wizard/AddSystem.tsx  |  4 +-
 .../features/config-wizard/SystemOption.tsx   |  2 +-
 .../src/features/dataset/dataset.slice.ts     |  7 ++
 .../features/system/SystemInformationForm.tsx |  1 +
 .../PrivacyDeclarationAccordion.tsx           |  1 +
 .../PrivacyDeclarationForm.tsx                | 67 +++++++++----------
 .../PrivacyDeclarationManager.tsx             |  1 +
 .../PrivacyDeclarationStep.tsx                |  7 +-
 .../system/privacy-declarations/hooks.ts      | 44 ++++++++++++
 clients/admin-ui/src/flags.json               |  6 ++
 12 files changed, 121 insertions(+), 41 deletions(-)
 create mode 100644 clients/admin-ui/src/features/system/privacy-declarations/hooks.ts

diff --git a/clients/admin-ui/cypress/e2e/systems.cy.ts b/clients/admin-ui/cypress/e2e/systems.cy.ts
index c4e5e732b0..e6b9647bde 100644
--- a/clients/admin-ui/cypress/e2e/systems.cy.ts
+++ b/clients/admin-ui/cypress/e2e/systems.cy.ts
@@ -56,6 +56,9 @@ describe("System management page", () => {
       beforeEach(() => {
         stubTaxonomyEntities();
         stubSystemCrud();
+        cy.intercept("GET", "/api/v1/dataset", { fixture: "datasets.json" }).as(
+          "getDatasets"
+        );
         cy.intercept("GET", "/api/v1/connection_type*", {
           fixture: "connectors/connection_types.json",
         }).as("getConnectionTypes");
@@ -128,7 +131,12 @@ describe("System management page", () => {
           // Fill in the privacy declaration form
           cy.getByTestId("tab-Data uses").click();
           cy.getByTestId("add-btn").click();
-          cy.wait(["@getDataCategories", "@getDataSubjects", "@getDataUses"]);
+          cy.wait([
+            "@getDataCategories",
+            "@getDataSubjects",
+            "@getDataUses",
+            "@getDatasets",
+          ]);
           cy.getByTestId("new-declaration-form");
           const declaration = system.privacy_declarations[0];
           cy.getByTestId("input-data_use").click();
@@ -141,6 +149,10 @@ describe("System management page", () => {
           declaration.data_subjects.forEach((ds) => {
             cy.getByTestId("input-data_subjects").type(`${ds}{enter}`);
           });
+          cy.getByTestId("input-dataset_references").click();
+          cy.getByTestId("input-dataset_references").within(() => {
+            cy.contains("Demo Users Dataset 2").click();
+          });
 
           cy.getByTestId("save-btn").click();
           cy.wait("@putSystem").then((interception) => {
@@ -150,6 +162,7 @@ describe("System management page", () => {
               data_use: declaration.data_use,
               data_categories: declaration.data_categories,
               data_subjects: declaration.data_subjects,
+              dataset_references: ["demo_users_dataset_2"],
             });
           });
           cy.getByTestId("new-declaration-form").within(() => {
diff --git a/clients/admin-ui/src/features/common/form/inputs.tsx b/clients/admin-ui/src/features/common/form/inputs.tsx
index a6186266e6..2cd2de5810 100644
--- a/clients/admin-ui/src/features/common/form/inputs.tsx
+++ b/clients/admin-ui/src/features/common/form/inputs.tsx
@@ -80,7 +80,12 @@ const TextInput = ({
 
   return (
     <InputGroup size="sm" mr="2">
-      <Input {...props} type={type} pr={isPassword ? "10" : "3"} />
+      <Input
+        {...props}
+        type={type}
+        pr={isPassword ? "10" : "3"}
+        background="white"
+      />
       {isPassword ? (
         <InputRightElement pr="2">
           <IconButton
diff --git a/clients/admin-ui/src/features/config-wizard/AddSystem.tsx b/clients/admin-ui/src/features/config-wizard/AddSystem.tsx
index a7ca49df8c..f06f93e171 100644
--- a/clients/admin-ui/src/features/config-wizard/AddSystem.tsx
+++ b/clients/admin-ui/src/features/config-wizard/AddSystem.tsx
@@ -51,7 +51,7 @@ const AddSystem = () => {
       </Stack>
       <Box data-testid="manual-options">
         <SectionTitle>Manually add systems</SectionTitle>
-        <SimpleGrid columns={{ sm: 2, md: 3 }} spacing="4">
+        <SimpleGrid columns={{ base: 1, md: 2, xl: 3 }} spacing="4">
           <SystemOption
             label="Add a system"
             icon={<ManualSetupIcon boxSize={8} />}
@@ -67,7 +67,7 @@ const AddSystem = () => {
 
       <Box data-testid="automated-options">
         <SectionTitle>Automated infrastructure scanning</SectionTitle>
-        <SimpleGrid columns={{ sm: 2, md: 3 }} spacing="4">
+        <SimpleGrid columns={{ base: 1, md: 2, xl: 3 }} spacing="4">
           <SystemOption
             label="Scan your infrastructure (AWS)"
             description="Automatically discover new systems in your AWS infrastructure"
diff --git a/clients/admin-ui/src/features/config-wizard/SystemOption.tsx b/clients/admin-ui/src/features/config-wizard/SystemOption.tsx
index a29cb681df..08d80d58a4 100644
--- a/clients/admin-ui/src/features/config-wizard/SystemOption.tsx
+++ b/clients/admin-ui/src/features/config-wizard/SystemOption.tsx
@@ -41,7 +41,7 @@ const SystemOption = ({
       whiteSpace="break-spaces"
       textAlign="left"
     >
-      <Box as="span" display="flex" alignItems="center">
+      <Box as="span" display="flex" alignItems="center" mb={2}>
         {icon}
         <Text fontWeight="semibold" color="gray.700" as="span" ml={3}>
           {label}
diff --git a/clients/admin-ui/src/features/dataset/dataset.slice.ts b/clients/admin-ui/src/features/dataset/dataset.slice.ts
index c927e706ed..296ee8ac9d 100644
--- a/clients/admin-ui/src/features/dataset/dataset.slice.ts
+++ b/clients/admin-ui/src/features/dataset/dataset.slice.ts
@@ -153,6 +153,13 @@ export const { reducer } = datasetSlice;
 
 const selectDataset = (state: RootState) => state.dataset;
 
+const emptyDatasets: Dataset[] = [];
+export const selectAllDatasets: (state: RootState) => Dataset[] =
+  createSelector(
+    datasetApi.endpoints.getAllDatasets.select(),
+    ({ data }) => data ?? emptyDatasets
+  );
+
 export const selectActiveDatasetFidesKey = createSelector(
   selectDataset,
   (state) => state.activeDatasetFidesKey
diff --git a/clients/admin-ui/src/features/system/SystemInformationForm.tsx b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
index 37f6ab1dbb..0bbec56b8c 100644
--- a/clients/admin-ui/src/features/system/SystemInformationForm.tsx
+++ b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
@@ -35,6 +35,7 @@ import SystemInformationFormExtension from "~/features/system/SystemInformationF
 import { ResourceTypes, System } from "~/types/api";
 
 const ValidationSchema = Yup.object().shape({
+  name: Yup.string().required().label("System name"),
   fides_key: Yup.string().required().label("System key"),
 });
 
diff --git a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationAccordion.tsx b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationAccordion.tsx
index 12c442086b..32f2919d3c 100644
--- a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationAccordion.tsx
+++ b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationAccordion.tsx
@@ -24,6 +24,7 @@ interface AccordionProps extends DataProps {
     newDeclaration: PrivacyDeclaration
   ) => Promise<boolean>;
   onDelete: (declaration: PrivacyDeclaration) => Promise<boolean>;
+  includeDeprecatedFields?: boolean;
 }
 
 const PrivacyDeclarationAccordionItem = ({
diff --git a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationForm.tsx b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationForm.tsx
index ea70fb4160..7b0f780f10 100644
--- a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationForm.tsx
+++ b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationForm.tsx
@@ -17,23 +17,11 @@ import { Form, Formik, FormikHelpers, useFormikContext } from "formik";
 import { useMemo, useState } from "react";
 import * as Yup from "yup";
 
-import { useAppSelector } from "~/app/hooks";
 import ConfirmationModal from "~/features/common/ConfirmationModal";
-import { CustomSelect } from "~/features/common/form/inputs";
-import {
-  selectDataSubjects,
-  useGetAllDataSubjectsQuery,
-} from "~/features/data-subjects/data-subject.slice";
-import {
-  selectDataUses,
-  useGetAllDataUsesQuery,
-} from "~/features/data-use/data-use.slice";
-import {
-  selectDataCategories,
-  useGetAllDataCategoriesQuery,
-} from "~/features/taxonomy/taxonomy.slice";
+import { CustomSelect, CustomTextInput } from "~/features/common/form/inputs";
 import {
   DataCategory,
+  Dataset,
   DataSubject,
   DataUse,
   PrivacyDeclaration,
@@ -53,6 +41,7 @@ const defaultInitialValues: PrivacyDeclaration = {
   data_categories: [],
   data_subjects: [],
   data_use: "",
+  dataset_references: [],
 };
 
 type FormValues = typeof defaultInitialValues;
@@ -61,18 +50,28 @@ export interface DataProps {
   allDataCategories: DataCategory[];
   allDataUses: DataUse[];
   allDataSubjects: DataSubject[];
+  allDatasets?: Dataset[];
 }
 
 export const PrivacyDeclarationFormComponents = ({
   allDataUses,
   allDataCategories,
   allDataSubjects,
+  allDatasets,
   onDelete,
-}: DataProps & Pick<Props, "onDelete">) => {
+  includeDeprecatedFields,
+}: DataProps & Pick<Props, "onDelete" | "includeDeprecatedFields">) => {
   const { dirty, isSubmitting, isValid, initialValues } =
     useFormikContext<FormValues>();
   const deleteModal = useDisclosure();
 
+  const datasetOptions = allDatasets
+    ? allDatasets.map((d) => ({
+        label: d.name ?? d.fides_key,
+        value: d.fides_key,
+      }))
+    : [];
+
   const handleDelete = async () => {
     await onDelete(initialValues);
     deleteModal.onClose();
@@ -94,6 +93,14 @@ export const PrivacyDeclarationFormComponents = ({
         variant="stacked"
         singleValueBlock
       />
+      {includeDeprecatedFields ? (
+        <CustomTextInput
+          id="name"
+          label="Privacy declaration name (deprecated)"
+          name="name"
+          variant="stacked"
+        />
+      ) : null}
       <CustomSelect
         name="data_categories"
         label="Data categories"
@@ -116,6 +123,16 @@ export const PrivacyDeclarationFormComponents = ({
         isMulti
         variant="stacked"
       />
+      {allDatasets ? (
+        <CustomSelect
+          name="dataset_references"
+          label="Dataset references"
+          options={datasetOptions}
+          tooltip="Referenced Dataset fides keys used by the system."
+          isMulti
+          variant="stacked"
+        />
+      ) : null}
       <ButtonGroup size="sm" display="flex" justifyContent="space-between">
         <Button
           variant="outline"
@@ -147,25 +164,6 @@ export const PrivacyDeclarationFormComponents = ({
   );
 };
 
-/**
- * Set up subscriptions to all taxonomy resources
- */
-export const useTaxonomyData = () => {
-  // Query subscriptions:
-  const { isLoading: isLoadingDataCategories } = useGetAllDataCategoriesQuery();
-  const { isLoading: isLoadingDataSubjects } = useGetAllDataSubjectsQuery();
-  const { isLoading: isLoadingDataUses } = useGetAllDataUsesQuery();
-
-  const allDataCategories = useAppSelector(selectDataCategories);
-  const allDataSubjects = useAppSelector(selectDataSubjects);
-  const allDataUses = useAppSelector(selectDataUses);
-
-  const isLoading =
-    isLoadingDataCategories || isLoadingDataSubjects || isLoadingDataUses;
-
-  return { allDataCategories, allDataSubjects, allDataUses, isLoading };
-};
-
 /**
  * Hook to supply all data needed for the privacy declaration form
  * Purposefully excludes redux queries so that this can be used across apps
@@ -234,6 +232,7 @@ interface Props {
   ) => Promise<boolean>;
   onDelete: (declaration: PrivacyDeclaration) => Promise<boolean>;
   initialValues?: PrivacyDeclaration;
+  includeDeprecatedFields?: boolean;
 }
 
 export const PrivacyDeclarationForm = ({
diff --git a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationManager.tsx b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationManager.tsx
index b625d45977..d016871f95 100644
--- a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationManager.tsx
+++ b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationManager.tsx
@@ -23,6 +23,7 @@ interface Props {
     privacyDeclarations: PrivacyDeclaration[],
     isDelete?: boolean
   ) => Promise<boolean>;
+  includeDeprecatedFields?: boolean;
 }
 
 const PrivacyDeclarationManager = ({
diff --git a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationStep.tsx b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationStep.tsx
index e219468ab6..59d5810b81 100644
--- a/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationStep.tsx
+++ b/clients/admin-ui/src/features/system/privacy-declarations/PrivacyDeclarationStep.tsx
@@ -4,12 +4,13 @@ import { FetchBaseQueryError } from "@reduxjs/toolkit/dist/query/fetchBaseQuery"
 import NextLink from "next/link";
 
 import { useAppDispatch } from "~/app/hooks";
+import { useFeatures } from "~/features/common/features";
 import { getErrorMessage, isErrorResult } from "~/features/common/helpers";
 import { errorToastParams, successToastParams } from "~/features/common/toast";
 import { setActiveSystem, useUpdateSystemMutation } from "~/features/system";
 import { PrivacyDeclaration, System } from "~/types/api";
 
-import { useTaxonomyData } from "./PrivacyDeclarationForm";
+import { usePrivacyDeclarationData } from "./hooks";
 import PrivacyDeclarationManager from "./PrivacyDeclarationManager";
 
 interface Props {
@@ -20,7 +21,8 @@ const PrivacyDeclarationStep = ({ system }: Props) => {
   const toast = useToast();
   const dispatch = useAppDispatch();
   const [updateSystemMutationTrigger] = useUpdateSystemMutation();
-  const { isLoading, ...dataProps } = useTaxonomyData();
+  const { isLoading, ...dataProps } = usePrivacyDeclarationData();
+  const { flags } = useFeatures();
 
   const handleSave = async (
     updatedDeclarations: PrivacyDeclaration[],
@@ -95,6 +97,7 @@ const PrivacyDeclarationStep = ({ system }: Props) => {
           system={system}
           onCollision={collisionWarning}
           onSave={handleSave}
+          includeDeprecatedFields={flags.privacyDeclarationDeprecatedFields}
           {...dataProps}
         />
       )}
diff --git a/clients/admin-ui/src/features/system/privacy-declarations/hooks.ts b/clients/admin-ui/src/features/system/privacy-declarations/hooks.ts
new file mode 100644
index 0000000000..a2954f5eea
--- /dev/null
+++ b/clients/admin-ui/src/features/system/privacy-declarations/hooks.ts
@@ -0,0 +1,44 @@
+import { useAppSelector } from "~/app/hooks";
+import {
+  selectDataSubjects,
+  useGetAllDataSubjectsQuery,
+} from "~/features/data-subjects/data-subject.slice";
+import {
+  selectDataUses,
+  useGetAllDataUsesQuery,
+} from "~/features/data-use/data-use.slice";
+import { selectAllDatasets, useGetAllDatasetsQuery } from "~/features/dataset";
+import {
+  selectDataCategories,
+  useGetAllDataCategoriesQuery,
+} from "~/features/taxonomy";
+
+/**
+ * Set up subscriptions to all taxonomy resources
+ */
+export const usePrivacyDeclarationData = () => {
+  // Query subscriptions:
+  const { isLoading: isLoadingDataCategories } = useGetAllDataCategoriesQuery();
+  const { isLoading: isLoadingDataSubjects } = useGetAllDataSubjectsQuery();
+  const { isLoading: isLoadingDataUses } = useGetAllDataUsesQuery();
+  const { isLoading: isLoadingDatasets } = useGetAllDatasetsQuery();
+
+  const allDataCategories = useAppSelector(selectDataCategories);
+  const allDataSubjects = useAppSelector(selectDataSubjects);
+  const allDataUses = useAppSelector(selectDataUses);
+  const allDatasets = useAppSelector(selectAllDatasets);
+
+  const isLoading =
+    isLoadingDataCategories ||
+    isLoadingDataSubjects ||
+    isLoadingDataUses ||
+    isLoadingDatasets;
+
+  return {
+    allDataCategories,
+    allDataSubjects,
+    allDataUses,
+    allDatasets,
+    isLoading,
+  };
+};
diff --git a/clients/admin-ui/src/flags.json b/clients/admin-ui/src/flags.json
index 886128b55c..95e19142ee 100644
--- a/clients/admin-ui/src/flags.json
+++ b/clients/admin-ui/src/flags.json
@@ -21,5 +21,11 @@
     "development": true,
     "production": true,
     "test": true
+  },
+  "privacyDeclarationDeprecatedFields": {
+    "description": "Show deprecated fields when adding/editing privacy declarations.",
+    "development": true,
+    "production": false,
+    "test": false
   }
 }

From 532c5583a9afa43645f3c1820ab8b86a95de0f77 Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Wed, 1 Mar 2023 22:46:46 +0000
Subject: [PATCH 06/16] add tests for template function

---
 .../messaging/message_dispatch_service.py     | 22 ++++++-----
 .../message_dispatch_service_test.py          | 37 +++++++++++++++++++
 2 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/src/fides/api/ops/service/messaging/message_dispatch_service.py b/src/fides/api/ops/service/messaging/message_dispatch_service.py
index 97fb676578..375a6a6b39 100644
--- a/src/fides/api/ops/service/messaging/message_dispatch_service.py
+++ b/src/fides/api/ops/service/messaging/message_dispatch_service.py
@@ -463,7 +463,16 @@ def _twilio_email_dispatcher(
                 MessagingServiceSecrets.TWILIO_API_KEY.value
             ]
         )
-        template_test = _get_template_id_if_exists(sg, EMAIL_TEMPLATE_NAME)
+
+        # the pagination via the client actually doesn't work
+        # in lieu of over-engineering this we can manually call
+        # the next page if/when we hit the limit here
+        response = sg.client.templates.get(
+            query_params={"generations": "dynamic", "page_size": 200}
+        )
+        template_test = _get_template_id_if_exists(
+            json.loads(response.body), EMAIL_TEMPLATE_NAME
+        )
 
         from_email = Email(
             messaging_config.details[MessagingServiceDetails.TWILIO_EMAIL_FROM.value]
@@ -541,20 +550,13 @@ def _twilio_sms_dispatcher(
 
 
 def _get_template_id_if_exists(
-    sg: sendgrid.SendGridAPIClient, template_name: str
+    templates_response: Dict[str, List], template_name: str
 ) -> Optional[str]:
     """
     Checks to see if a SendGrid template exists for Fides, returning the id if so
     """
 
-    # the pagination via the client actually doesn't work
-    # in lieu of over-engineering this we can manually call
-    # the next page if/when we hit the limit here
-    params = {"generations": "dynamic", "page_size": 200}
-    response = sg.client.templates.get(query_params=params)
-    response_body_dict = json.loads(response.body)
-
-    for template in response_body_dict["result"]:
+    for template in templates_response["result"]:
         if template["name"].lower() == template_name.lower():
             return template["id"]
     return None
diff --git a/tests/ops/service/messaging/message_dispatch_service_test.py b/tests/ops/service/messaging/message_dispatch_service_test.py
index d2506ff7c8..1a5338073d 100644
--- a/tests/ops/service/messaging/message_dispatch_service_test.py
+++ b/tests/ops/service/messaging/message_dispatch_service_test.py
@@ -25,6 +25,7 @@
 from fides.api.ops.schemas.redis_cache import Identity
 from fides.api.ops.service.messaging.message_dispatch_service import (
     _get_dispatcher_from_config_type,
+    _get_template_id_if_exists,
     _twilio_email_dispatcher,
     _twilio_sms_dispatcher,
     dispatch_message,
@@ -32,6 +33,32 @@
 from fides.core.config import CONFIG
 
 
+@pytest.fixture
+def test_template_response_body():
+    yield {
+        "result": [
+            {
+                "id": "d-0507bb6d47cb46f38761f541b9cb8507",
+                "name": "fides",
+                "generation": "dynamic",
+                "updated_at": "2023-02-28 00:43:28",
+                "versions": [
+                    {
+                        "id": "2080ab46-ebd2-40fa-b595-01d3e94e2700",
+                        "template_id": "d-0507bb6d47cb46f38761f541b9cb8507",
+                        "active": 1,
+                        "name": "fides",
+                        "generate_plain_content": False,
+                        "subject": "DSR Testing",
+                        "updated_at": "2023-03-01 13:34:23",
+                        "editor": "design",
+                    }
+                ],
+            },
+        ]
+    }
+
+
 @pytest.mark.unit
 class TestMessageDispatchService:
     @mock.patch(
@@ -429,6 +456,16 @@ def test_dispatch_no_secrets(self, messaging_config_twilio_email):
 
         assert "No twilio email config details or secrets" in str(exc.value)
 
+    def test_template_found(self, test_template_response_body):
+        template_test = _get_template_id_if_exists(test_template_response_body, "fides")
+        assert template_test
+
+    def test_no_template_found(self, test_template_response_body):
+        template_test = _get_template_id_if_exists(
+            test_template_response_body, "not_fides"
+        )
+        assert template_test is None
+
 
 class TestTwilioSmsDispatcher:
     def test_dispatch_no_to(self, messaging_config_twilio_sms):

From 2d426556c78737e800e73da532b432a7443eb4ac Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Thu, 2 Mar 2023 13:01:41 +0000
Subject: [PATCH 07/16] refactor to improve test coverage

---
 .../messaging/message_dispatch_service.py     | 38 ++++++++++++++-----
 .../message_dispatch_service_test.py          | 34 ++++++++++++++++-
 2 files changed, 60 insertions(+), 12 deletions(-)

diff --git a/src/fides/api/ops/service/messaging/message_dispatch_service.py b/src/fides/api/ops/service/messaging/message_dispatch_service.py
index 375a6a6b39..9ef4900d85 100644
--- a/src/fides/api/ops/service/messaging/message_dispatch_service.py
+++ b/src/fides/api/ops/service/messaging/message_dispatch_service.py
@@ -479,16 +479,10 @@ def _twilio_email_dispatcher(
         )
         to_email = To(to.strip())
         subject = message.subject
-        if template_test:
-            mail = Mail(from_email=from_email, subject=subject)
-            mail.template_id = TemplateId(template_test)
-            personalization = Personalization()
-            personalization.dynamic_template_data = {"fides_email_body": message.body}
-            personalization.add_email(to_email)
-            mail.add_personalization(personalization)
-        else:
-            content = Content("text/html", message.body)
-            mail = Mail(from_email, to_email, subject, content)
+        mail = _compose_twilio_mail(
+            from_email, to_email, subject, message.body, template_test
+        )
+
         response = sg.client.mail.send.post(request_body=mail.get())
         if response.status_code >= 400:
             logger.error(
@@ -560,3 +554,27 @@ def _get_template_id_if_exists(
         if template["name"].lower() == template_name.lower():
             return template["id"]
     return None
+
+
+def _compose_twilio_mail(
+    from_email: Email,
+    to_email: To,
+    subject: str,
+    message_body: str,
+    template_test: Optional[str] = None,
+) -> Mail:
+    """
+    Returns the Mail object to send, if a template is passed composes the Mail
+    appropriately with the template ID and paramaterized message body.
+    """
+    if template_test:
+        mail = Mail(from_email=from_email, subject=subject)
+        mail.template_id = TemplateId(template_test)
+        personalization = Personalization()
+        personalization.dynamic_template_data = {"fides_email_body": message_body}
+        personalization.add_email(to_email)
+        mail.add_personalization(personalization)
+    else:
+        content = Content("text/html", message_body)
+        mail = Mail(from_email, to_email, subject, content)
+    return mail
diff --git a/tests/ops/service/messaging/message_dispatch_service_test.py b/tests/ops/service/messaging/message_dispatch_service_test.py
index 1a5338073d..4022e12979 100644
--- a/tests/ops/service/messaging/message_dispatch_service_test.py
+++ b/tests/ops/service/messaging/message_dispatch_service_test.py
@@ -3,6 +3,7 @@
 
 import pytest
 import requests_mock
+from sendgrid.helpers.mail import Email, To
 from sqlalchemy.orm import Session
 
 from fides.api.ops.common_exceptions import MessageDispatchException
@@ -24,6 +25,8 @@
 from fides.api.ops.schemas.privacy_request import Consent
 from fides.api.ops.schemas.redis_cache import Identity
 from fides.api.ops.service.messaging.message_dispatch_service import (
+    EMAIL_TEMPLATE_NAME,
+    _compose_twilio_mail,
     _get_dispatcher_from_config_type,
     _get_template_id_if_exists,
     _twilio_email_dispatcher,
@@ -59,6 +62,11 @@ def test_template_response_body():
     }
 
 
+@pytest.fixture
+def test_message_body():
+    yield "This is a test DSR message body"
+
+
 @pytest.mark.unit
 class TestMessageDispatchService:
     @mock.patch(
@@ -457,15 +465,37 @@ def test_dispatch_no_secrets(self, messaging_config_twilio_email):
         assert "No twilio email config details or secrets" in str(exc.value)
 
     def test_template_found(self, test_template_response_body):
-        template_test = _get_template_id_if_exists(test_template_response_body, "fides")
+        template_test = _get_template_id_if_exists(
+            test_template_response_body, EMAIL_TEMPLATE_NAME
+        )
         assert template_test
 
     def test_no_template_found(self, test_template_response_body):
         template_test = _get_template_id_if_exists(
-            test_template_response_body, "not_fides"
+            test_template_response_body, f"not_{EMAIL_TEMPLATE_NAME}"
         )
         assert template_test is None
 
+    def test_templated_mail(self, test_message_body):
+        mail = _compose_twilio_mail(
+            Email("test@test.com"),
+            To("test@test.com"),
+            "Test DSR EMail",
+            test_message_body,
+            "test_template",
+        )
+        assert "template_id" in mail.get()
+
+    def test_non_templated_mail(self, test_message_body):
+        mail = _compose_twilio_mail(
+            Email("test@test.com"),
+            To("test@test.com"),
+            "Test DSR EMail",
+            test_message_body,
+            template_test=None,
+        )
+        assert "template_id" not in mail.get()
+
 
 class TestTwilioSmsDispatcher:
     def test_dispatch_no_to(self, messaging_config_twilio_sms):

From ae296e75d9a16b7e252e61aa0322fa61494d7688 Mon Sep 17 00:00:00 2001
From: Steve Murphy <steven.d.murphy@gmail.com>
Date: Thu, 23 Feb 2023 21:43:30 +0000
Subject: [PATCH 08/16] include feature flag check in helper (#2675)

---
 CHANGELOG.md                                     | 10 +++++++---
 clients/admin-ui/src/features/dataset/helpers.ts |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff4f6cc762..91d268f769 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,12 +16,16 @@ The types of changes are:
 
 ## [Unreleased](https://github.com/ethyca/fides/compare/2.7.0...main)
 
+### Fixed
+
+* Fix error with the classify dataset feature flag not writing the dataset to the server [#2675](https://github.com/ethyca/fides/pull/2675)
+
 ## [2.7.0](https://github.com/ethyca/fides/compare/2.6.6...2.7.0)
 
 * Fides API
   * Access and erasure support for Braintree [#2223](https://github.com/ethyca/fides/pull/2223)
   * Added route to send a test message [#2585](https://github.com/ethyca/fides/pull/2585)
-  
+
 * Admin UI
   * Custom Metadata [#2536](https://github.com/ethyca/fides/pull/2536)
     * Create Custom Lists
@@ -133,7 +137,7 @@ The types of changes are:
   * Patch Google Analytics Consent Connector to delete by client_id [#2355](https://github.com/ethyca/fides/pull/2355)
   * Add a "skip_param_values option" to optionally skip when we are missing param values in the body [#2384](https://github.com/ethyca/fides/pull/2384)
   * Adds a new Universal Analytics Connector that works with the UA Tracking Id
-  
+
 ### Changed
 
 * Unified Fides Resources
@@ -154,7 +158,7 @@ The types of changes are:
 
 ### Developer Experience
 
-* `nox -s test_env` has been replaced with `nox -s "fides_env(dev)"` 
+* `nox -s test_env` has been replaced with `nox -s "fides_env(dev)"`
 * New command `nox -s "fides_env(test)"` creates a complete test environment with seed data (similar to `fides_env(dev)`) but with the production fides image so the built UI can be accessed at `localhost:8080` [#2399](https://github.com/ethyca/fides/pull/2399)
 * Change from code climate to codecov for coverage reporting [#2402](https://github.com/ethyca/fides/pull/2402)
 
diff --git a/clients/admin-ui/src/features/dataset/helpers.ts b/clients/admin-ui/src/features/dataset/helpers.ts
index 87ed21f558..a7b0096091 100644
--- a/clients/admin-ui/src/features/dataset/helpers.ts
+++ b/clients/admin-ui/src/features/dataset/helpers.ts
@@ -98,7 +98,7 @@ export const getUpdatedDatasetFromClassifyDataset = (
         draftCollection.name
       );
 
-      if (classifyCollection?.name !== activeCollection) {
+      if (activeCollection && classifyCollection?.name !== activeCollection) {
         return;
       }
 

From c86b56184344892ea70371a65ad18467a8e70ce1 Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Thu, 2 Mar 2023 16:46:22 +0000
Subject: [PATCH 09/16] ready changelog for 2.7.1

---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 91d268f769..5e698ea1b0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,9 @@ The types of changes are:
 * `Fixed` for any bug fixes.
 * `Security` in case of vulnerabilities.
 
-## [Unreleased](https://github.com/ethyca/fides/compare/2.7.0...main)
+## [Unreleased](https://github.com/ethyca/fides/compare/2.7.1...main)
+
+## [2.7.1](https://github.com/ethyca/fides/compare/2.7.0...2.7.1)
 
 ### Fixed
 

From 87370f44dc6c256015841b58e08b784bfe7738a4 Mon Sep 17 00:00:00 2001
From: Dawn Pattison <pattisdr@users.noreply.github.com>
Date: Thu, 2 Mar 2023 16:39:27 -0600
Subject: [PATCH 10/16] Consent Privacy Request Status when Identity
 Verification Required (#2736)

---
 CHANGELOG.md                                  |  1 +
 .../api/ops/api/v1/endpoints/drp_endpoints.py |  5 +-
 .../v1/endpoints/privacy_request_endpoints.py |  1 +
 .../privacy_request/request_runner_service.py |  3 +-
 .../privacy_request/request_service.py        |  3 +-
 tests/fixtures/saas/vend_fixtures.py          | 20 +++----
 .../test_consent_request_endpoints.py         | 58 +++++++++++++++++++
 .../test_privacy_request_endpoints.py         |  2 -
 .../request_runner_service_test.py            |  2 +-
 .../privacy_request/test_request_service.py   | 42 +++++++++++++-
 10 files changed, 120 insertions(+), 17 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 26c8ad03d0..561feb5755 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,6 +58,7 @@ The types of changes are:
 * Allow string dates to stay strings in cache decoding [#2695](https://github.com/ethyca/fides/pull/2695)
 * Admin UI
   * Remove Identifiability (Data Qualifier) from taxonomy editor [2684](https://github.com/ethyca/fides/pull/2684)
+* Fix Privacy Request Status when submitting a consent request when identity verification is required [#2736](https://github.com/ethyca/fides/pull/2736)
 
 ## [2.7.0](https://github.com/ethyca/fides/compare/2.6.6...2.7.0)
 
diff --git a/src/fides/api/ops/api/v1/endpoints/drp_endpoints.py b/src/fides/api/ops/api/v1/endpoints/drp_endpoints.py
index b10ed55cdf..d8056ac73c 100644
--- a/src/fides/api/ops/api/v1/endpoints/drp_endpoints.py
+++ b/src/fides/api/ops/api/v1/endpoints/drp_endpoints.py
@@ -93,7 +93,10 @@ async def create_drp_privacy_request(
         )
 
     privacy_request_kwargs: Dict[str, Any] = build_required_privacy_request_kwargs(
-        None, policy.id, config_proxy.execution.subject_identity_verification_required
+        None,
+        policy.id,
+        config_proxy.execution.subject_identity_verification_required,
+        authenticated=False,
     )
 
     try:
diff --git a/src/fides/api/ops/api/v1/endpoints/privacy_request_endpoints.py b/src/fides/api/ops/api/v1/endpoints/privacy_request_endpoints.py
index a447d76942..926ee13f42 100644
--- a/src/fides/api/ops/api/v1/endpoints/privacy_request_endpoints.py
+++ b/src/fides/api/ops/api/v1/endpoints/privacy_request_endpoints.py
@@ -1633,6 +1633,7 @@ def create_privacy_request_func(
             privacy_request_data.requested_at,
             policy.id,
             config_proxy.execution.subject_identity_verification_required,
+            authenticated,
         )
         for field in optional_fields:
             attr = getattr(privacy_request_data, field)
diff --git a/src/fides/api/ops/service/privacy_request/request_runner_service.py b/src/fides/api/ops/service/privacy_request/request_runner_service.py
index 0f71656f04..cd6836ce52 100644
--- a/src/fides/api/ops/service/privacy_request/request_runner_service.py
+++ b/src/fides/api/ops/service/privacy_request/request_runner_service.py
@@ -554,7 +554,8 @@ def initiate_privacy_request_completion_email(
             service_type=config_proxy.notifications.notification_service_type,
             message_body_params=AccessRequestCompleteBodyParams(
                 download_links=access_result_urls,
-                subject_request_download_time_in_days=CONFIG.security.subject_request_download_link_ttl_seconds / 86400,
+                subject_request_download_time_in_days=CONFIG.security.subject_request_download_link_ttl_seconds
+                / 86400,
             ),
         )
     if policy.get_rules_for_action(action_type=ActionType.erasure):
diff --git a/src/fides/api/ops/service/privacy_request/request_service.py b/src/fides/api/ops/service/privacy_request/request_service.py
index 7022c33e41..cda7885776 100644
--- a/src/fides/api/ops/service/privacy_request/request_service.py
+++ b/src/fides/api/ops/service/privacy_request/request_service.py
@@ -22,6 +22,7 @@ def build_required_privacy_request_kwargs(
     requested_at: Optional[datetime],
     policy_id: str,
     verification_required: bool,
+    authenticated: bool,
 ) -> Dict[str, Any]:
     """Build kwargs required for creating privacy request
 
@@ -30,7 +31,7 @@ def build_required_privacy_request_kwargs(
     """
     status = (
         PrivacyRequestStatus.identity_unverified
-        if verification_required
+        if verification_required and not authenticated
         else PrivacyRequestStatus.pending
     )
     return {
diff --git a/tests/fixtures/saas/vend_fixtures.py b/tests/fixtures/saas/vend_fixtures.py
index 00c30409cc..556b3077ad 100644
--- a/tests/fixtures/saas/vend_fixtures.py
+++ b/tests/fixtures/saas/vend_fixtures.py
@@ -27,15 +27,13 @@
 def vend_secrets(saas_config):
     return {
         "domain": pydash.get(saas_config, "vend.domain") or secrets["domain"],
-        "token": pydash.get(saas_config, "vend.token") or secrets["token"]
+        "token": pydash.get(saas_config, "vend.token") or secrets["token"],
     }
 
 
 @pytest.fixture(scope="session")
 def vend_identity_email(saas_config):
-    return (
-        pydash.get(saas_config, "vend.identity_email") or secrets["identity_email"]
-    )
+    return pydash.get(saas_config, "vend.identity_email") or secrets["identity_email"]
 
 
 @pytest.fixture(scope="function")
@@ -60,10 +58,9 @@ def vend_dataset() -> Dict[str, Any]:
         "vend_instance",
     )[0]
 
+
 @pytest.fixture(scope="function")
-def vend_connection_config(
-    db: Session, vend_config, vend_secrets
-) -> Generator:
+def vend_connection_config(db: Session, vend_config, vend_secrets) -> Generator:
     fides_key = vend_config["fides_key"]
     connection_config = ConnectionConfig.create(
         db=db,
@@ -79,6 +76,7 @@ def vend_connection_config(
     yield connection_config
     connection_config.delete(db)
 
+
 @pytest.fixture
 def vend_dataset_config(
     db: Session,
@@ -121,13 +119,15 @@ def vend_create_erasure_data(
         "first_name": "Ethyca",
         "last_name": "Test Erasure",
         "email": vend_erasure_identity_email,
-        "do_not_email": "true"
+        "do_not_email": "true",
     }
 
-    customers_response = requests.post(url=f"{base_url}/api/2.0/customers", headers=headers, json=body)
+    customers_response = requests.post(
+        url=f"{base_url}/api/2.0/customers", headers=headers, json=body
+    )
     customer = customers_response.json()
 
-    # there is no endpoint to create a sale so we cannot test it 
+    # there is no endpoint to create a sale so we cannot test it
     sleep(60)
 
     yield customer
diff --git a/tests/ops/api/v1/endpoints/test_consent_request_endpoints.py b/tests/ops/api/v1/endpoints/test_consent_request_endpoints.py
index 0e18cfd03c..094918993b 100644
--- a/tests/ops/api/v1/endpoints/test_consent_request_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_consent_request_endpoints.py
@@ -20,6 +20,7 @@
 from fides.api.ops.models.privacy_request import (
     Consent,
     ConsentRequest,
+    PrivacyRequestStatus,
     ProvidedIdentity,
 )
 from fides.api.ops.schemas.messaging.messaging import MessagingServiceType
@@ -808,6 +809,63 @@ def test_set_consent_consent_preferences(
 
         assert mock_run_privacy_request.called
 
+    @pytest.mark.usefixtures(
+        "subject_identity_verification_required", "require_manual_request_approval"
+    )
+    @patch("fides.api.ops.models.privacy_request.ConsentRequest.verify_identity")
+    @mock.patch(
+        "fides.api.ops.service.privacy_request.request_runner_service.run_privacy_request.delay"
+    )
+    def test_set_consent_preferences_privacy_request_pending_when_id_verification_required(
+        self,
+        mock_run_privacy_request: MagicMock,
+        mock_verify_identity: MagicMock,
+        provided_identity_and_consent_request,
+        db,
+        api_client,
+        verification_code,
+        consent_policy,
+    ):
+        provided_identity, consent_request = provided_identity_and_consent_request
+        consent_request.cache_identity_verification_code(verification_code)
+
+        consent_data: list[dict[str, Any]] = [
+            {
+                "data_use": "advertising",
+                "data_use_description": None,
+                "opt_in": True,
+                "has_gpc_flag": True,
+                "conflicts_with_gpc": False,
+            }
+        ]
+
+        for data in deepcopy(consent_data):
+            data["provided_identity_id"] = provided_identity.id
+            Consent.create(db, data=data)
+
+        data = {
+            "code": verification_code,
+            "identity": {"email": "test@email.com"},
+            "consent": consent_data,
+            "policy_key": consent_policy.key,  # Optional policy_key supplied,
+            "executable_options": [
+                {"data_use": "advertising", "executable": True},
+                {"data_use": "improve", "executable": False},
+            ],
+            "browser_identity": {"ga_client_id": "test_ga_client_id"},
+        }
+        response = api_client.patch(
+            f"{V1_URL_PREFIX}{CONSENT_REQUEST_PREFERENCES_WITH_ID.format(consent_request_id=consent_request.id)}",
+            json=data,
+        )
+
+        assert response.status_code == 200
+
+        mock_verify_identity.assert_called_with(verification_code)
+        db.refresh(consent_request)
+        assert consent_request.privacy_request.status == PrivacyRequestStatus.pending
+        assert not mock_run_privacy_request.called
+
     @patch("fides.api.ops.models.privacy_request.ConsentRequest.verify_identity")
     def test_set_consent_consent_preferences_without_verification(
         self,
diff --git a/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py b/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py
index 6a2520f08a..bec5b99f2c 100644
--- a/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py
@@ -77,8 +77,6 @@
 from fides.api.ops.schemas.policy import PolicyResponse
 from fides.api.ops.schemas.redis_cache import Identity
 from fides.api.ops.task import graph_task
-from fides.api.ops.task.graph_task import run_access_request
-from fides.api.ops.task.task_resources import TaskResources
 from fides.api.ops.tasks import MESSAGING_QUEUE_NAME
 from fides.api.ops.util.cache import (
     get_encryption_cache_key,
diff --git a/tests/ops/service/privacy_request/request_runner_service_test.py b/tests/ops/service/privacy_request/request_runner_service_test.py
index 1b8184599f..94a2e23a89 100644
--- a/tests/ops/service/privacy_request/request_runner_service_test.py
+++ b/tests/ops/service/privacy_request/request_runner_service_test.py
@@ -1986,7 +1986,7 @@ def test_email_complete_send_access_and_erasure(
                     service_type=MessagingServiceType.MAILGUN.value,
                     message_body_params=AccessRequestCompleteBodyParams(
                         subject_request_download_time_in_days=download_time_in_days,
-                        download_links=[upload_mock.return_value]
+                        download_links=[upload_mock.return_value],
                     ),
                 ),
                 call(
diff --git a/tests/ops/service/privacy_request/test_request_service.py b/tests/ops/service/privacy_request/test_request_service.py
index 991cbe9631..a958f9e963 100644
--- a/tests/ops/service/privacy_request/test_request_service.py
+++ b/tests/ops/service/privacy_request/test_request_service.py
@@ -1,10 +1,13 @@
+from datetime import datetime
+
 import pytest
 from httpx import HTTPStatusError
 
 from fides.api.ctl.database.seed import create_or_update_parent_user
 from fides.api.ops.api.v1.urn_registry import LOGIN, V1_URL_PREFIX
-from fides.api.ops.models.privacy_request import PrivacyRequest
+from fides.api.ops.models.privacy_request import PrivacyRequest, PrivacyRequestStatus
 from fides.api.ops.service.privacy_request.request_service import (
+    build_required_privacy_request_kwargs,
     poll_server_for_completion,
 )
 from fides.core.config import CONFIG
@@ -108,3 +111,40 @@ async def test_poll_server_for_completion_non_200(async_api_client, db, policy):
             client=async_api_client,
             poll_interval_seconds=1,
         )
+
+
+class TestBuildPrivacyRequestRequiredKwargs:
+    def test_build_required_privacy_request_kwargs_authenticated(self):
+        resp = build_required_privacy_request_kwargs(
+            requested_at=datetime.now(),
+            policy_id="test_id",
+            verification_required=True,
+            authenticated=True,
+        )
+        assert resp["requested_at"] is not None
+        assert resp["policy_id"] == "test_id"
+        assert resp["status"] == PrivacyRequestStatus.pending
+
+    def test_build_required_privacy_request_kwargs_not_authenticated(self):
+        resp = build_required_privacy_request_kwargs(
+            requested_at=datetime.now(),
+            policy_id="test_id",
+            verification_required=True,
+            authenticated=False,
+        )
+        assert resp["requested_at"] is not None
+        assert resp["policy_id"] == "test_id"
+        assert resp["status"] == PrivacyRequestStatus.identity_unverified
+
+    def test_build_required_privacy_request_kwargs_identity_verification_not_required(
+        self,
+    ):
+        resp = build_required_privacy_request_kwargs(
+            requested_at=datetime.now(),
+            policy_id="test_id",
+            verification_required=False,
+            authenticated=False,
+        )
+        assert resp["requested_at"] is not None
+        assert resp["policy_id"] == "test_id"
+        assert resp["status"] == PrivacyRequestStatus.pending

From 35186dd32ecd16bb4237d71c78bcfa77a19dc3ba Mon Sep 17 00:00:00 2001
From: Allison King <allison@ethyca.com>
Date: Fri, 3 Mar 2023 10:45:25 -0500
Subject: [PATCH 11/16] Access controls UI spike (#2682)

---
 CHANGELOG.md                                  |   1 +
 clients/admin-ui/cypress/e2e/home.cy.ts       |  68 ++++++++
 clients/admin-ui/cypress/e2e/routes.cy.ts     |  56 ++++++
 .../fixtures/scopes/roles-to-scopes.json      | 136 +++++++++++++++
 .../fixtures/user-management/permissions.json |  76 ++++++--
 clients/admin-ui/cypress/support/commands.ts  |  23 ++-
 .../src/features/auth/ProtectedRoute.tsx      |  30 +++-
 .../admin-ui/src/features/auth/auth.slice.ts  |  15 +-
 .../features/common/CommonSubscriptions.tsx   |   3 +
 .../admin-ui/src/features/common/Restrict.tsx |  31 ++++
 .../src/features/common/nav/v2/hooks.ts       |   6 +-
 .../features/common/nav/v2/nav-config.test.ts | 154 +++++++++++++++-
 .../src/features/common/nav/v2/nav-config.ts  | 156 +++++++++++++++--
 .../datastore-connections/ConnectionGrid.tsx  |   1 +
 .../ConnectionsEmptyState.tsx                 |   1 +
 .../PrivacyRequestsContainer.tsx              |   2 +-
 .../features/user-management/EditUserForm.tsx |  24 +--
 .../user-management/PasswordManagement.tsx    |  17 +-
 .../user-management/user-management.slice.ts  |  34 +++-
 clients/admin-ui/src/home/HomeContent.tsx     | 165 ++++++++----------
 clients/admin-ui/src/home/constants.ts        |  60 ++++---
 clients/admin-ui/src/home/tile-config.test.ts | 149 ++++++++++++++++
 clients/admin-ui/src/home/tile-config.ts      |  44 +++++
 clients/admin-ui/src/home/types.ts            |  17 +-
 clients/admin-ui/src/types/api/index.ts       |   2 +
 .../src/types/api/models/RoleRegistry.ts      |  13 ++
 .../src/types/api/models/ScopeRegistry.ts     |  81 +++++++++
 .../types/api/models/UserPermissionsCreate.ts |   8 +-
 .../types/api/models/UserPermissionsEdit.ts   |   9 +-
 .../api/models/UserPermissionsResponse.ts     |   7 +-
 .../ops/api/v1/endpoints/oauth_endpoints.py   |   3 +-
 src/fides/api/ops/api/v1/scope_registry.py    |   7 +
 32 files changed, 1189 insertions(+), 210 deletions(-)
 create mode 100644 clients/admin-ui/cypress/e2e/home.cy.ts
 create mode 100644 clients/admin-ui/cypress/e2e/routes.cy.ts
 create mode 100644 clients/admin-ui/cypress/fixtures/scopes/roles-to-scopes.json
 create mode 100644 clients/admin-ui/src/features/common/Restrict.tsx
 create mode 100644 clients/admin-ui/src/home/tile-config.test.ts
 create mode 100644 clients/admin-ui/src/home/tile-config.ts
 create mode 100644 clients/admin-ui/src/types/api/models/RoleRegistry.ts
 create mode 100644 clients/admin-ui/src/types/api/models/ScopeRegistry.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d237d4c93..004c27f66b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ The types of changes are:
   * Add flow for selecting system types when manually creating a system [#2530](https://github.com/ethyca/fides/pull/2530)
   * Updated forms for privacy declarations [#2648](https://github.com/ethyca/fides/pull/2648)
   * Delete flow for privacy declarations [#2664](https://github.com/ethyca/fides/pull/2664)
+  * Add framework to have UI elements respect the user's scopes [#2682](https://github.com/ethyca/fides/pull/2682)
   * "Manual Webhook" has been renamed to "Manual Process". [#2717](https://github.com/ethyca/fides/pull/2717)
 * Convert all config values to Pydantic `Field` objects [#2613](https://github.com/ethyca/fides/pull/2613)
 * Add warning to 'fides deploy' when installed outside of a virtual environment [#2641](https://github.com/ethyca/fides/pull/2641)
diff --git a/clients/admin-ui/cypress/e2e/home.cy.ts b/clients/admin-ui/cypress/e2e/home.cy.ts
new file mode 100644
index 0000000000..82e57dfc89
--- /dev/null
+++ b/clients/admin-ui/cypress/e2e/home.cy.ts
@@ -0,0 +1,68 @@
+import { stubPlus } from "cypress/support/stubs";
+
+import { RoleRegistry } from "~/types/api";
+
+const ALL_TILES = [
+  "View data map",
+  "Add systems",
+  "View systems",
+  "Configure privacy requests",
+  "Review privacy requests",
+];
+
+const verifyExpectedTiles = (expectedTiles: string[]) => {
+  expectedTiles.forEach((tile) => {
+    cy.getByTestId(`tile-${tile}`);
+  });
+  const remainingTiles = ALL_TILES.filter((t) => !expectedTiles.includes(t));
+  remainingTiles.forEach((item) => {
+    cy.getByTestId(`tile-${item}`).should("not.exist");
+  });
+};
+
+describe("Home page", () => {
+  beforeEach(() => {
+    cy.login();
+  });
+
+  describe("permissions", () => {
+    beforeEach(() => {
+      // For these tests, let's say we always have systems and connectors
+      cy.intercept("GET", "/api/v1/system", {
+        fixture: "systems/systems.json",
+      }).as("getSystems");
+      cy.intercept("GET", "/api/v1/connection*", {
+        fixture: "connectors/list.json",
+      }).as("getConnectors");
+      stubPlus(true);
+    });
+
+    it("renders all tiles when all scopes are available", () => {
+      cy.assumeRole(RoleRegistry.ADMIN);
+      cy.visit("/");
+      verifyExpectedTiles(ALL_TILES);
+    });
+
+    it("renders viewer only tiles", () => {
+      cy.assumeRole(RoleRegistry.VIEWER);
+      cy.visit("/");
+      verifyExpectedTiles(["View data map", "View systems"]);
+    });
+
+    it("renders privacy request manager tiles", () => {
+      cy.assumeRole(RoleRegistry.PRIVACY_REQUEST_MANAGER);
+      cy.visit("/");
+      verifyExpectedTiles(["Review privacy requests"]);
+    });
+
+    it("renders privacy request manager + viewer tiles", () => {
+      cy.assumeRole(RoleRegistry.VIEWER_AND_PRIVACY_REQUEST_MANAGER);
+      cy.visit("/");
+      verifyExpectedTiles([
+        "View data map",
+        "View systems",
+        "Review privacy requests",
+      ]);
+    });
+  });
+});
diff --git a/clients/admin-ui/cypress/e2e/routes.cy.ts b/clients/admin-ui/cypress/e2e/routes.cy.ts
new file mode 100644
index 0000000000..e0fc3c97ab
--- /dev/null
+++ b/clients/admin-ui/cypress/e2e/routes.cy.ts
@@ -0,0 +1,56 @@
+import { stubPlus } from "cypress/support/stubs";
+
+import { RoleRegistry } from "~/types/api";
+
+describe("Routes", () => {
+  beforeEach(() => {
+    cy.login();
+  });
+
+  describe("permissions", () => {
+    beforeEach(() => {
+      // For these tests, let's say we always have systems and connectors
+      cy.intercept("GET", "/api/v1/system", {
+        fixture: "systems/systems.json",
+      }).as("getSystems");
+      cy.intercept("GET", "/api/v1/connection*", {
+        fixture: "connectors/list.json",
+      }).as("getConnectors");
+      stubPlus(true);
+    });
+
+    it("admins can access many routes", () => {
+      cy.assumeRole(RoleRegistry.ADMIN);
+      cy.visit("/");
+      cy.visit("/add-systems");
+      cy.wait("@getSystems");
+      cy.getByTestId("add-systems");
+      cy.visit("/privacy-requests");
+      cy.getByTestId("privacy-requests");
+      cy.visit("/datastore-connection");
+      cy.wait("@getConnectors");
+      cy.getByTestId("connection-grid");
+    });
+
+    it("viewers and/or approvers can only access limited routes", () => {
+      [
+        RoleRegistry.VIEWER,
+        RoleRegistry.PRIVACY_REQUEST_MANAGER,
+        RoleRegistry.VIEWER_AND_PRIVACY_REQUEST_MANAGER,
+      ].forEach((role) => {
+        cy.assumeRole(role);
+        // cannot access /add-systems
+        cy.visit("/add-systems");
+        cy.getByTestId("add-systems").should("not.exist");
+        cy.getByTestId("home-content");
+        // cannot access /datastore-connection
+        cy.visit("/datastore-connection");
+        cy.getByTestId("connection-grid").should("not.exist");
+        cy.getByTestId("home-content");
+        // can access /privacy-requests
+        cy.visit("/privacy-requests");
+        cy.getByTestId("privacy-requests");
+      });
+    });
+  });
+});
diff --git a/clients/admin-ui/cypress/fixtures/scopes/roles-to-scopes.json b/clients/admin-ui/cypress/fixtures/scopes/roles-to-scopes.json
new file mode 100644
index 0000000000..9be051212e
--- /dev/null
+++ b/clients/admin-ui/cypress/fixtures/scopes/roles-to-scopes.json
@@ -0,0 +1,136 @@
+{
+  "admin": [
+    "cli-objects:create",
+    "cli-objects:delete",
+    "cli-objects:read",
+    "cli-objects:update",
+    "client:create",
+    "client:delete",
+    "client:read",
+    "client:update",
+    "config:read",
+    "config:update",
+    "connection:authorize",
+    "connection:create_or_update",
+    "connection:delete",
+    "connection:instantiate",
+    "connection:read",
+    "connection_type:read",
+    "consent:read",
+    "database:reset",
+    "datamap:read",
+    "dataset:create_or_update",
+    "dataset:delete",
+    "dataset:read",
+    "encryption:exec",
+    "fides_taxonomy:update",
+    "generate:exec",
+    "messaging:create_or_update",
+    "messaging:delete",
+    "messaging:read",
+    "organization:create",
+    "organization:delete",
+    "organization:update",
+    "policy:create_or_update",
+    "policy:delete",
+    "policy:read",
+    "privacy-request-notifications:create_or_update",
+    "privacy-request-notifications:read",
+    "privacy-request:create",
+    "privacy-request:delete",
+    "privacy-request:read",
+    "privacy-request:resume",
+    "privacy-request:review",
+    "privacy-request:transfer",
+    "privacy-request:upload_data",
+    "privacy-request:view_data",
+    "rule:create_or_update",
+    "rule:delete",
+    "rule:read",
+    "saas_config:create_or_update",
+    "saas_config:delete",
+    "saas_config:read",
+    "scope:read",
+    "storage:create_or_update",
+    "storage:delete",
+    "storage:read",
+    "system:create",
+    "system:delete",
+    "system:update",
+    "taxonomy:create",
+    "taxonomy:delete",
+    "taxonomy:update",
+    "user-permission:create",
+    "user-permission:read",
+    "user-permission:update",
+    "user:create",
+    "user:delete",
+    "user:password-reset",
+    "user:read",
+    "user:update",
+    "validate:exec",
+    "webhook:create_or_update",
+    "webhook:delete",
+    "webhook:read"
+  ],
+  "viewer_and_privacy_request_manager": [
+    "cli-objects:read",
+    "client:read",
+    "config:read",
+    "connection:read",
+    "connection_type:read",
+    "consent:read",
+    "datamap:read",
+    "dataset:read",
+    "messaging:read",
+    "policy:read",
+    "privacy-request-notifications:create_or_update",
+    "privacy-request-notifications:read",
+    "privacy-request:create",
+    "privacy-request:delete",
+    "privacy-request:read",
+    "privacy-request:resume",
+    "privacy-request:review",
+    "privacy-request:transfer",
+    "privacy-request:upload_data",
+    "privacy-request:view_data",
+    "rule:read",
+    "saas_config:read",
+    "scope:read",
+    "storage:read",
+    "user:read",
+    "webhook:read"
+  ],
+  "viewer": [
+    "cli-objects:read",
+    "client:read",
+    "config:read",
+    "connection:read",
+    "connection_type:read",
+    "consent:read",
+    "datamap:read",
+    "dataset:read",
+    "messaging:read",
+    "policy:read",
+    "privacy-request-notifications:read",
+    "privacy-request:read",
+    "rule:read",
+    "saas_config:read",
+    "scope:read",
+    "storage:read",
+    "user:read",
+    "webhook:read"
+  ],
+  "privacy_request_manager": [
+    "privacy-request-notifications:create_or_update",
+    "privacy-request-notifications:read",
+    "privacy-request:create",
+    "privacy-request:delete",
+    "privacy-request:read",
+    "privacy-request:resume",
+    "privacy-request:review",
+    "privacy-request:transfer",
+    "privacy-request:upload_data",
+    "privacy-request:view_data"
+  ]
+}
diff --git a/clients/admin-ui/cypress/fixtures/user-management/permissions.json b/clients/admin-ui/cypress/fixtures/user-management/permissions.json
index bfe767ef9c..2af6462532 100644
--- a/clients/admin-ui/cypress/fixtures/user-management/permissions.json
+++ b/clients/admin-ui/cypress/fixtures/user-management/permissions.json
@@ -1,33 +1,79 @@
 {
   "scopes": [
-    "privacy-request:read",
-    "privacy-request:review",
-    "privacy-request:resume",
-    "connection:read",
+    "config:read",
+    "config:update",
+    "cli-objects:create",
+    "cli-objects:read",
+    "cli-objects:update",
+    "cli-objects:delete",
+    "client:create",
+    "client:delete",
+    "client:read",
+    "client:update",
     "connection:create_or_update",
-    "connection:instantiate",
-    "connection_type:read",
     "connection:delete",
+    "connection:read",
+    "connection:authorize",
+    "connection_type:read",
     "consent:read",
-    "dataset:read",
+    "database:reset",
+    "datamap:read",
     "dataset:create_or_update",
     "dataset:delete",
-    "policy:read",
+    "dataset:read",
+    "encryption:exec",
+    "fides_taxonomy:update",
+    "generate:exec",
+    "messaging:create_or_update",
+    "messaging:delete",
+    "messaging:read",
+    "organization:create",
+    "organization:delete",
+    "organization:update",
     "policy:create_or_update",
-    "user:read",
+    "policy:delete",
+    "policy:read",
+    "privacy-request:create",
+    "privacy-request:resume",
+    "privacy-request:delete",
+    "privacy-request-notifications:create_or_update",
+    "privacy-request-notifications:read",
+    "privacy-request:read",
+    "privacy-request:review",
+    "privacy-request:transfer",
+    "privacy-request:upload_data",
+    "privacy-request:view_data",
+    "rule:create_or_update",
+    "rule:delete",
+    "rule:read",
+    "saas_config:create_or_update",
+    "saas_config:delete",
+    "saas_config:read",
+    "connection:instantiate",
+    "scope:read",
+    "storage:create_or_update",
+    "storage:delete",
+    "storage:read",
+    "system:create",
+    "system:delete",
+    "system:update",
+    "taxonomy:create",
+    "taxonomy:delete",
+    "taxonomy:update",
     "user:create",
     "user:update",
     "user:delete",
+    "user:read",
     "user:password-reset",
     "user-permission:create",
     "user-permission:update",
     "user-permission:read",
-    "privacy-request:upload_data",
-    "privacy-request:view_data",
+    "validate:exec",
     "webhook:create_or_update",
-    "webhook:read",
-    "webhook:delete"
+    "webhook:delete",
+    "webhook:read"
   ],
-  "id": "123",
-  "user_id": "123"
+  "roles": ["admin"],
+  "id": "fidesadmin",
+  "user_id": "fidesadmin"
 }
diff --git a/clients/admin-ui/cypress/support/commands.ts b/clients/admin-ui/cypress/support/commands.ts
index 68f2472e7a..42fda03db5 100644
--- a/clients/admin-ui/cypress/support/commands.ts
+++ b/clients/admin-ui/cypress/support/commands.ts
@@ -1,6 +1,7 @@
 /// <reference types="cypress" />
 
-import { STORAGE_ROOT_KEY, USER_PRIVILEGES } from "~/constants";
+import { STORAGE_ROOT_KEY } from "~/constants";
+import { RoleRegistry, ScopeRegistry } from "~/types/api";
 
 Cypress.Commands.add("getByTestId", (selector, options) =>
   cy.get(`[data-testid='${selector}']`, options)
@@ -26,11 +27,20 @@ Cypress.Commands.add("login", () => {
         })
       );
     });
+    cy.intercept("/api/v1/user/*/permission", {
+      fixture: "user-management/permissions.json",
+    }).as("getUserPermission");
+  });
+});
+
+Cypress.Commands.add("assumeRole", (role) => {
+  cy.fixture("scopes/roles-to-scopes.json").then((mapping) => {
+    const scopes: ScopeRegistry[] = mapping[role];
     cy.intercept("/api/v1/user/*/permission", {
       body: {
-        id: body.user_data.id,
-        user_id: body.user_data.id,
-        scopes: USER_PRIVILEGES.map((up) => up.scope),
+        id: 123,
+        user_id: 123,
+        scopes,
       },
     }).as("getUserPermission");
   });
@@ -70,6 +80,11 @@ declare global {
        * Programmatically login with a mock user
        */
       login(): void;
+      /**
+       * Stub a user with the scopes associated with a role
+       * @example cy.assumeRole(RoleRegistry.ADMIN)
+       */
+      assumeRole(role: RoleRegistry): void;
     }
   }
 }
diff --git a/clients/admin-ui/src/features/auth/ProtectedRoute.tsx b/clients/admin-ui/src/features/auth/ProtectedRoute.tsx
index e319abc0b9..b234fa5418 100644
--- a/clients/admin-ui/src/features/auth/ProtectedRoute.tsx
+++ b/clients/admin-ui/src/features/auth/ProtectedRoute.tsx
@@ -3,7 +3,9 @@ import { ReactNode } from "react";
 import { useDispatch, useSelector } from "react-redux";
 
 import { LOGIN_ROUTE, VERIFY_AUTH_INTERVAL } from "~/constants";
+import { canAccessRoute } from "~/features/common/nav/v2/nav-config";
 import { useGetUserPermissionsQuery } from "~/features/user-management";
+import { ScopeRegistry } from "~/types/api";
 
 import { logout, selectToken, selectUser } from "./auth.slice";
 
@@ -23,10 +25,27 @@ const useProtectedRoute = (redirectUrl: string) => {
     if (typeof window !== "undefined") {
       router.push(redirectUrl);
     }
-    return false;
+    return { authenticated: false, hasAccess: false };
   }
 
-  return permissionsQuery.isSuccess;
+  const path = router.pathname;
+  const userScopes = permissionsQuery.data
+    ? (permissionsQuery.data.scopes as ScopeRegistry[])
+    : [];
+
+  const hasAccess = canAccessRoute({ path, userScopes });
+  if (
+    !hasAccess &&
+    permissionsQuery.isSuccess &&
+    typeof window !== "undefined"
+  ) {
+    router.push("/");
+  }
+
+  return {
+    authenticated: permissionsQuery.isSuccess,
+    hasAccess,
+  };
 };
 
 interface ProtectedRouteProps {
@@ -38,7 +57,12 @@ const ProtectedRoute = ({
   children,
   redirectUrl = LOGIN_ROUTE,
 }: ProtectedRouteProps) => {
-  const authenticated = useProtectedRoute(redirectUrl);
+  const { authenticated, hasAccess } = useProtectedRoute(redirectUrl);
+
+  // Prevents the children from "flashing" on the screen before the hasAccess redirect
+  if (!hasAccess) {
+    return null;
+  }
 
   // Silly type error: https://github.com/DefinitelyTyped/DefinitelyTyped/issues/18051
   // eslint-disable-next-line react/jsx-no-useless-fragment
diff --git a/clients/admin-ui/src/features/auth/auth.slice.ts b/clients/admin-ui/src/features/auth/auth.slice.ts
index 97a41bc79f..97f9c6dd0d 100644
--- a/clients/admin-ui/src/features/auth/auth.slice.ts
+++ b/clients/admin-ui/src/features/auth/auth.slice.ts
@@ -6,6 +6,7 @@ import { BASE_URL } from "~/constants";
 import { addCommonHeaders } from "~/features/common/CommonHeaders";
 import { utf8ToB64 } from "~/features/common/utils";
 import { User } from "~/features/user-management/types";
+import { RoleRegistry, ScopeRegistry } from "~/types/api";
 
 import {
   LoginRequest,
@@ -53,6 +54,8 @@ export const selectToken = (state: RootState) => selectAuth(state).token;
 
 export const { login, logout } = authSlice.actions;
 
+type RoleToScopes = Record<RoleRegistry, ScopeRegistry[]>;
+
 // Auth API
 export const authApi = createApi({
   reducerPath: "authApi",
@@ -64,7 +67,7 @@ export const authApi = createApi({
       return headers;
     },
   }),
-  tagTypes: ["Auth"],
+  tagTypes: ["Auth", "Roles"],
   endpoints: (build) => ({
     login: build.mutation<LoginResponse, LoginRequest>({
       query: (credentials) => ({
@@ -81,8 +84,16 @@ export const authApi = createApi({
       }),
       invalidatesTags: () => ["Auth"],
     }),
+    getRolesToScopesMapping: build.query<RoleToScopes, void>({
+      query: () => ({ url: `oauth/role` }),
+      providesTags: ["Roles"],
+    }),
   }),
 });
 
-export const { useLoginMutation, useLogoutMutation } = authApi;
+export const {
+  useLoginMutation,
+  useLogoutMutation,
+  useGetRolesToScopesMappingQuery,
+} = authApi;
 export const { reducer } = authSlice;
diff --git a/clients/admin-ui/src/features/common/CommonSubscriptions.tsx b/clients/admin-ui/src/features/common/CommonSubscriptions.tsx
index c31fa2444c..15e815aa7b 100644
--- a/clients/admin-ui/src/features/common/CommonSubscriptions.tsx
+++ b/clients/admin-ui/src/features/common/CommonSubscriptions.tsx
@@ -1,3 +1,4 @@
+import { useAppSelector } from "~/app/hooks";
 import { useGetHealthQuery } from "~/features/common/health.slice";
 import {
   INITIAL_CONNECTIONS_FILTERS,
@@ -5,12 +6,14 @@ import {
 } from "~/features/datastore-connections/datastore-connection.slice";
 import { useGetHealthQuery as useGetPlusHealthQuery } from "~/features/plus/plus.slice";
 import { useGetAllSystemsQuery } from "~/features/system/system.slice";
+import { selectThisUsersScopes } from "~/features/user-management";
 
 const useCommonSubscriptions = () => {
   useGetHealthQuery();
   useGetPlusHealthQuery();
   useGetAllSystemsQuery();
   useGetAllDatastoreConnectionsQuery(INITIAL_CONNECTIONS_FILTERS);
+  useAppSelector(selectThisUsersScopes);
 };
 
 /**
diff --git a/clients/admin-ui/src/features/common/Restrict.tsx b/clients/admin-ui/src/features/common/Restrict.tsx
new file mode 100644
index 0000000000..4bc69a3e6c
--- /dev/null
+++ b/clients/admin-ui/src/features/common/Restrict.tsx
@@ -0,0 +1,31 @@
+import { useAppSelector } from "~/app/hooks";
+import { selectThisUsersScopes } from "~/features/user-management";
+import { ScopeRegistry } from "~/types/api";
+
+export const useHasPermission = (scopes: ScopeRegistry[]) => {
+  const userScopes = useAppSelector(selectThisUsersScopes);
+  return (
+    userScopes.filter((userScope) => scopes.includes(userScope)).length > 0
+  );
+};
+
+const Restrict = ({
+  scopes,
+  children,
+}: {
+  /**
+   * If the user has _any_ of these scopes, the children will render
+   */
+  scopes: ScopeRegistry[];
+  children: React.ReactNode;
+}) => {
+  const userHasScopes = useHasPermission(scopes);
+
+  if (!userHasScopes) {
+    return null;
+  }
+  // eslint-disable-next-line react/jsx-no-useless-fragment
+  return <>{children}</>;
+};
+
+export default Restrict;
diff --git a/clients/admin-ui/src/features/common/nav/v2/hooks.ts b/clients/admin-ui/src/features/common/nav/v2/hooks.ts
index 49c509ee48..efcf8c0e7a 100644
--- a/clients/admin-ui/src/features/common/nav/v2/hooks.ts
+++ b/clients/admin-ui/src/features/common/nav/v2/hooks.ts
@@ -1,11 +1,14 @@
 import { useMemo } from "react";
 
+import { useAppSelector } from "~/app/hooks";
 import { useFeatures } from "~/features/common/features";
+import { selectThisUsersScopes } from "~/features/user-management";
 
 import { configureNavGroups, findActiveNav, NAV_CONFIG } from "./nav-config";
 
 export const useNav = ({ path }: { path: string }) => {
   const features = useFeatures();
+  const userScopes = useAppSelector(selectThisUsersScopes);
 
   const navGroups = useMemo(
     () =>
@@ -16,8 +19,9 @@ export const useNav = ({ path }: { path: string }) => {
         hasConnections: features.connectionsCount > 0,
         hasAccessToPrivacyRequestConfigurations:
           features.flags.privacyRequestsConfiguration,
+        userScopes,
       }),
-    [features]
+    [features, userScopes]
   );
 
   const activeNav = useMemo(
diff --git a/clients/admin-ui/src/features/common/nav/v2/nav-config.test.ts b/clients/admin-ui/src/features/common/nav/v2/nav-config.test.ts
index 796a9cc345..24c5166048 100644
--- a/clients/admin-ui/src/features/common/nav/v2/nav-config.test.ts
+++ b/clients/admin-ui/src/features/common/nav/v2/nav-config.test.ts
@@ -1,11 +1,19 @@
 import { describe, expect, it } from "@jest/globals";
 
-import { configureNavGroups, findActiveNav, NAV_CONFIG } from "./nav-config";
+import { ScopeRegistry } from "~/types/api";
+
+import {
+  canAccessRoute,
+  configureNavGroups,
+  findActiveNav,
+  NAV_CONFIG,
+} from "./nav-config";
 
 describe("configureNavGroups", () => {
   it("only includes home and management by default", () => {
     const navGroups = configureNavGroups({
       config: NAV_CONFIG,
+      userScopes: [],
     });
 
     expect(navGroups[0]).toMatchObject({
@@ -15,11 +23,7 @@ describe("configureNavGroups", () => {
 
     expect(navGroups[1]).toMatchObject({
       title: "Management",
-      children: [
-        { title: "Taxonomy", path: "/taxonomy" },
-        { title: "Users", path: "/user-management" },
-        { title: "About Fides", path: "/management/about" },
-      ],
+      children: [{ title: "About Fides", path: "/management/about" }],
     });
   });
 
@@ -27,6 +31,10 @@ describe("configureNavGroups", () => {
     const navGroups = configureNavGroups({
       config: NAV_CONFIG,
       hasConnections: true,
+      userScopes: [
+        ScopeRegistry.PRIVACY_REQUEST_READ,
+        ScopeRegistry.CONNECTION_CREATE_OR_UPDATE,
+      ],
     });
 
     expect(navGroups[0]).toMatchObject({
@@ -47,6 +55,10 @@ describe("configureNavGroups", () => {
     const navGroups = configureNavGroups({
       config: NAV_CONFIG,
       hasSystems: true,
+      userScopes: [
+        ScopeRegistry.CLI_OBJECTS_CREATE,
+        ScopeRegistry.CLI_OBJECTS_READ,
+      ],
     });
 
     expect(navGroups[0]).toMatchObject({
@@ -69,8 +81,13 @@ describe("configureNavGroups", () => {
     const navGroups = configureNavGroups({
       config: NAV_CONFIG,
       hasSystems: true,
-
       hasPlus: true,
+      userScopes: [
+        ScopeRegistry.DATAMAP_READ,
+        ScopeRegistry.CLI_OBJECTS_CREATE,
+        ScopeRegistry.CLI_OBJECTS_READ,
+        ScopeRegistry.CLI_OBJECTS_UPDATE,
+      ],
     });
 
     expect(navGroups[0]).toMatchObject({
@@ -90,6 +107,83 @@ describe("configureNavGroups", () => {
       ],
     });
   });
+  describe("configure by scopes", () => {
+    it("does not render paths the user does not have scopes for", () => {
+      const navGroups = configureNavGroups({
+        config: NAV_CONFIG,
+        hasSystems: true,
+        userScopes: [ScopeRegistry.CLI_OBJECTS_READ],
+      });
+
+      expect(navGroups[0]).toMatchObject({
+        title: "Home",
+        children: [{ title: "Home", path: "/" }],
+      });
+
+      expect(navGroups[1]).toMatchObject({
+        title: "Data map",
+        children: [{ title: "View systems", path: "/system" }],
+      });
+    });
+
+    it("only shows minimal nav when user has the wrong scopes", () => {
+      const navGroups = configureNavGroups({
+        config: NAV_CONFIG,
+        // entirely irrelevant scope in this case
+        userScopes: [ScopeRegistry.DATABASE_RESET],
+      });
+
+      expect(navGroups[0]).toMatchObject({
+        title: "Home",
+        children: [{ title: "Home", path: "/" }],
+      });
+
+      expect(navGroups[1]).toMatchObject({
+        title: "Management",
+        children: [{ title: "About Fides", path: "/management/about" }],
+      });
+    });
+
+    it("conditionally shows request manager using scopes", () => {
+      const navGroups = configureNavGroups({
+        config: NAV_CONFIG,
+        hasSystems: true,
+        hasConnections: true,
+        userScopes: [ScopeRegistry.PRIVACY_REQUEST_READ],
+      });
+      expect(navGroups[1]).toMatchObject({
+        title: "Privacy requests",
+        children: [{ title: "Request manager", path: "/privacy-requests" }],
+      });
+    });
+
+    it("does not show /datamap if plus is not enabled but user has the scope", () => {
+      const navGroups = configureNavGroups({
+        config: NAV_CONFIG,
+        hasSystems: true,
+        userScopes: [
+          ScopeRegistry.DATAMAP_READ,
+          ScopeRegistry.CLI_OBJECTS_CREATE,
+          ScopeRegistry.CLI_OBJECTS_READ,
+        ],
+      });
+
+      expect(navGroups[0]).toMatchObject({
+        title: "Home",
+        children: [{ title: "Home", path: "/" }],
+      });
+
+      // The data map should _not_ include the actual "/datamap".
+      expect(navGroups[1]).toMatchObject({
+        title: "Data map",
+        children: [
+          { title: "View systems", path: "/system" },
+          { title: "Add systems", path: "/add-systems" },
+          { title: "Manage datasets", path: "/dataset" },
+        ],
+      });
+    });
+  });
 });
 
 describe("findActiveNav", () => {
@@ -98,6 +192,12 @@ describe("findActiveNav", () => {
     hasPlus: true,
     hasSystems: true,
     hasConnections: true,
+    userScopes: [
+      ScopeRegistry.DATAMAP_READ,
+      ScopeRegistry.CLI_OBJECTS_CREATE,
+      ScopeRegistry.CLI_OBJECTS_READ,
+      ScopeRegistry.CONNECTION_CREATE_OR_UPDATE,
+    ],
   });
 
   const testCases = [
@@ -148,4 +248,44 @@ describe("findActiveNav", () => {
       expect(activeNav?.path).toEqual(expected.path);
     });
   });
+
+  describe("canAccessRoute", () => {
+    const accessTestCases = [
+      {
+        path: "/",
+        expected: true,
+        userScopes: [],
+      },
+      {
+        path: "/add-systems",
+        expected: false,
+        userScopes: [],
+      },
+      {
+        path: "/add-systems",
+        expected: true,
+        userScopes: [ScopeRegistry.CLI_OBJECTS_CREATE],
+      },
+      {
+        path: "/privacy-requests",
+        expected: false,
+        userScopes: [ScopeRegistry.CLI_OBJECTS_CREATE],
+      },
+      {
+        path: "/privacy-requests",
+        expected: true,
+        userScopes: [ScopeRegistry.PRIVACY_REQUEST_READ],
+      },
+      {
+        path: "/privacy-requests?queryParam",
+        expected: true,
+        userScopes: [ScopeRegistry.PRIVACY_REQUEST_READ],
+      },
+    ];
+    accessTestCases.forEach(({ path, expected, userScopes }) => {
+      it(`${path} is scope restricted`, () => {
+        expect(canAccessRoute({ path, userScopes })).toBe(expected);
+      });
+    });
+  });
 });
diff --git a/clients/admin-ui/src/features/common/nav/v2/nav-config.ts b/clients/admin-ui/src/features/common/nav/v2/nav-config.ts
index c6d8679e72..83eddae83e 100644
--- a/clients/admin-ui/src/features/common/nav/v2/nav-config.ts
+++ b/clients/admin-ui/src/features/common/nav/v2/nav-config.ts
@@ -1,8 +1,12 @@
+import { ScopeRegistry } from "~/types/api";
+
 export type NavConfigRoute = {
   title?: string;
   path: string;
   exact?: boolean;
   requiresPlus?: boolean;
+  /** This route is only available if the user has ANY of these scopes */
+  scopes: ScopeRegistry[];
 };
 
 export type NavConfigGroup = {
@@ -20,6 +24,7 @@ export const NAV_CONFIG: NavConfigGroup[] = [
       {
         path: "/",
         exact: true,
+        scopes: [],
       },
     ],
   },
@@ -27,32 +32,76 @@ export const NAV_CONFIG: NavConfigGroup[] = [
     title: "Privacy requests",
     requiresConnections: true,
     routes: [
-      { title: "Request manager", path: "/privacy-requests" },
-      { title: "Connection manager", path: "/datastore-connection" },
-      { title: "Configuration", path: "/privacy-requests/configure" },
+      {
+        title: "Request manager",
+        path: "/privacy-requests",
+        scopes: [ScopeRegistry.PRIVACY_REQUEST_READ],
+      },
+      {
+        title: "Connection manager",
+        path: "/datastore-connection",
+        scopes: [ScopeRegistry.CONNECTION_CREATE_OR_UPDATE],
+      },
+      {
+        title: "Configuration",
+        path: "/privacy-requests/configure",
+        scopes: [ScopeRegistry.MESSAGING_CREATE_OR_UPDATE],
+      },
     ],
   },
   {
     title: "Data map",
     requiresSystems: true,
     routes: [
-      { title: "View map", path: "/datamap", requiresPlus: true },
-      { title: "View systems", path: "/system" },
-      { title: "Add systems", path: "/add-systems" },
-      { title: "Manage datasets", path: "/dataset" },
+      {
+        title: "View map",
+        path: "/datamap",
+        requiresPlus: true,
+        scopes: [ScopeRegistry.DATAMAP_READ],
+      },
+      {
+        title: "View systems",
+        path: "/system",
+        scopes: [ScopeRegistry.CLI_OBJECTS_READ],
+      },
+      {
+        title: "Add systems",
+        path: "/add-systems",
+        scopes: [
+          ScopeRegistry.CLI_OBJECTS_CREATE,
+          ScopeRegistry.CLI_OBJECTS_UPDATE,
+        ],
+      },
+      {
+        title: "Manage datasets",
+        path: "/dataset",
+        scopes: [
+          ScopeRegistry.CLI_OBJECTS_CREATE,
+          ScopeRegistry.CLI_OBJECTS_UPDATE,
+        ],
+      },
       {
         title: "Classify systems",
         path: "/classify-systems",
         requiresPlus: true,
+        scopes: [ScopeRegistry.CLI_OBJECTS_UPDATE], // temporary scope until we decide what to do here
       },
     ],
   },
   {
     title: "Management",
     routes: [
-      { title: "Taxonomy", path: "/taxonomy" },
-      { title: "Users", path: "/user-management" },
-      { title: "About Fides", path: "/management/about" },
+      {
+        title: "Taxonomy",
+        path: "/taxonomy",
+        scopes: [ScopeRegistry.CLI_OBJECTS_READ],
+      },
+      {
+        title: "Users",
+        path: "/user-management",
+        scopes: [ScopeRegistry.USER_READ],
+      },
+      { title: "About Fides", path: "/management/about", scopes: [] },
     ],
   },
 ];
@@ -75,14 +124,58 @@ export type NavGroup = {
   children: Array<NavGroupChild>;
 };
 
+/**
+ * If a group contains only routes that the user cannot access, return false.
+ * An empty list of scopes is a special case where any scope works.
+ */
+const navGroupInScope = (
+  group: NavConfigGroup,
+  userScopes: ScopeRegistry[]
+) => {
+  if (group.routes.filter((route) => route.scopes.length === 0).length === 0) {
+    const allScopesAcrossRoutes = group.routes.reduce((acc, route) => {
+      const { scopes } = route;
+      return [...acc, ...scopes];
+    }, [] as ScopeRegistry[]);
+    if (
+      allScopesAcrossRoutes.length &&
+      allScopesAcrossRoutes.filter((scope) => userScopes.includes(scope))
+        .length === 0
+    ) {
+      return false;
+    }
+  }
+  return true;
+};
+
+/**
+ * If the user does not have any of the scopes listed in the route's requirements,
+ * return false. An empty list of scopes is a special case where any scope works.
+ */
+const navRouteInScope = (
+  route: NavConfigRoute,
+  userScopes: ScopeRegistry[]
+) => {
+  if (
+    route.scopes.length &&
+    route.scopes.filter((requiredScope) => userScopes.includes(requiredScope))
+      .length === 0
+  ) {
+    return false;
+  }
+  return true;
+};
+
 export const configureNavGroups = ({
   config,
+  userScopes,
   hasPlus = false,
   hasSystems = false,
   hasConnections = false,
   hasAccessToPrivacyRequestConfigurations = false,
 }: {
   config: NavConfigGroup[];
+  userScopes: ScopeRegistry[];
   hasPlus?: boolean;
   hasSystems?: boolean;
   hasConnections?: boolean;
@@ -99,6 +192,10 @@ export const configureNavGroups = ({
       return;
     }
 
+    if (!navGroupInScope(group, userScopes)) {
+      return;
+    }
+
     const navGroup: NavGroup = {
       title: group.title,
       children: [],
@@ -119,6 +216,10 @@ export const configureNavGroups = ({
         return;
       }
 
+      if (!navRouteInScope(route, userScopes)) {
+        return;
+      }
+
       navGroup.children.push({
         title: route.title ?? navGroup.title,
         path: route.path,
@@ -162,3 +263,38 @@ export const findActiveNav = ({
     path: activePath,
   };
 };
+
+/**
+ * Similar to findActiveNav, but using NavConfig instead of a NavGroup
+ * This may not be needed once we remove the progressive nav, since then we can
+ * just check what navs are available (they would all be restricted by scope)
+ */
+export const canAccessRoute = ({
+  path,
+  userScopes,
+}: {
+  path: string;
+  userScopes: ScopeRegistry[];
+}) => {
+  let childMatch: NavConfigRoute | undefined;
+  const groupMatch = NAV_CONFIG.find((group) => {
+    childMatch = group.routes.find((child) =>
+      child.exact ? path === child.path : path.startsWith(child.path)
+    );
+    return childMatch;
+  });
+
+  if (!(groupMatch && childMatch)) {
+    return false;
+  }
+
+  // Special case of empty scopes
+  if (childMatch.scopes.length === 0) {
+    return true;
+  }
+
+  const scopeOverlaps = childMatch.scopes.filter((scope) =>
+    userScopes.includes(scope)
+  );
+  return scopeOverlaps.length > 0;
+};
diff --git a/clients/admin-ui/src/features/datastore-connections/ConnectionGrid.tsx b/clients/admin-ui/src/features/datastore-connections/ConnectionGrid.tsx
index 5f3a6b7382..59fd2bdf8a 100644
--- a/clients/admin-ui/src/features/datastore-connections/ConnectionGrid.tsx
+++ b/clients/admin-ui/src/features/datastore-connections/ConnectionGrid.tsx
@@ -57,6 +57,7 @@ const ConnectionGrid: React.FC<ConnectionGridProps> = ({
               ? "0.5px"
               : undefined
           }
+          data-testid="connection-grid"
         >
           <SimpleGrid columns={columns}>
             {parent.map((child) => (
diff --git a/clients/admin-ui/src/features/datastore-connections/ConnectionsEmptyState.tsx b/clients/admin-ui/src/features/datastore-connections/ConnectionsEmptyState.tsx
index 8b0457847a..faf6bf3a13 100644
--- a/clients/admin-ui/src/features/datastore-connections/ConnectionsEmptyState.tsx
+++ b/clients/admin-ui/src/features/datastore-connections/ConnectionsEmptyState.tsx
@@ -11,6 +11,7 @@ const ConnectionsEmptyState: React.FC = () => (
     justifyContent="center"
     alignItems="center"
     flexDirection="column"
+    data-testid="connections-empty-state"
   >
     <Text
       color="black"
diff --git a/clients/admin-ui/src/features/privacy-requests/PrivacyRequestsContainer.tsx b/clients/admin-ui/src/features/privacy-requests/PrivacyRequestsContainer.tsx
index 2f25628e1e..ef020cfdd6 100644
--- a/clients/admin-ui/src/features/privacy-requests/PrivacyRequestsContainer.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/PrivacyRequestsContainer.tsx
@@ -22,7 +22,7 @@ const PrivacyRequestsContainer: React.FC = () => {
 
   return (
     <>
-      <Flex>
+      <Flex data-testid="privacy-requests">
         <Heading mb={8} fontSize="2xl" fontWeight="semibold">
           Privacy Requests
         </Heading>
diff --git a/clients/admin-ui/src/features/user-management/EditUserForm.tsx b/clients/admin-ui/src/features/user-management/EditUserForm.tsx
index 401dd49f71..9cc8a9235c 100644
--- a/clients/admin-ui/src/features/user-management/EditUserForm.tsx
+++ b/clients/admin-ui/src/features/user-management/EditUserForm.tsx
@@ -2,12 +2,12 @@ import { Divider, Heading } from "@fidesui/react";
 import React from "react";
 import { useSelector } from "react-redux";
 
-import { selectUser } from "../auth";
+import { selectUser } from "~/features/auth";
+import { useHasPermission } from "~/features/common/Restrict";
+import { ScopeRegistry } from "~/types/api";
+
 import { User, UserPermissions } from "./types";
-import {
-  useEditUserMutation,
-  useGetUserPermissionsQuery,
-} from "./user-management.slice";
+import { useEditUserMutation } from "./user-management.slice";
 import UserForm, { FormValues } from "./UserForm";
 
 const useUserForm = (profile: User, permissions: UserPermissions) => {
@@ -29,18 +29,8 @@ const useUserForm = (profile: User, permissions: UserPermissions) => {
   };
 
   const isOwnProfile = currentUser ? currentUser.id === profile.id : false;
-
-  let canUpdateUser = false;
-  const { data: userPermissions } = useGetUserPermissionsQuery(
-    currentUser?.id ?? ""
-  );
-  if (isOwnProfile) {
-    canUpdateUser = true;
-  } else {
-    canUpdateUser = userPermissions
-      ? userPermissions.scopes.includes("user:update")
-      : false;
-  }
+  const hasUserUpdatePermission = useHasPermission([ScopeRegistry.USER_UPDATE]);
+  const canUpdateUser = isOwnProfile ? true : hasUserUpdatePermission;
 
   return {
     handleSubmit,
diff --git a/clients/admin-ui/src/features/user-management/PasswordManagement.tsx b/clients/admin-ui/src/features/user-management/PasswordManagement.tsx
index c3dbbfb2a6..5f753155ec 100644
--- a/clients/admin-ui/src/features/user-management/PasswordManagement.tsx
+++ b/clients/admin-ui/src/features/user-management/PasswordManagement.tsx
@@ -3,10 +3,11 @@ import { HStack } from "@fidesui/react";
 import { useAppSelector } from "~/app/hooks";
 import { selectUser } from "~/features/auth";
 import { CustomTextInput } from "~/features/common/form/inputs";
+import Restrict from "~/features/common/Restrict";
+import { ScopeRegistry } from "~/types/api";
 
 import NewPasswordModal from "./NewPasswordModal";
 import UpdatePasswordModal from "./UpdatePasswordModal";
-import { useGetUserPermissionsQuery } from "./user-management.slice";
 
 interface Props {
   profileId?: string;
@@ -14,14 +15,8 @@ interface Props {
 const PasswordManagement = ({ profileId }: Props) => {
   const isNewUser = profileId == null;
   const currentUser = useAppSelector(selectUser);
-  const { data: userPermissions } = useGetUserPermissionsQuery(
-    currentUser?.id ?? ""
-  );
 
   const isOwnProfile = currentUser ? currentUser.id === profileId : false;
-  const canForceResetPassword = userPermissions
-    ? userPermissions.scopes.includes("user:password-reset")
-    : false;
 
   if (isNewUser) {
     return (
@@ -39,14 +34,12 @@ const PasswordManagement = ({ profileId }: Props) => {
     return null;
   }
 
-  if (!isOwnProfile && !canForceResetPassword) {
-    return null;
-  }
-
   return (
     <HStack>
       {isOwnProfile ? <UpdatePasswordModal id={profileId} /> : null}
-      {canForceResetPassword ? <NewPasswordModal id={profileId} /> : null}
+      <Restrict scopes={[ScopeRegistry.USER_PASSWORD_RESET]}>
+        <NewPasswordModal id={profileId} />
+      </Restrict>
     </HStack>
   );
 };
diff --git a/clients/admin-ui/src/features/user-management/user-management.slice.ts b/clients/admin-ui/src/features/user-management/user-management.slice.ts
index 4cb6b429f4..3d7db2ad00 100644
--- a/clients/admin-ui/src/features/user-management/user-management.slice.ts
+++ b/clients/admin-ui/src/features/user-management/user-management.slice.ts
@@ -1,13 +1,13 @@
-import { createSlice, PayloadAction } from "@reduxjs/toolkit";
+import { createSelector, createSlice, PayloadAction } from "@reduxjs/toolkit";
 import { createApi, fetchBaseQuery } from "@reduxjs/toolkit/query/react";
 import { addCommonHeaders } from "common/CommonHeaders";
 import { utf8ToB64 } from "common/utils";
 
 import type { RootState } from "~/app/store";
 import { BASE_URL } from "~/constants";
-import { UserForcePasswordReset } from "~/types/api";
+import { selectToken, selectUser } from "~/features/auth";
+import { ScopeRegistry, UserForcePasswordReset } from "~/types/api";
 
-import { selectToken } from "../auth";
 import {
   User,
   UserCreate,
@@ -60,12 +60,6 @@ export const userManagementSlice = createSlice({
 
 export const { setPage, setUsernameSearch } = userManagementSlice.actions;
 
-export const selectUserFilters = (state: RootState): UsersListParams => ({
-  page: state.userManagement.page,
-  size: state.userManagement.size,
-  username: state.userManagement.username,
-});
-
 export const { reducer } = userManagementSlice;
 
 // Helpers
@@ -187,6 +181,28 @@ export const userApi = createApi({
   }),
 });
 
+export const selectUserFilters = (state: RootState): UsersListParams => ({
+  page: state.userManagement.page,
+  size: state.userManagement.size,
+  username: state.userManagement.username,
+});
+
+const emptyScopes: ScopeRegistry[] = [];
+export const selectThisUsersScopes = createSelector(
+  [(RootState) => RootState, selectUser],
+  (RootState, user) => {
+    if (!user) {
+      return emptyScopes;
+    }
+    const permissions = userApi.endpoints.getUserPermissions.select(user.id)(
+      RootState
+    ).data;
+    // Backend UserPermissions model doesn't automatically type to the same enum
+    // so cast to ScopeRegistry[]
+    return permissions ? (permissions.scopes as ScopeRegistry[]) : emptyScopes;
+  }
+);
+
 export const {
   useGetAllUsersQuery,
   useGetUserByIdQuery,
diff --git a/clients/admin-ui/src/home/HomeContent.tsx b/clients/admin-ui/src/home/HomeContent.tsx
index 1cfb3b51af..6926659251 100644
--- a/clients/admin-ui/src/home/HomeContent.tsx
+++ b/clients/admin-ui/src/home/HomeContent.tsx
@@ -1,117 +1,104 @@
 import { Center, Flex, SimpleGrid, Text } from "@fidesui/react";
 import Link from "next/link";
+import { useRouter } from "next/router";
 import * as React from "react";
 import { useMemo } from "react";
 
+import { useAppSelector } from "~/app/hooks";
 import { useFeatures } from "~/features/common/features";
+import { resolveZoneLink } from "~/features/common/nav/zone-config";
+import { selectThisUsersScopes } from "~/features/user-management";
 
-import { MODULE_CARD_ITEMS, ModuleCardKeys } from "./constants";
+import { MODULE_CARD_ITEMS } from "./constants";
+import { configureTiles } from "./tile-config";
 
-const DEFAULT_CARD_ITEMS = MODULE_CARD_ITEMS.filter((item) =>
-  [
-    ModuleCardKeys.ADD_SYSTEMS,
-    ModuleCardKeys.CONFIGURE_PRIVACY_REQUESTS,
-  ].includes(item.key)
-);
+const COLUMNS = 3;
 
 const HomeContent: React.FC = () => {
-  const COLUMNS = 3;
-  const { connectionsCount, systemsCount } = useFeatures();
+  const router = useRouter();
+  const { connectionsCount, systemsCount, plus } = useFeatures();
   const hasConnections = connectionsCount > 0;
   const hasSystems = systemsCount > 0;
+  const userScopes = useAppSelector(selectThisUsersScopes);
 
-  const getCardItem = (key: ModuleCardKeys) => {
-    const cardItem = MODULE_CARD_ITEMS.find((item) => item.key === key);
-    return cardItem;
-  };
-
-  const getCardList = useMemo(
-    () => () => {
-      const list = [...DEFAULT_CARD_ITEMS];
-      if (hasConnections || hasSystems) {
-        if (hasConnections) {
-          const card = getCardItem(ModuleCardKeys.REVIEW_PRIVACY_REQUESTS);
-          list.push(card!);
-        }
-        if (hasSystems) {
-          const card = getCardItem(ModuleCardKeys.MANAGE_SYSTEMS);
-          list.push(card!);
-        }
-      }
-      return list;
-    },
-    [hasConnections, hasSystems]
+  const list = useMemo(
+    () =>
+      configureTiles({
+        config: MODULE_CARD_ITEMS,
+        hasPlus: plus,
+        hasConnections,
+        hasSystems,
+        userScopes,
+      }),
+    [hasConnections, hasSystems, plus, userScopes]
   );
 
-  const list = getCardList();
-
   return (
-    <Center px="36px">
+    <Center px="36px" data-testid="home-content">
       <SimpleGrid
         columns={list.length >= COLUMNS ? COLUMNS : list.length}
         spacing="24px"
       >
         {list
           .sort((a, b) => (a.sortOrder > b.sortOrder ? 1 : -1))
-          .map((item) => (
-            <Link
-              data-testid={item.name}
-              href={item.href}
-              key={item.key}
-              passHref
-            >
-              <Flex
-                background={item.backgroundColor}
-                borderRadius="8px"
-                boxShadow="base"
-                flexDirection="column"
-                maxH="164px"
-                overflow="hidden"
-                padding="16px 16px 20px 16px"
-                maxW="469.33px"
-                _hover={{
-                  border: "1px solid",
-                  borderColor: `${item.hoverBorderColor}`,
-                  cursor: "pointer",
-                }}
-              >
-                <Flex
-                  alignItems="center"
-                  border="2px solid"
-                  borderColor={item.titleColor}
-                  borderRadius="5.71714px"
-                  color={item.titleColor}
-                  fontSize="22px"
-                  fontWeight="extrabold"
-                  h="48px"
-                  justifyContent="center"
-                  lineHeight="29px"
-                  w="48px"
-                >
-                  {item.title}
-                </Flex>
-                <Flex
-                  color={item.nameColor}
-                  fontSize="16px"
-                  fontWeight="semibold"
-                  lineHeight="24px"
-                  mt="12px"
-                  mb="4px"
-                >
-                  {item.name}
-                  &nbsp; &#8594;
-                </Flex>
+          .map((item) => {
+            const { href } = resolveZoneLink({ href: item.href, router });
+            return (
+              <Link href={href} key={item.key} passHref>
                 <Flex
-                  color={item.descriptionColor}
-                  fontSize="14px"
-                  h="40px"
-                  lineHeight="20px"
+                  background={`${item.color}.50`}
+                  borderRadius="8px"
+                  boxShadow="base"
+                  flexDirection="column"
+                  maxH="164px"
+                  overflow="hidden"
+                  padding="16px 16px 20px 16px"
+                  maxW="469.33px"
+                  _hover={{
+                    border: "1px solid",
+                    borderColor: `${item.color}.500`,
+                    cursor: "pointer",
+                  }}
+                  data-testid={`tile-${item.name}`}
                 >
-                  <Text noOfLines={2}>{item.description}</Text>
+                  <Flex
+                    alignItems="center"
+                    border="2px solid"
+                    borderColor={`${item.color}.300`}
+                    borderRadius="5.71714px"
+                    color={`${item.color}.300`}
+                    fontSize="22px"
+                    fontWeight="extrabold"
+                    h="48px"
+                    justifyContent="center"
+                    lineHeight="29px"
+                    w="48px"
+                  >
+                    {item.title}
+                  </Flex>
+                  <Flex
+                    color={`${item.color}.800`}
+                    fontSize="16px"
+                    fontWeight="semibold"
+                    lineHeight="24px"
+                    mt="12px"
+                    mb="4px"
+                  >
+                    {item.name}
+                    &nbsp; &#8594;
+                  </Flex>
+                  <Flex
+                    color="gray.500"
+                    fontSize="14px"
+                    h="40px"
+                    lineHeight="20px"
+                  >
+                    <Text noOfLines={2}>{item.description}</Text>
+                  </Flex>
                 </Flex>
-              </Flex>
-            </Link>
-          ))}
+              </Link>
+            );
+          })}
       </SimpleGrid>
     </Center>
   );
diff --git a/clients/admin-ui/src/home/constants.ts b/clients/admin-ui/src/home/constants.ts
index 47326d9505..b7e719df88 100644
--- a/clients/admin-ui/src/home/constants.ts
+++ b/clients/admin-ui/src/home/constants.ts
@@ -1,78 +1,84 @@
 import {
   CONFIG_WIZARD_ROUTE,
+  DATAMAP_ROUTE,
   DATASTORE_CONNECTION_ROUTE,
   PRIVACY_REQUESTS_ROUTE,
   SYSTEM_ROUTE,
 } from "~/constants";
+import { ScopeRegistry } from "~/types/api";
 
-import { ModuleCard } from "./types";
+import { ModuleCardConfig } from "./types";
 
 /**
  * Enums
  */
 export enum ModuleCardKeys {
   ADD_SYSTEMS = 1,
-  MANAGE_SYSTEMS = 2,
+  VIEW_SYSTEMS = 2,
   CONFIGURE_PRIVACY_REQUESTS = 3,
   REVIEW_PRIVACY_REQUESTS = 4,
+  VIEW_MAP = 5,
 }
 
-export const MODULE_CARD_ITEMS: ModuleCard[] = [
+export const MODULE_CARD_ITEMS: ModuleCardConfig[] = [
   {
-    backgroundColor: "orange.50",
+    color: "blue",
+    description:
+      "Explore the systems and data flow across your organization and create custom reports.",
+    href: `${DATAMAP_ROUTE}`,
+    key: ModuleCardKeys.VIEW_MAP,
+    name: "View data map",
+    sortOrder: 0,
+    title: "VM",
+    requiresPlus: true,
+    requiresSystems: true,
+    scopes: [ScopeRegistry.DATAMAP_READ],
+  },
+  {
+    color: "orange",
     description:
       "As your organization grows you can continue adding systems to your Fides data map.",
-    descriptionColor: "gray.500",
-    hoverBorderColor: "orange.500",
     href: `${CONFIG_WIZARD_ROUTE}`,
     key: ModuleCardKeys.ADD_SYSTEMS,
     name: "Add systems",
-    nameColor: "orange.800",
     sortOrder: 1,
     title: "AS",
-    titleColor: "orange.300",
+    scopes: [ScopeRegistry.CLI_OBJECTS_CREATE],
   },
   {
-    backgroundColor: "purple.50",
+    color: "purple",
     description:
-      "Review and update system information across your data map including data categories and purposes of processing.",
-    descriptionColor: "gray.500",
-    hoverBorderColor: "purple.500",
+      "Review system information for all systems in your organization",
     href: `${SYSTEM_ROUTE}`,
-    key: ModuleCardKeys.MANAGE_SYSTEMS,
-    name: "Manage systems",
-    nameColor: "purple.800",
+    key: ModuleCardKeys.VIEW_SYSTEMS,
+    name: "View systems",
     sortOrder: 2,
-    title: "MS",
-    titleColor: "purple.300",
+    title: "VS",
+    scopes: [ScopeRegistry.CLI_OBJECTS_READ],
+    requiresSystems: true,
   },
   {
-    backgroundColor: "teal.50",
+    color: "teal",
     description:
       "Connect your systems and configure privacy request processing for DSRs (access and erasure).",
-    descriptionColor: "gray.500",
-    hoverBorderColor: "teal.500",
     href: `${DATASTORE_CONNECTION_ROUTE}/new?step=1`,
     key: ModuleCardKeys.CONFIGURE_PRIVACY_REQUESTS,
     name: "Configure privacy requests",
-    nameColor: "teal.800",
     sortOrder: 3,
     title: "PR",
-    titleColor: "teal.300",
+    scopes: [ScopeRegistry.CONNECTION_CREATE_OR_UPDATE],
   },
 
   {
-    backgroundColor: "pink.50",
+    color: "pink",
     description:
       "Review, approve and process privacy requests across your systems on behalf of your users.",
-    descriptionColor: "gray.500",
-    hoverBorderColor: "pink.500",
     href: `${PRIVACY_REQUESTS_ROUTE}`,
     key: ModuleCardKeys.REVIEW_PRIVACY_REQUESTS,
     name: "Review privacy requests",
-    nameColor: "pink.800",
     sortOrder: 4,
     title: "RP",
-    titleColor: "pink.300",
+    scopes: [ScopeRegistry.PRIVACY_REQUEST_CREATE],
+    requiresConnections: true,
   },
 ];
diff --git a/clients/admin-ui/src/home/tile-config.test.ts b/clients/admin-ui/src/home/tile-config.test.ts
new file mode 100644
index 0000000000..7d0b29445a
--- /dev/null
+++ b/clients/admin-ui/src/home/tile-config.test.ts
@@ -0,0 +1,149 @@
+import { describe, expect, it } from "@jest/globals";
+
+import { ScopeRegistry } from "~/types/api";
+
+import { MODULE_CARD_ITEMS } from "./constants";
+import { configureTiles } from "./tile-config";
+
+const ALL_SCOPES_FOR_TILES = [
+  ScopeRegistry.DATAMAP_READ,
+  ScopeRegistry.PRIVACY_REQUEST_CREATE,
+  ScopeRegistry.CONNECTION_CREATE_OR_UPDATE,
+  ScopeRegistry.CLI_OBJECTS_READ,
+  ScopeRegistry.CLI_OBJECTS_CREATE,
+];
+
+describe("configureTiles", () => {
+  it("does not return view datamap if not plus", () => {
+    const tiles = configureTiles({
+      config: MODULE_CARD_ITEMS,
+      hasPlus: false,
+      hasSystems: true,
+      userScopes: ALL_SCOPES_FOR_TILES,
+    });
+
+    expect(tiles.filter((t) => t.href === "/datamap").length).toEqual(0);
+  });
+
+  it("includes datamap view if plus", () => {
+    const tiles = configureTiles({
+      config: MODULE_CARD_ITEMS,
+      hasPlus: true,
+      hasSystems: true,
+      userScopes: ALL_SCOPES_FOR_TILES,
+    });
+    expect(tiles.filter((t) => t.href === "/datamap").length).toEqual(1);
+  });
+
+  it("can exclude tiles that require systems or connectors", () => {
+    const tiles = configureTiles({
+      config: MODULE_CARD_ITEMS,
+      hasPlus: true,
+      hasSystems: false,
+      hasConnections: false,
+      userScopes: ALL_SCOPES_FOR_TILES,
+    });
+    expect(tiles.map((t) => t.name)).toEqual([
+      "Add systems",
+      "Configure privacy requests",
+    ]);
+  });
+
+  it("can include tiles that require systems", () => {
+    const tiles = configureTiles({
+      config: MODULE_CARD_ITEMS,
+      hasPlus: true,
+      hasSystems: true,
+      userScopes: ALL_SCOPES_FOR_TILES,
+    });
+    expect(tiles.map((t) => t.name)).toEqual([
+      "View data map",
+      "Add systems",
+      "View systems",
+      "Configure privacy requests",
+    ]);
+  });
+
+  it("can include tiles that require connectors", () => {
+    const tiles = configureTiles({
+      config: MODULE_CARD_ITEMS,
+      hasConnections: true,
+      userScopes: ALL_SCOPES_FOR_TILES,
+    });
+    expect(tiles.map((t) => t.name)).toEqual([
+      "Add systems",
+      "Configure privacy requests",
+      "Review privacy requests",
+    ]);
+  });
+
+  describe("configure by scopes", () => {
+    it("returns no tiles if user has no scopes", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        userScopes: [],
+      });
+
+      expect(tiles.length).toEqual(0);
+    });
+
+    it("returns no tiles if user has wrong scopes", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        // irrelevant scope
+        userScopes: [ScopeRegistry.DATABASE_RESET],
+      });
+      expect(tiles.length).toEqual(0);
+    });
+
+    it("conditionally shows add systems based on scope", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        userScopes: [ScopeRegistry.CLI_OBJECTS_CREATE],
+      });
+      expect(tiles.map((t) => t.name)).toEqual(["Add systems"]);
+    });
+
+    it("conditionally shows configure privacy requests", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        userScopes: [ScopeRegistry.CONNECTION_CREATE_OR_UPDATE],
+      });
+      expect(tiles.map((t) => t.name)).toEqual(["Configure privacy requests"]);
+    });
+
+    it("conditionally shows view datamap", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        hasPlus: true,
+        hasSystems: true,
+        userScopes: [ScopeRegistry.DATAMAP_READ],
+      });
+      expect(tiles.map((t) => t.name)).toEqual(["View data map"]);
+    });
+
+    it("conditionally shows reviewing privacy requests", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        hasConnections: true,
+        userScopes: [ScopeRegistry.PRIVACY_REQUEST_CREATE],
+      });
+      expect(tiles.map((t) => t.name)).toEqual(["Review privacy requests"]);
+    });
+
+    it("can combine scopes to show multiple tiles", () => {
+      const tiles = configureTiles({
+        config: MODULE_CARD_ITEMS,
+        hasConnections: true,
+        userScopes: [
+          ScopeRegistry.PRIVACY_REQUEST_CREATE,
+          ScopeRegistry.CONNECTION_CREATE_OR_UPDATE,
+        ],
+      });
+      expect(tiles.map((t) => t.name)).toEqual([
+        "Configure privacy requests",
+        "Review privacy requests",
+      ]);
+    });
+  });
+});
diff --git a/clients/admin-ui/src/home/tile-config.ts b/clients/admin-ui/src/home/tile-config.ts
new file mode 100644
index 0000000000..f134a54c27
--- /dev/null
+++ b/clients/admin-ui/src/home/tile-config.ts
@@ -0,0 +1,44 @@
+import { ScopeRegistry } from "~/types/api";
+
+import { ModuleCardConfig } from "./types";
+
+export const configureTiles = ({
+  config,
+  userScopes,
+  hasPlus = false,
+  hasSystems = false,
+  hasConnections = false,
+}: {
+  config: ModuleCardConfig[];
+  userScopes: ScopeRegistry[];
+  hasPlus?: boolean;
+  hasSystems?: boolean;
+  hasConnections?: boolean;
+}): ModuleCardConfig[] => {
+  let filteredConfig = config;
+
+  if (!hasPlus) {
+    filteredConfig = filteredConfig.filter((c) => !c.requiresPlus);
+  }
+
+  if (!hasSystems) {
+    filteredConfig = filteredConfig.filter((c) => !c.requiresSystems);
+  }
+
+  if (!hasConnections) {
+    filteredConfig = filteredConfig.filter((c) => !c.requiresConnections);
+  }
+
+  const filteredByScope: ModuleCardConfig[] = [];
+  filteredConfig.forEach((moduleConfig) => {
+    if (moduleConfig.scopes.length === 0) {
+      filteredByScope.push(moduleConfig);
+    } else if (
+      moduleConfig.scopes.filter((scope) => userScopes.includes(scope)).length >
+      0
+    ) {
+      filteredByScope.push(moduleConfig);
+    }
+  });
+  return filteredByScope;
+};
diff --git a/clients/admin-ui/src/home/types.ts b/clients/admin-ui/src/home/types.ts
index a88892f3cc..5d69c8fe56 100644
--- a/clients/admin-ui/src/home/types.ts
+++ b/clients/admin-ui/src/home/types.ts
@@ -1,13 +1,18 @@
-export type ModuleCard = {
-  backgroundColor: string;
+import { ScopeRegistry } from "~/types/api";
+
+type ModuleCard = {
   description: string;
-  descriptionColor: string;
-  hoverBorderColor: string;
   href: string;
   key: number;
   name: string;
-  nameColor: string;
   sortOrder: number;
   title: string;
-  titleColor: string;
+  color: string;
 };
+
+export interface ModuleCardConfig extends ModuleCard {
+  requiresSystems?: boolean;
+  requiresConnections?: boolean;
+  requiresPlus?: boolean;
+  scopes: ScopeRegistry[];
+}
diff --git a/clients/admin-ui/src/types/api/index.ts b/clients/admin-ui/src/types/api/index.ts
index b6381fbf5d..cc2b4da856 100644
--- a/clients/admin-ui/src/types/api/index.ts
+++ b/clients/admin-ui/src/types/api/index.ts
@@ -200,6 +200,7 @@ export type { ResourceFilter } from "./models/ResourceFilter";
 export { ResourceTypes } from "./models/ResourceTypes";
 export { ResponseFormat } from "./models/ResponseFormat";
 export type { ReviewPrivacyRequestIds } from "./models/ReviewPrivacyRequestIds";
+export { RoleRegistry } from "./models/RoleRegistry";
 export type { RowCountRequest } from "./models/RowCountRequest";
 export type { RuleCreate } from "./models/RuleCreate";
 export type { RuleResponse } from "./models/RuleResponse";
@@ -214,6 +215,7 @@ export type { SaasConnectionTemplateValues } from "./models/SaasConnectionTempla
 export type { SaaSRequest } from "./models/SaaSRequest";
 export type { SaaSRequestMap } from "./models/SaaSRequestMap";
 export type { SaaSSchema } from "./models/SaaSSchema";
+export { ScopeRegistry } from "./models/ScopeRegistry";
 export type { SnowflakeDocsSchema } from "./models/SnowflakeDocsSchema";
 export type { SovrnEmailDocsSchema } from "./models/SovrnEmailDocsSchema";
 export { SpecialCategoriesEnum } from "./models/SpecialCategoriesEnum";
diff --git a/clients/admin-ui/src/types/api/models/RoleRegistry.ts b/clients/admin-ui/src/types/api/models/RoleRegistry.ts
new file mode 100644
index 0000000000..289cf8c4be
--- /dev/null
+++ b/clients/admin-ui/src/types/api/models/RoleRegistry.ts
@@ -0,0 +1,13 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * Enum of available roles
+ */
+export enum RoleRegistry {
+  ADMIN = "admin",
+  VIEWER_AND_PRIVACY_REQUEST_MANAGER = "viewer_and_privacy_request_manager",
+  VIEWER = "viewer",
+  PRIVACY_REQUEST_MANAGER = "privacy_request_manager",
+}
diff --git a/clients/admin-ui/src/types/api/models/ScopeRegistry.ts b/clients/admin-ui/src/types/api/models/ScopeRegistry.ts
new file mode 100644
index 0000000000..e6da9f07f6
--- /dev/null
+++ b/clients/admin-ui/src/types/api/models/ScopeRegistry.ts
@@ -0,0 +1,81 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * An enumeration.
+ */
+export enum ScopeRegistry {
+  CONFIG_READ = "config:read",
+  CONFIG_UPDATE = "config:update",
+  CLI_OBJECTS_CREATE = "cli-objects:create",
+  CLI_OBJECTS_READ = "cli-objects:read",
+  CLI_OBJECTS_UPDATE = "cli-objects:update",
+  CLI_OBJECTS_DELETE = "cli-objects:delete",
+  CLIENT_CREATE = "client:create",
+  CLIENT_DELETE = "client:delete",
+  CLIENT_READ = "client:read",
+  CLIENT_UPDATE = "client:update",
+  CONNECTION_CREATE_OR_UPDATE = "connection:create_or_update",
+  CONNECTION_DELETE = "connection:delete",
+  CONNECTION_READ = "connection:read",
+  CONNECTION_AUTHORIZE = "connection:authorize",
+  CONNECTION_TYPE_READ = "connection_type:read",
+  CONSENT_READ = "consent:read",
+  DATABASE_RESET = "database:reset",
+  DATAMAP_READ = "datamap:read",
+  DATASET_CREATE_OR_UPDATE = "dataset:create_or_update",
+  DATASET_DELETE = "dataset:delete",
+  DATASET_READ = "dataset:read",
+  ENCRYPTION_EXEC = "encryption:exec",
+  FIDES_TAXONOMY_UPDATE = "fides_taxonomy:update",
+  GENERATE_EXEC = "generate:exec",
+  MESSAGING_CREATE_OR_UPDATE = "messaging:create_or_update",
+  MESSAGING_DELETE = "messaging:delete",
+  MESSAGING_READ = "messaging:read",
+  ORGANIZATION_CREATE = "organization:create",
+  ORGANIZATION_DELETE = "organization:delete",
+  ORGANIZATION_UPDATE = "organization:update",
+  POLICY_CREATE_OR_UPDATE = "policy:create_or_update",
+  POLICY_DELETE = "policy:delete",
+  POLICY_READ = "policy:read",
+  PRIVACY_REQUEST_CREATE = "privacy-request:create",
+  PRIVACY_REQUEST_RESUME = "privacy-request:resume",
+  PRIVACY_REQUEST_DELETE = "privacy-request:delete",
+  PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE = "privacy-request-notifications:create_or_update",
+  PRIVACY_REQUEST_NOTIFICATIONS_READ = "privacy-request-notifications:read",
+  PRIVACY_REQUEST_READ = "privacy-request:read",
+  PRIVACY_REQUEST_REVIEW = "privacy-request:review",
+  PRIVACY_REQUEST_TRANSFER = "privacy-request:transfer",
+  PRIVACY_REQUEST_UPLOAD_DATA = "privacy-request:upload_data",
+  PRIVACY_REQUEST_VIEW_DATA = "privacy-request:view_data",
+  RULE_CREATE_OR_UPDATE = "rule:create_or_update",
+  RULE_DELETE = "rule:delete",
+  RULE_READ = "rule:read",
+  SAAS_CONFIG_CREATE_OR_UPDATE = "saas_config:create_or_update",
+  SAAS_CONFIG_DELETE = "saas_config:delete",
+  SAAS_CONFIG_READ = "saas_config:read",
+  CONNECTION_INSTANTIATE = "connection:instantiate",
+  SCOPE_READ = "scope:read",
+  STORAGE_CREATE_OR_UPDATE = "storage:create_or_update",
+  STORAGE_DELETE = "storage:delete",
+  STORAGE_READ = "storage:read",
+  SYSTEM_CREATE = "system:create",
+  SYSTEM_DELETE = "system:delete",
+  SYSTEM_UPDATE = "system:update",
+  TAXONOMY_CREATE = "taxonomy:create",
+  TAXONOMY_DELETE = "taxonomy:delete",
+  TAXONOMY_UPDATE = "taxonomy:update",
+  USER_CREATE = "user:create",
+  USER_UPDATE = "user:update",
+  USER_DELETE = "user:delete",
+  USER_READ = "user:read",
+  USER_PASSWORD_RESET = "user:password-reset",
+  USER_PERMISSION_CREATE = "user-permission:create",
+  USER_PERMISSION_UPDATE = "user-permission:update",
+  USER_PERMISSION_READ = "user-permission:read",
+  VALIDATE_EXEC = "validate:exec",
+  WEBHOOK_CREATE_OR_UPDATE = "webhook:create_or_update",
+  WEBHOOK_DELETE = "webhook:delete",
+  WEBHOOK_READ = "webhook:read",
+}
diff --git a/clients/admin-ui/src/types/api/models/UserPermissionsCreate.ts b/clients/admin-ui/src/types/api/models/UserPermissionsCreate.ts
index ab0c4017f8..27769f24af 100644
--- a/clients/admin-ui/src/types/api/models/UserPermissionsCreate.ts
+++ b/clients/admin-ui/src/types/api/models/UserPermissionsCreate.ts
@@ -2,9 +2,15 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { RoleRegistry } from "./RoleRegistry";
+
 /**
  * Data required to create a FidesUserPermissions record
+ *
+ * Users will generally be assigned role(s) directly which are associated with many scopes,
+ * but we also will continue to support the ability to be assigned specific individual scopes.
  */
 export type UserPermissionsCreate = {
-  scopes: Array<string>;
+  scopes?: Array<string>;
+  roles?: Array<RoleRegistry>;
 };
diff --git a/clients/admin-ui/src/types/api/models/UserPermissionsEdit.ts b/clients/admin-ui/src/types/api/models/UserPermissionsEdit.ts
index 27121ce6d8..caf1d4f1e9 100644
--- a/clients/admin-ui/src/types/api/models/UserPermissionsEdit.ts
+++ b/clients/admin-ui/src/types/api/models/UserPermissionsEdit.ts
@@ -2,10 +2,13 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { RoleRegistry } from "./RoleRegistry";
+
 /**
- * Data required to edit a FidesUserPermissions record
+ * Data required to edit a FidesUserPermissions record.
  */
 export type UserPermissionsEdit = {
-  scopes: Array<string>;
-  id: string;
+  scopes?: Array<string>;
+  roles?: Array<RoleRegistry>;
+  id?: string;
 };
diff --git a/clients/admin-ui/src/types/api/models/UserPermissionsResponse.ts b/clients/admin-ui/src/types/api/models/UserPermissionsResponse.ts
index e2b85b25f3..f5d04b1f04 100644
--- a/clients/admin-ui/src/types/api/models/UserPermissionsResponse.ts
+++ b/clients/admin-ui/src/types/api/models/UserPermissionsResponse.ts
@@ -2,11 +2,14 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { RoleRegistry } from "./RoleRegistry";
+
 /**
- * Response after creating, editing, or retrieving a FidesUserPermissions record
+ * Response after creating, editing, or retrieving a FidesUserPermissions record.
  */
 export type UserPermissionsResponse = {
-  scopes: Array<string>;
+  scopes?: Array<string>;
+  roles?: Array<RoleRegistry>;
   id: string;
   user_id: string;
 };
diff --git a/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py b/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py
index 4a7202ce86..437a5f7987 100644
--- a/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py
+++ b/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py
@@ -21,6 +21,7 @@
     CLIENT_UPDATE,
     SCOPE_READ,
     SCOPE_REGISTRY,
+    SCOPE_REGISTRY_ENUM,
 )
 from fides.api.ops.api.v1.urn_registry import (
     CLIENT,
@@ -192,7 +193,7 @@ def set_client_scopes(
 @router.get(
     SCOPE,
     dependencies=[Security(verify_oauth_client, scopes=[SCOPE_READ])],
-    response_model=List[str],
+    response_model=List[SCOPE_REGISTRY_ENUM],
 )
 def read_scopes() -> List[str]:
     """Returns a list of all scopes available for assignment in the system"""
diff --git a/src/fides/api/ops/api/v1/scope_registry.py b/src/fides/api/ops/api/v1/scope_registry.py
index 9ce18c0d69..22d65ec022 100644
--- a/src/fides/api/ops/api/v1/scope_registry.py
+++ b/src/fides/api/ops/api/v1/scope_registry.py
@@ -8,6 +8,8 @@
 `SCOPE_REGISTRY` is intended as a comprehensive list of all available scopes.
 """
 
+from enum import Enum
+
 AUTHORIZE = "authorize"
 CLI_OBJECTS = "cli-objects"
 CLIENT = "client"
@@ -228,3 +230,8 @@
 }
 
 SCOPE_REGISTRY = list(SCOPE_DOCS.keys())
+
+_SCOPE_REGISTRY_DICT = {key: key for key in SCOPE_REGISTRY}
+# mypy doesn't like taking the dictionary to generate the enum
+# https://github.com/python/mypy/issues/5317
+SCOPE_REGISTRY_ENUM = Enum("ScopeRegistry", _SCOPE_REGISTRY_DICT)  # type: ignore

From 663bc5451d262f5c9a5c3eecbe50b6abfa1136d6 Mon Sep 17 00:00:00 2001
From: Dawn Pattison <pattisdr@users.noreply.github.com>
Date: Fri, 3 Mar 2023 13:17:42 -0600
Subject: [PATCH 12/16] Overhaul Roles and Roles Mapping [#2720] (#2744)

Update the roles that users can be granted along with their associated list of scopes.

- Owner: Full Admin
- Viewer: Can view everything
- Contributor: Can manage most things but can't adjust storage and messaging configs
- Approver: Limited view but can approve privacy requests
- Viewer + Approver: Full view and can approve privacy requests
---
 CHANGELOG.md                                  |  1 +
 scripts/setup/user.py                         |  2 +-
 .../9f38dad37628_redo_roles_scopes_mapping.py | 59 +++++++++++++++++
 src/fides/core/config/security_settings.py    |  4 +-
 src/fides/lib/oauth/roles.py                  | 54 +++++++++------
 tests/conftest.py                             | 31 ++++-----
 tests/ctl/cli/test_cli.py                     |  6 +-
 tests/fixtures/application_fixtures.py        | 58 +---------------
 tests/lib/test_client_model.py                | 24 +++----
 tests/lib/test_oauth_util.py                  | 66 ++++++++++++++-----
 .../test_connection_config_endpoints.py       | 10 +--
 .../api/v1/endpoints/test_oauth_endpoints.py  | 13 ++--
 .../test_privacy_request_endpoints.py         | 10 +--
 .../api/v1/endpoints/test_user_endpoints.py   | 20 +++---
 .../test_user_permission_endpoints.py         | 22 +++----
 15 files changed, 212 insertions(+), 168 deletions(-)
 create mode 100644 src/fides/api/ctl/migrations/versions/9f38dad37628_redo_roles_scopes_mapping.py

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 004c27f66b..8b452e1b1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@ The types of changes are:
 * Add warning to 'fides deploy' when installed outside of a virtual environment [#2641](https://github.com/ethyca/fides/pull/2641)
 * Redesigned the default/init config file to be auto-documented. Also updates the `fides init` logic and analytics consent logic [#2694](https://github.com/ethyca/fides/pull/2694)
 * Change how config creation/import is handled across the application [#2622](https://github.com/ethyca/fides/pull/2622)
+* Updates Roles->Scopes Mapping [#2744](https://github.com/ethyca/fides/pull/2744)
 
 ### Developer Experience
 
diff --git a/scripts/setup/user.py b/scripts/setup/user.py
index c812dc5c55..30de0e55e6 100644
--- a/scripts/setup/user.py
+++ b/scripts/setup/user.py
@@ -6,7 +6,7 @@
 from fides.api.ops.api.v1 import urn_registry as urls
 from fides.api.ops.api.v1.scope_registry import SCOPE_REGISTRY
 from fides.core.config import CONFIG
-from fides.lib.oauth.roles import ADMIN
+from fides.lib.oauth.roles import OWNER
 
 from . import constants
 
diff --git a/src/fides/api/ctl/migrations/versions/9f38dad37628_redo_roles_scopes_mapping.py b/src/fides/api/ctl/migrations/versions/9f38dad37628_redo_roles_scopes_mapping.py
new file mode 100644
index 0000000000..74c9e3996d
--- /dev/null
+++ b/src/fides/api/ctl/migrations/versions/9f38dad37628_redo_roles_scopes_mapping.py
@@ -0,0 +1,59 @@
+"""Redo roles scopes mapping
+
+Revision ID: 9f38dad37628
+Revises: eb1e6ec39b83
+Create Date: 2023-03-03 16:53:03.553992
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+from sqlalchemy import text
+from sqlalchemy.engine import ResultProxy
+
+revision = "9f38dad37628"
+down_revision = "eb1e6ec39b83"
+branch_labels = None
+depends_on = None
+
+
+def swap_roles(old_role: str, new_role: str):
+    bind = op.get_bind()
+    matched_rows: ResultProxy = bind.execute(
+        text("SELECT * FROM fidesuserpermissions WHERE :old_role = ANY(roles);"),
+        {"old_role": old_role},
+    )
+    for row in matched_rows:
+        current_roles = row["roles"]
+        current_roles.remove(old_role)
+        current_roles.append(new_role)
+        bind.execute(
+            text("UPDATE fidesuserpermissions SET roles= :roles WHERE id= :id"),
+            {"roles": sorted(list(set(current_roles))), "id": row["id"]},
+        )
+
+    matched_client_rows: ResultProxy = bind.execute(
+        text("SELECT * FROM client WHERE :old_role = ANY(roles);"),
+        {"old_role": old_role},
+    )
+    for row in matched_client_rows:
+        client_roles = row["roles"]
+        client_roles.remove(old_role)
+        client_roles.append(new_role)
+        bind.execute(
+            text("UPDATE client SET roles= :roles WHERE id= :id"),
+            {"roles": sorted(list(set(client_roles))), "id": row["id"]},
+        )
+
+
+def upgrade():
+    swap_roles("admin", "owner")
+    swap_roles("viewer_and_privacy_request_manager", "viewer_and_approver")
+    swap_roles("privacy_request_manager", "approver")
+
+
+def downgrade():
+    swap_roles("owner", "admin")
+    swap_roles("viewer_and_approver", "viewer_and_privacy_request_manager")
+    swap_roles("approver", "privacy_request_manager")
diff --git a/src/fides/core/config/security_settings.py b/src/fides/core/config/security_settings.py
index 5644f83b58..e0a12ab52c 100644
--- a/src/fides/core/config/security_settings.py
+++ b/src/fides/core/config/security_settings.py
@@ -9,7 +9,7 @@
 
 from fides.api.ops.api.v1.scope_registry import SCOPE_REGISTRY
 from fides.lib.cryptography.cryptographic_util import generate_salt, hash_with_salt
-from fides.lib.oauth.roles import ADMIN
+from fides.lib.oauth.roles import OWNER
 
 from .fides_settings import FidesSettings
 
@@ -98,7 +98,7 @@ class SecuritySettings(FidesSettings):
         description="The list of scopes that are given to the root user.",
     )
     root_user_roles: List[str] = Field(
-        default=[ADMIN],
+        default=[OWNER],
         description="The list of roles that are given to the root user.",
     )
     root_password: Optional[str] = Field(
diff --git a/src/fides/lib/oauth/roles.py b/src/fides/lib/oauth/roles.py
index c91a23d051..1d3371540f 100644
--- a/src/fides/lib/oauth/roles.py
+++ b/src/fides/lib/oauth/roles.py
@@ -10,51 +10,56 @@
     CONSENT_READ,
     DATAMAP_READ,
     DATASET_READ,
+    MESSAGING_CREATE_OR_UPDATE,
+    MESSAGING_DELETE,
     MESSAGING_READ,
     POLICY_READ,
     PRIVACY_REQUEST_CALLBACK_RESUME,
-    PRIVACY_REQUEST_CREATE,
-    PRIVACY_REQUEST_DELETE,
     PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
     PRIVACY_REQUEST_NOTIFICATIONS_READ,
     PRIVACY_REQUEST_READ,
     PRIVACY_REQUEST_REVIEW,
-    PRIVACY_REQUEST_TRANSFER,
     PRIVACY_REQUEST_UPLOAD_DATA,
     PRIVACY_REQUEST_VIEW_DATA,
     RULE_READ,
     SAAS_CONFIG_READ,
     SCOPE_READ,
     SCOPE_REGISTRY,
+    STORAGE_CREATE_OR_UPDATE,
+    STORAGE_DELETE,
     STORAGE_READ,
     USER_READ,
     WEBHOOK_READ,
 )
 
-PRIVACY_REQUEST_MANAGER = "privacy_request_manager"
+APPROVER = "approver"
+CONTRIBUTOR = "contributor"
+OWNER = "owner"
 VIEWER = "viewer"
-VIEWER_AND_PRIVACY_REQUEST_MANAGER = "viewer_and_privacy_request_manager"
-ADMIN = "admin"
+VIEWER_AND_APPROVER = "viewer_and_approver"
 
 
 class RoleRegistry(Enum):
-    """Enum of available roles"""
+    """Enum of available roles
 
-    admin = ADMIN
-    viewer_and_privacy_request_manager = VIEWER_AND_PRIVACY_REQUEST_MANAGER
+    Owner - Full admin
+    Viewer - Can view everything
+    Approver - Limited viewer but can approve Privacy Requests
+    Viewer + Approver = Full View and can approve Privacy Requests
+    Contributor - Can't configure storage and messaging
+    """
+
+    owner = OWNER
+    viewer_approver = VIEWER_AND_APPROVER
     viewer = VIEWER
-    privacy_request_manager = PRIVACY_REQUEST_MANAGER
+    approver = APPROVER
+    contributor = CONTRIBUTOR
 
 
-privacy_request_manager_scopes = [
-    PRIVACY_REQUEST_CREATE,
+approver_scopes = [
     PRIVACY_REQUEST_REVIEW,
     PRIVACY_REQUEST_READ,
-    PRIVACY_REQUEST_DELETE,
     PRIVACY_REQUEST_CALLBACK_RESUME,
-    PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
-    PRIVACY_REQUEST_NOTIFICATIONS_READ,
-    PRIVACY_REQUEST_TRANSFER,
     PRIVACY_REQUEST_UPLOAD_DATA,
     PRIVACY_REQUEST_VIEW_DATA,
 ]
@@ -81,13 +86,20 @@ class RoleRegistry(Enum):
     USER_READ,
 ]
 
+not_contributor_scopes = [
+    STORAGE_CREATE_OR_UPDATE,
+    STORAGE_DELETE,
+    MESSAGING_CREATE_OR_UPDATE,
+    MESSAGING_DELETE,
+    PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
+]
+
 ROLES_TO_SCOPES_MAPPING: Dict[str, List] = {
-    ADMIN: sorted(SCOPE_REGISTRY),
-    VIEWER_AND_PRIVACY_REQUEST_MANAGER: sorted(
-        list(set(viewer_scopes + privacy_request_manager_scopes))
-    ),
+    OWNER: sorted(SCOPE_REGISTRY),
+    VIEWER_AND_APPROVER: sorted(list(set(viewer_scopes + approver_scopes))),
     VIEWER: sorted(viewer_scopes),
-    PRIVACY_REQUEST_MANAGER: sorted(privacy_request_manager_scopes),
+    APPROVER: sorted(approver_scopes),
+    CONTRIBUTOR: sorted(list(set(SCOPE_REGISTRY) - set(not_contributor_scopes))),
 }
 
 
diff --git a/tests/conftest.py b/tests/conftest.py
index 2321dbb0f9..ad5ed49dc2 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -43,10 +43,7 @@
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
 from fides.lib.oauth.jwt import generate_jwe
-from fides.lib.oauth.roles import (
-    PRIVACY_REQUEST_MANAGER,
-    VIEWER_AND_PRIVACY_REQUEST_MANAGER,
-)
+from fides.lib.oauth.roles import APPROVER, CONTRIBUTOR, VIEWER_AND_APPROVER
 from tests.fixtures.application_fixtures import *
 from tests.fixtures.bigquery_fixtures import *
 from tests.fixtures.email_fixtures import *
@@ -665,16 +662,14 @@ def config_proxy(db):
 
 @pytest.fixture(scope="function")
 def oauth_role_client(db: Session) -> Generator:
-    """Return a client that has the admin role for authentication purposes"""
+    """Return a client that has all roles for authentication purposes
+    This is not a typical state but this client will then work with any
+    roles a token is given
+    """
     client = ClientDetail(
         hashed_secret="thisisatest",
         salt="thisisstillatest",
-        roles=[
-            ADMIN,
-            PRIVACY_REQUEST_MANAGER,
-            VIEWER,
-            VIEWER_AND_PRIVACY_REQUEST_MANAGER,
-        ],
+        roles=[OWNER, APPROVER, VIEWER, VIEWER_AND_APPROVER, CONTRIBUTOR],
     )  # Intentionally adding all roles here so the client will always
     # have a role that matches a role on a token for testing
     db.add(client)
@@ -718,10 +713,10 @@ def _build_jwt(roles: List[str]) -> Dict[str, str]:
 
 
 @pytest.fixture
-def admin_client(db):
-    """Return a client with an "admin" role for authentication purposes."""
+def owner_client(db):
+    """Return a client with an "owner" role for authentication purposes."""
     client = ClientDetail(
-        hashed_secret="thisisatest", salt="thisisstillatest", scopes=[], roles=[ADMIN]
+        hashed_secret="thisisatest", salt="thisisstillatest", scopes=[], roles=[OWNER]
     )
     db.add(client)
     db.commit()
@@ -744,11 +739,11 @@ def viewer_client(db):
 
 
 @pytest.fixture
-def admin_user(db):
+def owner_user(db):
     user = FidesUser.create(
         db=db,
         data={
-            "username": "test_fides_admin_user",
+            "username": "test_fides_owner_user",
             "password": "TESTdcnG@wzJeu0&%3Qe2fGo7",
         },
     )
@@ -756,12 +751,12 @@ def admin_user(db):
         hashed_secret="thisisatest",
         salt="thisisstillatest",
         scopes=[],
-        roles=[ADMIN],
+        roles=[OWNER],
         user_id=user.id,
     )
 
     FidesUserPermissions.create(
-        db=db, data={"user_id": user.id, "scopes": [], "roles": [ADMIN]}
+        db=db, data={"user_id": user.id, "scopes": [], "roles": [OWNER]}
     )
 
     db.add(client)
diff --git a/tests/ctl/cli/test_cli.py b/tests/ctl/cli/test_cli.py
index 35fce30e08..5de3f9841e 100644
--- a/tests/ctl/cli/test_cli.py
+++ b/tests/ctl/cli/test_cli.py
@@ -14,7 +14,7 @@
 from fides.core.config import CONFIG
 from fides.core.user import get_user_permissions
 from fides.core.utils import get_auth_header, read_credentials_file
-from fides.lib.oauth.roles import ADMIN
+from fides.lib.oauth.roles import OWNER
 
 OKTA_URL = "https://dev-78908748.okta.com"
 
@@ -951,7 +951,7 @@ def test_user_create(
             credentials.user_id, get_auth_header(), CONFIG.cli.server_url
         )
         assert scopes == SCOPE_REGISTRY
-        assert roles == [ADMIN]
+        assert roles == [OWNER]
 
     @pytest.mark.unit
     def test_user_permissions_valid(
@@ -992,7 +992,7 @@ def test_get_user_permissions(
             CONFIG.cli.server_url,
         )
         assert scopes == SCOPE_REGISTRY
-        assert roles == [ADMIN]
+        assert roles == [OWNER]
 
     @pytest.mark.unit
     def test_user_permissions_not_found(
diff --git a/tests/fixtures/application_fixtures.py b/tests/fixtures/application_fixtures.py
index 50cf8d2bab..529dfb8127 100644
--- a/tests/fixtures/application_fixtures.py
+++ b/tests/fixtures/application_fixtures.py
@@ -71,7 +71,7 @@
 from fides.lib.models.client import ClientDetail
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
-from fides.lib.oauth.roles import ADMIN, VIEWER
+from fides.lib.oauth.roles import OWNER, VIEWER
 
 logging.getLogger("faker").setLevel(logging.ERROR)
 # disable verbose faker logging
@@ -1628,59 +1628,3 @@ def system(db: Session) -> System:
         },
     )
     return system
-
-
-@pytest.fixture
-def admin_user(db):
-    user = FidesUser.create(
-        db=db,
-        data={
-            "username": "test_fides_admin_user",
-            "password": "TESTdcnG@wzJeu0&%3Qe2fGo7",
-        },
-    )
-    client = ClientDetail(
-        hashed_secret="thisisatest",
-        salt="thisisstillatest",
-        scopes=[],
-        roles=[ADMIN],
-        user_id=user.id,
-    )
-
-    FidesUserPermissions.create(
-        db=db, data={"user_id": user.id, "scopes": [], "roles": [ADMIN]}
-    )
-
-    db.add(client)
-    db.commit()
-    db.refresh(client)
-    yield user
-    user.delete(db)
-
-
-@pytest.fixture
-def viewer_user(db):
-    user = FidesUser.create(
-        db=db,
-        data={
-            "username": "test_fides_viewer_user",
-            "password": "TESTdcnG@wzJeu0&%3Qe2fGo7",
-        },
-    )
-    client = ClientDetail(
-        hashed_secret="thisisatest",
-        salt="thisisstillatest",
-        scopes=[],
-        roles=[VIEWER],
-        user_id=user.id,
-    )
-
-    FidesUserPermissions.create(
-        db=db, data={"user_id": user.id, "scopes": [], "roles": [VIEWER]}
-    )
-
-    db.add(client)
-    db.commit()
-    db.refresh(client)
-    yield user
-    user.delete(db)
diff --git a/tests/lib/test_client_model.py b/tests/lib/test_client_model.py
index 39f7b65e29..f2bfb10026 100644
--- a/tests/lib/test_client_model.py
+++ b/tests/lib/test_client_model.py
@@ -18,7 +18,7 @@
 )
 from fides.lib.models.client import ClientDetail, _get_root_client_detail
 from fides.lib.oauth.oauth_util import extract_payload
-from fides.lib.oauth.roles import ADMIN, VIEWER
+from fides.lib.oauth.roles import OWNER, VIEWER
 
 
 def test_create_client_and_secret(db, config):
@@ -133,23 +133,23 @@ def test_get_client_with_scopes(db, oauth_client, config):
     assert oauth_client.hashed_secret == "thisisatest"
 
 
-def test_get_client_with_roles(db, admin_client, config):
-    client = ClientDetail.get(db, object_id=admin_client.id, config=config)
+def test_get_client_with_roles(db, owner_client, config):
+    client = ClientDetail.get(db, object_id=owner_client.id, config=config)
     assert client
-    assert client.id == admin_client.id
+    assert client.id == owner_client.id
     assert client.scopes == []
-    assert client.roles == [ADMIN]
-    assert admin_client.hashed_secret == "thisisatest"
+    assert client.roles == [OWNER]
+    assert owner_client.hashed_secret == "thisisatest"
 
 
 def test_get_client_root_client(db, config):
     client = ClientDetail.get(
-        db, object_id="fidesadmin", config=config, scopes=SCOPE_REGISTRY, roles=[ADMIN]
+        db, object_id="fidesadmin", config=config, scopes=SCOPE_REGISTRY, roles=[OWNER]
     )
     assert client
     assert client.id == config.security.oauth_root_client_id
     assert client.scopes == SCOPE_REGISTRY
-    assert client.roles == [ADMIN]
+    assert client.roles == [OWNER]
 
 
 def test_get_root_client_no_scopes(db, config):
@@ -191,16 +191,16 @@ def test_client_create_access_code_jwe(oauth_client, config):
     assert token_data[JWE_PAYLOAD_ROLES] == []
 
 
-def test_client_create_access_code_jwe_admin_client(admin_client, config):
+def test_client_create_access_code_jwe_owner_client(owner_client, config):
 
-    jwe = admin_client.create_access_code_jwe(config.security.app_encryption_key)
+    jwe = owner_client.create_access_code_jwe(config.security.app_encryption_key)
 
     token_data = json.loads(extract_payload(jwe, config.security.app_encryption_key))
 
-    assert token_data[JWE_PAYLOAD_CLIENT_ID] == admin_client.id
+    assert token_data[JWE_PAYLOAD_CLIENT_ID] == owner_client.id
     assert token_data[JWE_PAYLOAD_SCOPES] == []
     assert token_data[JWE_ISSUED_AT] is not None
-    assert token_data[JWE_PAYLOAD_ROLES] == [ADMIN]
+    assert token_data[JWE_PAYLOAD_ROLES] == [OWNER]
 
 
 def test_client_create_access_code_jwe_viewer_client(viewer_client, config):
diff --git a/tests/lib/test_oauth_util.py b/tests/lib/test_oauth_util.py
index f75fd7cb0d..2ae02b4df0 100644
--- a/tests/lib/test_oauth_util.py
+++ b/tests/lib/test_oauth_util.py
@@ -9,7 +9,9 @@
 from fides.api.ops.api.v1.scope_registry import (
     DATASET_CREATE_OR_UPDATE,
     PRIVACY_REQUEST_READ,
+    SCOPE_REGISTRY,
     USER_DELETE,
+    USER_PERMISSION_READ,
     USER_READ,
 )
 from fides.api.ops.util.oauth_util import (
@@ -29,7 +31,15 @@
 from fides.lib.exceptions import AuthorizationError
 from fides.lib.oauth.jwt import generate_jwe
 from fides.lib.oauth.oauth_util import extract_payload, is_token_expired
-from fides.lib.oauth.roles import ADMIN, VIEWER
+from fides.lib.oauth.roles import (
+    APPROVER,
+    CONTRIBUTOR,
+    OWNER,
+    ROLES_TO_SCOPES_MAPPING,
+    VIEWER,
+    VIEWER_AND_APPROVER,
+    not_contributor_scopes,
+)
 
 
 @pytest.fixture
@@ -205,11 +215,11 @@ async def test_token_does_not_have_roles(self, db, config, user):
         )
         assert client == user.client
 
-    async def test_verify_oauth_client_roles(self, db, config, admin_user):
+    async def test_verify_oauth_client_roles(self, db, config, owner_user):
         """Test token has the correct role and the client also has the matching role"""
         payload = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
-            JWE_PAYLOAD_CLIENT_ID: admin_user.client.id,
+            JWE_PAYLOAD_ROLES: [OWNER],
+            JWE_PAYLOAD_CLIENT_ID: owner_user.client.id,
             JWE_ISSUED_AT: datetime.now().isoformat(),
         }
         token = generate_jwe(
@@ -221,12 +231,12 @@ async def test_verify_oauth_client_roles(self, db, config, admin_user):
             token,
             db=db,
         )
-        assert client == admin_user.client
+        assert client == owner_user.client
 
     async def test_no_roles_on_client(self, db, config, user):
         """Test token has the correct role but that role is not on the client"""
         payload = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
+            JWE_PAYLOAD_ROLES: [OWNER],
             JWE_PAYLOAD_CLIENT_ID: user.client.id,
             JWE_ISSUED_AT: datetime.now().isoformat(),
         }
@@ -244,7 +254,7 @@ async def test_no_roles_on_client(self, db, config, user):
     async def test_no_roles_on_client_but_has_scopes_coverage(self, db, config, user):
         """Test roles on token are outdated but token still has scopes coverage"""
         payload = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
+            JWE_PAYLOAD_ROLES: [OWNER],
             JWE_PAYLOAD_CLIENT_ID: user.client.id,
             JWE_ISSUED_AT: datetime.now().isoformat(),
             JWE_PAYLOAD_SCOPES: [USER_READ],
@@ -366,7 +376,7 @@ def test_inadequate_roles(self, viewer_client):
 
     def test_has_adequate_role_but_client_outdated(self, viewer_client):
         token_data = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
+            JWE_PAYLOAD_ROLES: [OWNER],
         }
         assert not _has_scope_via_role(
             token_data=token_data,
@@ -374,13 +384,13 @@ def test_has_adequate_role_but_client_outdated(self, viewer_client):
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
 
-    def test_has_adequate_role_and_token_valid(self, admin_client):
+    def test_has_adequate_role_and_token_valid(self, owner_client):
         token_data = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
+            JWE_PAYLOAD_ROLES: [OWNER],
         }
         assert _has_scope_via_role(
             token_data=token_data,
-            client=admin_client,
+            client=owner_client,
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
 
@@ -414,31 +424,31 @@ def test_has_direct_scope(self, oauth_client):
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
 
-    def test_has_scope_via_role(self, admin_client):
+    def test_has_scope_via_role(self, owner_client):
         token_data = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
+            JWE_PAYLOAD_ROLES: [OWNER],
         }
         assert not _has_direct_scopes(
             token_data,
-            admin_client,
+            owner_client,
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
         assert _has_scope_via_role(
             token_data,
-            admin_client,
+            owner_client,
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
 
         assert has_permissions(
             token_data,
-            admin_client,
+            owner_client,
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
 
     async def test_has_scope_directly_and_via_role(self):
         root_client = await get_root_client()
         token_data = {
-            JWE_PAYLOAD_ROLES: [ADMIN],
+            JWE_PAYLOAD_ROLES: [OWNER],
             JWE_PAYLOAD_SCOPES: [DATASET_CREATE_OR_UPDATE, USER_READ],
         }
         assert _has_direct_scopes(
@@ -480,3 +490,25 @@ async def test_has_no_direct_scopes_or_via_role(self):
             root_client,
             endpoint_scopes=SecurityScopes([DATASET_CREATE_OR_UPDATE]),
         )
+
+
+class TestRolesToScopesMapping:
+    def test_contributor_role(self):
+        for scope in not_contributor_scopes:  # Sanity check
+            assert not scope in ROLES_TO_SCOPES_MAPPING[CONTRIBUTOR]
+
+    def test_owner_role(self):
+        assert set(SCOPE_REGISTRY) == set(ROLES_TO_SCOPES_MAPPING[OWNER])
+
+    def test_viewer_role(self):
+        assert USER_PERMISSION_READ not in ROLES_TO_SCOPES_MAPPING[VIEWER]
+        for scope in ROLES_TO_SCOPES_MAPPING[VIEWER]:
+            assert not "create" in scope
+            assert not "update" in scope
+            assert not "delete" in scope
+
+    def test_approver_roles(self):
+        approver_scopes = set(ROLES_TO_SCOPES_MAPPING[APPROVER])
+        viewer_and_approver_scopes = set(ROLES_TO_SCOPES_MAPPING[VIEWER_AND_APPROVER])
+        assert approver_scopes.issubset(viewer_and_approver_scopes)
+        assert not viewer_and_approver_scopes.issubset(approver_scopes)
diff --git a/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py b/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py
index 57345a30f4..7ceed4f84b 100644
--- a/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py
@@ -33,7 +33,7 @@
 from fides.api.ops.schemas.messaging.messaging import MessagingActionType
 from fides.api.ops.schemas.redis_cache import Identity
 from fides.lib.models.client import ClientDetail
-from fides.lib.oauth.roles import ADMIN, PRIVACY_REQUEST_MANAGER, VIEWER
+from fides.lib.oauth.roles import APPROVER, OWNER, VIEWER
 from tests.fixtures.application_fixtures import integration_secrets
 
 page_size = Params().size
@@ -90,17 +90,17 @@ def test_patch_connections_viewer_role(
         response = api_client.patch(url, headers=auth_header, json=payload)
         assert 403 == response.status_code
 
-    def test_patch_connections_privacy_request_manager_role(
+    def test_patch_connections_approver_role(
         self, api_client: TestClient, generate_role_header, url, payload
     ) -> None:
-        auth_header = generate_role_header(roles=[PRIVACY_REQUEST_MANAGER])
+        auth_header = generate_role_header(roles=[APPROVER])
         response = api_client.patch(url, headers=auth_header, json=payload)
         assert 403 == response.status_code
 
-    def test_patch_connection_admin_role(
+    def test_patch_connection_owner_role(
         self, url, api_client, db: Session, generate_role_header
     ):
-        auth_header = generate_role_header(roles=[ADMIN])
+        auth_header = generate_role_header(roles=[OWNER])
         payload = [
             {
                 "name": "My Post-Execution Webhook",
diff --git a/tests/ops/api/v1/endpoints/test_oauth_endpoints.py b/tests/ops/api/v1/endpoints/test_oauth_endpoints.py
index d69e9d4f39..dc815b4987 100644
--- a/tests/ops/api/v1/endpoints/test_oauth_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_oauth_endpoints.py
@@ -37,7 +37,7 @@
 from fides.lib.models.client import ClientDetail
 from fides.lib.oauth.jwt import generate_jwe
 from fides.lib.oauth.oauth_util import extract_payload
-from fides.lib.oauth.roles import ADMIN
+from fides.lib.oauth.roles import OWNER
 
 
 class TestCreateClient:
@@ -432,7 +432,7 @@ def test_get_access_token_root_client(self, url, api_client):
         assert data["client_id"] == extracted_token[JWE_PAYLOAD_CLIENT_ID]
         assert extracted_token[JWE_PAYLOAD_SCOPES] == SCOPE_REGISTRY
 
-        assert extracted_token[JWE_PAYLOAD_ROLES] == [ADMIN]
+        assert extracted_token[JWE_PAYLOAD_ROLES] == [OWNER]
 
     def test_get_access_token(self, db, url, api_client):
         new_client, secret = ClientDetail.create_client_and_secret(
@@ -567,10 +567,11 @@ def test_get_role_scope_mapping(
         response_body = json.loads(response.text)
 
         assert 200 == response.status_code
-        assert set(response_body["admin"]) == set(SCOPE_REGISTRY)
+        assert set(response_body["owner"]) == set(SCOPE_REGISTRY)
         assert set(response_body.keys()) == {
-            "admin",
-            "viewer_and_privacy_request_manager",
-            "privacy_request_manager",
+            "owner",
+            "viewer_and_approver",
+            "approver",
             "viewer",
+            "contributor",
         }
diff --git a/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py b/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py
index bec5b99f2c..611d651156 100644
--- a/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py
@@ -92,7 +92,7 @@
 from fides.lib.models.audit_log import AuditLog, AuditLogAction
 from fides.lib.models.client import ClientDetail
 from fides.lib.oauth.jwt import generate_jwe
-from fides.lib.oauth.roles import PRIVACY_REQUEST_MANAGER, VIEWER
+from fides.lib.oauth.roles import APPROVER, VIEWER
 
 page_size = Params().size
 
@@ -592,10 +592,10 @@ def test_get_privacy_requests_wrong_scope(
         response = api_client.get(url, headers=auth_header)
         assert 403 == response.status_code
 
-    def test_get_privacy_requests_privacy_request_manager_role(
+    def test_get_privacy_requests_approver_role(
         self, api_client: TestClient, generate_role_header, url
     ):
-        auth_header = generate_role_header(roles=[PRIVACY_REQUEST_MANAGER])
+        auth_header = generate_role_header(roles=[APPROVER])
         response = api_client.get(url, headers=auth_header)
         assert 200 == response.status_code
 
@@ -1827,13 +1827,13 @@ def test_approve_privacy_request_viewer_role(
     @mock.patch(
         "fides.api.ops.service.privacy_request.request_runner_service.run_privacy_request.delay"
     )
-    def test_approve_privacy_request_privacy_request_manager_role(
+    def test_approve_privacy_request_approver_role(
         self, _, url, api_client, generate_role_header, privacy_request, db
     ):
         privacy_request.status = PrivacyRequestStatus.pending
         privacy_request.save(db=db)
 
-        auth_header = generate_role_header(roles=[PRIVACY_REQUEST_MANAGER])
+        auth_header = generate_role_header(roles=[APPROVER])
         body = {"request_ids": [privacy_request.id]}
         response = api_client.patch(url, headers=auth_header, json=body)
         assert response.status_code == 200
diff --git a/tests/ops/api/v1/endpoints/test_user_endpoints.py b/tests/ops/api/v1/endpoints/test_user_endpoints.py
index 82f3918c05..cdc5c5044d 100644
--- a/tests/ops/api/v1/endpoints/test_user_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_user_endpoints.py
@@ -44,7 +44,7 @@
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
 from fides.lib.oauth.jwt import generate_jwe
 from fides.lib.oauth.oauth_util import extract_payload
-from fides.lib.oauth.roles import ADMIN, VIEWER
+from fides.lib.oauth.roles import OWNER, VIEWER
 from tests.conftest import generate_auth_header_for_user
 
 page_size = Params().size
@@ -437,8 +437,8 @@ def test_delete_user_as_root(self, api_client, db, user):
         assert permissions_search is None
 
         # Admin client who made the request is not deleted
-        admin_client_search = ClientDetail.get_by(db, field="id", value=user.client.id)
-        assert admin_client_search is not None
+        owner_client_search = ClientDetail.get_by(db, field="id", value=user.client.id)
+        assert owner_client_search is not None
 
 
 class TestGetUsers:
@@ -1007,17 +1007,17 @@ def test_login_uses_existing_client_with_scopes(self, db, url, user, api_client)
         assert "user_data" in list(response.json().keys())
         assert response.json()["user_data"]["id"] == user.id
 
-    def test_login_uses_existing_client_with_roles(self, url, admin_user, api_client):
+    def test_login_uses_existing_client_with_roles(self, url, owner_user, api_client):
         body = {
-            "username": admin_user.username,
+            "username": owner_user.username,
             "password": str_to_b64_str("TESTdcnG@wzJeu0&%3Qe2fGo7"),
         }
 
-        existing_client_id = admin_user.client.id
+        existing_client_id = owner_user.client.id
         response = api_client.post(url, headers={}, json=body)
         assert response.status_code == HTTP_200_OK
 
-        assert admin_user.client is not None
+        assert owner_user.client is not None
         assert "token_data" in list(response.json().keys())
         token = response.json()["token_data"]["access_token"]
         token_data = json.loads(
@@ -1025,10 +1025,10 @@ def test_login_uses_existing_client_with_roles(self, url, admin_user, api_client
         )
         assert token_data["client-id"] == existing_client_id
         assert token_data["scopes"] == []
-        assert token_data["roles"] == [ADMIN]  # Uses roles on existing client
+        assert token_data["roles"] == [OWNER]  # Uses roles on existing client
 
         assert "user_data" in list(response.json().keys())
-        assert response.json()["user_data"]["id"] == admin_user.id
+        assert response.json()["user_data"]["id"] == owner_user.id
 
     def test_login_as_root_user(self, api_client, url):
         body = {
@@ -1046,7 +1046,7 @@ def test_login_as_root_user(self, api_client, url):
         )
         assert token_data["client-id"] == CONFIG.security.oauth_root_client_id
         assert token_data["scopes"] == SCOPE_REGISTRY  # Uses all scopes
-        assert token_data["roles"] == [ADMIN]  # Uses admin role
+        assert token_data["roles"] == [OWNER]  # Uses owner role
 
         assert "user_data" in list(response.json().keys())
         data = response.json()["user_data"]
diff --git a/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py b/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py
index 470f8745bc..39ab61a222 100644
--- a/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py
@@ -23,7 +23,7 @@
 from fides.lib.models.client import ClientDetail
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
-from fides.lib.oauth.roles import ADMIN, VIEWER
+from fides.lib.oauth.roles import OWNER, VIEWER
 from tests.conftest import generate_auth_header_for_user, generate_role_header_for_user
 
 
@@ -198,7 +198,7 @@ def test_create_roles_on_permission_object_and_client(
         db.add(client)
         db.commit()
 
-        body = {"user_id": user.id, "roles": [ADMIN]}
+        body = {"user_id": user.id, "roles": [OWNER]}
         response = api_client.post(
             f"{V1_URL_PREFIX}/user/{user.id}/permission", headers=auth_header, json=body
         )
@@ -207,9 +207,9 @@ def test_create_roles_on_permission_object_and_client(
         assert HTTP_201_CREATED == response.status_code
         assert response_body["id"] == permissions.id
         assert permissions.scopes == []
-        assert permissions.roles == [ADMIN]
+        assert permissions.roles == [OWNER]
         db.refresh(client)
-        assert client.roles == [ADMIN]
+        assert client.roles == [OWNER]
         user.delete(db)
 
 
@@ -406,7 +406,7 @@ def test_edit_user_roles(self, db, api_client, generate_auth_header) -> None:
             user_id=user.id,
         )
 
-        body = {"id": permissions.id, "roles": [ADMIN]}
+        body = {"id": permissions.id, "roles": [OWNER]}
         response = api_client.put(
             f"{V1_URL_PREFIX}/user/{user.id}/permission", headers=auth_header, json=body
         )
@@ -415,15 +415,15 @@ def test_edit_user_roles(self, db, api_client, generate_auth_header) -> None:
         assert (
             response_body["scopes"] == []
         ), "Scopes removed as they were not specified in the request"
-        assert response_body["roles"] == [ADMIN]
+        assert response_body["roles"] == [OWNER]
 
         client: ClientDetail = ClientDetail.get_by(db, field="user_id", value=user.id)
         assert client.scopes == []
-        assert client.roles == [ADMIN]
+        assert client.roles == [OWNER]
 
         db.refresh(permissions)
         assert permissions.scopes == []
-        assert permissions.roles == [ADMIN]
+        assert permissions.roles == [OWNER]
 
         user.delete(db)
 
@@ -574,7 +574,7 @@ def test_get_current_root_user_permissions(
         assert response_body["id"] == oauth_root_client.id
         assert response_body["user_id"] == oauth_root_client.id
         assert response_body["scopes"] == SCOPE_REGISTRY
-        assert response_body["roles"] == [ADMIN]
+        assert response_body["roles"] == [OWNER]
 
     def test_get_root_user_permissions_by_non_root_user(
         self, db, api_client, oauth_root_client, auth_user
@@ -650,12 +650,12 @@ def test_get_other_user_roles_as_viewer(
         )
         assert response.status_code == 403
 
-    def test_get_other_user_roles_as_admin(self, db, api_client, auth_user, admin_user):
+    def test_get_other_user_roles_as_owner(self, db, api_client, auth_user, owner_user):
         FidesUserPermissions.create(
             db=db, data={"user_id": auth_user.id, "roles": [VIEWER]}
         )
 
-        auth_header = generate_role_header_for_user(admin_user, roles=[ADMIN])
+        auth_header = generate_role_header_for_user(owner_user, roles=[OWNER])
 
         response = api_client.get(
             f"{V1_URL_PREFIX}/user/{auth_user.id}/permission",

From 2afc8b64cf46e1ee67fb78afb3bc4549a96a99e3 Mon Sep 17 00:00:00 2001
From: Dawn Pattison <pattisdr@users.noreply.github.com>
Date: Fri, 3 Mar 2023 15:06:51 -0600
Subject: [PATCH 13/16] Make Scopes Easier to Use in the UI (#2741)

Return the "total scopes" that the user has via their roles or that they were assigned directly.
---
 CHANGELOG.md                                  |  1 +
 scripts/setup/user.py                         |  2 -
 .../ops/api/v1/endpoints/oauth_endpoints.py   |  4 +-
 src/fides/api/ops/api/v1/scope_registry.py    |  5 +-
 src/fides/api/ops/schemas/user_permission.py  | 41 +++++++-----
 .../lib/models/fides_user_permissions.py      | 13 ++++
 src/fides/lib/oauth/roles.py                  |  2 +-
 tests/conftest.py                             |  8 ++-
 tests/fixtures/application_fixtures.py        |  1 -
 .../test_user_permission_endpoints.py         | 51 +++++++++++++-
 .../models/test_fidesopsuserpermissions.py    | 67 ++++++++++++++++++-
 tests/ops/schemas/test_user_permission.py     |  7 +-
 12 files changed, 167 insertions(+), 35 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b452e1b1b..aebac88cd8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,7 @@ The types of changes are:
 * Redesigned the default/init config file to be auto-documented. Also updates the `fides init` logic and analytics consent logic [#2694](https://github.com/ethyca/fides/pull/2694)
 * Change how config creation/import is handled across the application [#2622](https://github.com/ethyca/fides/pull/2622)
 * Updates Roles->Scopes Mapping [#2744](https://github.com/ethyca/fides/pull/2744)
+* Return user scopes as an enum, as well as total scopes [#2741](https://github.com/ethyca/fides/pull/2741)
 
 ### Developer Experience
 
diff --git a/scripts/setup/user.py b/scripts/setup/user.py
index 30de0e55e6..56ec171275 100644
--- a/scripts/setup/user.py
+++ b/scripts/setup/user.py
@@ -4,9 +4,7 @@
 from loguru import logger
 
 from fides.api.ops.api.v1 import urn_registry as urls
-from fides.api.ops.api.v1.scope_registry import SCOPE_REGISTRY
 from fides.core.config import CONFIG
-from fides.lib.oauth.roles import OWNER
 
 from . import constants
 
diff --git a/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py b/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py
index 437a5f7987..d4409e9015 100644
--- a/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py
+++ b/src/fides/api/ops/api/v1/endpoints/oauth_endpoints.py
@@ -21,7 +21,7 @@
     CLIENT_UPDATE,
     SCOPE_READ,
     SCOPE_REGISTRY,
-    SCOPE_REGISTRY_ENUM,
+    ScopeRegistryEnum,
 )
 from fides.api.ops.api.v1.urn_registry import (
     CLIENT,
@@ -193,7 +193,7 @@ def set_client_scopes(
 @router.get(
     SCOPE,
     dependencies=[Security(verify_oauth_client, scopes=[SCOPE_READ])],
-    response_model=List[SCOPE_REGISTRY_ENUM],
+    response_model=List[ScopeRegistryEnum],
 )
 def read_scopes() -> List[str]:
     """Returns a list of all scopes available for assignment in the system"""
diff --git a/src/fides/api/ops/api/v1/scope_registry.py b/src/fides/api/ops/api/v1/scope_registry.py
index 22d65ec022..c75496f933 100644
--- a/src/fides/api/ops/api/v1/scope_registry.py
+++ b/src/fides/api/ops/api/v1/scope_registry.py
@@ -231,7 +231,8 @@
 
 SCOPE_REGISTRY = list(SCOPE_DOCS.keys())
 
-_SCOPE_REGISTRY_DICT = {key: key for key in SCOPE_REGISTRY}
 # mypy doesn't like taking the dictionary to generate the enum
 # https://github.com/python/mypy/issues/5317
-SCOPE_REGISTRY_ENUM = Enum("ScopeRegistry", _SCOPE_REGISTRY_DICT)  # type: ignore
+ScopeRegistryEnum = Enum(  # type: ignore[misc]
+    "ScopeRegistryEnum", {scope: scope for scope in SCOPE_REGISTRY}  # type: ignore
+)
diff --git a/src/fides/api/ops/schemas/user_permission.py b/src/fides/api/ops/schemas/user_permission.py
index d6126df15d..c9f30f12bb 100644
--- a/src/fides/api/ops/schemas/user_permission.py
+++ b/src/fides/api/ops/schemas/user_permission.py
@@ -1,12 +1,10 @@
 from typing import List, Optional
 
-from fastapi import HTTPException
 from pydantic import validator
-from starlette.status import HTTP_422_UNPROCESSABLE_ENTITY
 
-from fides.api.ops.api.v1.scope_registry import SCOPE_REGISTRY
+from fides.api.ops.api.v1.scope_registry import SCOPE_REGISTRY, ScopeRegistryEnum
 from fides.api.ops.schemas.base_class import BaseSchema
-from fides.lib.oauth.roles import RoleRegistry
+from fides.lib.oauth.roles import RoleRegistryEnum
 
 
 class UserPermissionsCreate(BaseSchema):
@@ -16,20 +14,8 @@ class UserPermissionsCreate(BaseSchema):
     but we also will continue to support the ability to be assigned specific individual scopes.
     """
 
-    scopes: List[str] = []
-    roles: List[RoleRegistry] = []
-
-    @validator("scopes")
-    @classmethod
-    def validate_scopes(cls, scopes: List[str]) -> List[str]:
-        """Validates that all incoming scopes are valid"""
-        diff = set(scopes).difference(set(SCOPE_REGISTRY))
-        if len(diff) > 0:
-            raise HTTPException(
-                status_code=HTTP_422_UNPROCESSABLE_ENTITY,
-                detail=f"Invalid Scope(s) {diff}. Scopes must be one of {SCOPE_REGISTRY}.",
-            )
-        return scopes
+    scopes: List[ScopeRegistryEnum] = []
+    roles: List[RoleRegistryEnum] = []
 
     class Config:
         """So roles are strings when we add to the db"""
@@ -50,3 +36,22 @@ class UserPermissionsResponse(UserPermissionsCreate):
 
     id: str
     user_id: str
+    scopes: List[ScopeRegistryEnum]
+    total_scopes: List[ScopeRegistryEnum]
+
+    class Config:
+        use_enum_values = True
+
+    @validator("scopes", pre=True)
+    def validate_obsolete_scopes(
+        cls, scopes: List[ScopeRegistryEnum]
+    ) -> List[ScopeRegistryEnum]:
+        """Filter out obsolete scopes if the scope registry has changed"""
+        return [scope for scope in scopes or [] if scope in SCOPE_REGISTRY]
+
+    @validator("total_scopes", pre=True)
+    def validate_obsolete_total_scopes(
+        cls, total_scopes: List[ScopeRegistryEnum]
+    ) -> List[ScopeRegistryEnum]:
+        """Filter out obsolete total scopes if the scope registry has changed"""
+        return [scope for scope in total_scopes or [] if scope in SCOPE_REGISTRY]
diff --git a/src/fides/lib/models/fides_user_permissions.py b/src/fides/lib/models/fides_user_permissions.py
index 8c37bcc9db..ba07c60060 100644
--- a/src/fides/lib/models/fides_user_permissions.py
+++ b/src/fides/lib/models/fides_user_permissions.py
@@ -1,8 +1,11 @@
+from typing import List
+
 from sqlalchemy import ARRAY, Column, ForeignKey, String
 from sqlalchemy.orm import backref, relationship
 
 from fides.lib.db.base_class import Base
 from fides.lib.models.fides_user import FidesUser
+from fides.lib.oauth.roles import ROLES_TO_SCOPES_MAPPING
 
 
 class FidesUserPermissions(Base):
@@ -15,3 +18,13 @@ class FidesUserPermissions(Base):
         FidesUser,
         backref=backref("permissions", cascade="all,delete", uselist=False),
     )
+
+    @property
+    def total_scopes(self) -> List[str]:
+        """Returns the total model-level scopes the user has, either 1) scopes they are assigned directly,
+        or 2) Roles they have via their scopes."""
+        all_scopes = self.scopes or []
+        for role in self.roles:
+            all_scopes += ROLES_TO_SCOPES_MAPPING.get(role, [])
+
+        return sorted(list(set(all_scopes)))
diff --git a/src/fides/lib/oauth/roles.py b/src/fides/lib/oauth/roles.py
index 1d3371540f..4a1daeff8a 100644
--- a/src/fides/lib/oauth/roles.py
+++ b/src/fides/lib/oauth/roles.py
@@ -39,7 +39,7 @@
 VIEWER_AND_APPROVER = "viewer_and_approver"
 
 
-class RoleRegistry(Enum):
+class RoleRegistryEnum(Enum):
     """Enum of available roles
 
     Owner - Full admin
diff --git a/tests/conftest.py b/tests/conftest.py
index ad5ed49dc2..c5e6ab258f 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -43,7 +43,13 @@
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
 from fides.lib.oauth.jwt import generate_jwe
-from fides.lib.oauth.roles import APPROVER, CONTRIBUTOR, VIEWER_AND_APPROVER
+from fides.lib.oauth.roles import (
+    APPROVER,
+    CONTRIBUTOR,
+    OWNER,
+    VIEWER,
+    VIEWER_AND_APPROVER,
+)
 from tests.fixtures.application_fixtures import *
 from tests.fixtures.bigquery_fixtures import *
 from tests.fixtures.email_fixtures import *
diff --git a/tests/fixtures/application_fixtures.py b/tests/fixtures/application_fixtures.py
index 529dfb8127..083f5f5cab 100644
--- a/tests/fixtures/application_fixtures.py
+++ b/tests/fixtures/application_fixtures.py
@@ -71,7 +71,6 @@
 from fides.lib.models.client import ClientDetail
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
-from fides.lib.oauth.roles import OWNER, VIEWER
 
 logging.getLogger("faker").setLevel(logging.ERROR)
 # disable verbose faker logging
diff --git a/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py b/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py
index 39ab61a222..6900301c53 100644
--- a/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_user_permission_endpoints.py
@@ -23,7 +23,7 @@
 from fides.lib.models.client import ClientDetail
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
-from fides.lib.oauth.roles import OWNER, VIEWER
+from fides.lib.oauth.roles import OWNER, ROLES_TO_SCOPES_MAPPING, VIEWER
 from tests.conftest import generate_auth_header_for_user, generate_role_header_for_user
 
 
@@ -61,7 +61,11 @@ def test_create_user_permissions_invalid_scope(
 
         response = api_client.post(url, headers=auth_header, json=body)
         assert HTTP_422_UNPROCESSABLE_ENTITY == response.status_code
-        assert "Invalid Scope(s) {'not a real scope'}" in response.json()["detail"]
+        assert response.json()["detail"][0]["loc"] == ["body", "scopes", 0]
+        assert (
+            "value is not a valid enumeration member"
+            in response.json()["detail"][0]["msg"]
+        )
         user.delete(db)
 
     def test_create_user_permissions_invalid_user_id(
@@ -248,7 +252,11 @@ def test_edit_user_permissions_invalid_scope(
             f"{V1_URL_PREFIX}/user/{user.id}/permission", headers=auth_header, json=body
         )
         assert HTTP_422_UNPROCESSABLE_ENTITY == response.status_code
-        assert "Invalid Scope(s) {'not a real scope'}" in response.json()["detail"]
+        assert response.json()["detail"][0]["loc"] == ["body", "scopes", 0]
+        assert (
+            "value is not a valid enumeration member"
+            in response.json()["detail"][0]["msg"]
+        )
         user.delete(db)
 
     def test_edit_user_permissions_invalid_user_id(
@@ -519,6 +527,37 @@ def test_get_user_permissions(
         assert response_body["user_id"] == user.id
         assert response_body["scopes"] == [PRIVACY_REQUEST_READ]
         assert response_body["roles"] == []
+        assert response_body["total_scopes"] == [PRIVACY_REQUEST_READ]
+
+    def test_get_user_permissions_outdated_scope(
+        self, db, api_client, user, auth_user, permissions
+    ) -> None:
+        user.permissions.scopes = [PRIVACY_REQUEST_READ, "OLD_DEPRECATED_SCOPE"]
+        user.permissions.save(db)
+
+        scopes = [USER_PERMISSION_READ]
+        ClientDetail.create_client_and_secret(
+            db,
+            CONFIG.security.oauth_client_id_length_bytes,
+            CONFIG.security.oauth_client_secret_length_bytes,
+            scopes=scopes,
+            user_id=auth_user.id,
+        )
+        auth_header = generate_auth_header_for_user(auth_user, scopes)
+
+        response = api_client.get(
+            f"{V1_URL_PREFIX}/user/{user.id}/permission",
+            headers=auth_header,
+        )
+        response_body = response.json()
+        assert HTTP_200_OK == response.status_code
+        assert response_body["id"] == permissions.id
+        assert response_body["user_id"] == user.id
+        assert response_body["scopes"] == [
+            PRIVACY_REQUEST_READ
+        ]  # Deprecated scope ignored
+        assert response_body["roles"] == []
+        assert response_body["total_scopes"] == [PRIVACY_REQUEST_READ]
 
     def test_get_user_with_no_permissions_as_root(
         self, db, api_client, auth_user, root_auth_header
@@ -534,6 +573,7 @@ def test_get_user_with_no_permissions_as_root(
         resp = response.json()
         assert resp["scopes"] == []
         assert resp["roles"] == []
+        assert resp["total_scopes"] == []
         assert resp["user_id"] == auth_user.id
 
     def test_get_current_user_permissions(self, db, api_client, auth_user) -> None:
@@ -560,6 +600,7 @@ def test_get_current_user_permissions(self, db, api_client, auth_user) -> None:
         assert response_body["id"] == permissions.id
         assert response_body["user_id"] == auth_user.id
         assert response_body["scopes"] == scopes
+        assert response_body["total_scopes"] == scopes
         assert response_body["roles"] == []
 
     def test_get_current_root_user_permissions(
@@ -575,6 +616,7 @@ def test_get_current_root_user_permissions(
         assert response_body["user_id"] == oauth_root_client.id
         assert response_body["scopes"] == SCOPE_REGISTRY
         assert response_body["roles"] == [OWNER]
+        assert response_body["total_scopes"] == sorted(SCOPE_REGISTRY)
 
     def test_get_root_user_permissions_by_non_root_user(
         self, db, api_client, oauth_root_client, auth_user
@@ -617,6 +659,7 @@ def test_get_own_user_roles(self, db, api_client, auth_user):
         assert resp["scopes"] == []
         assert resp["roles"] == [VIEWER]
         assert resp["user_id"] == auth_user.id
+        assert resp["total_scopes"] == sorted(ROLES_TO_SCOPES_MAPPING[VIEWER])
 
     def test_get_other_user_roles_as_root(
         self, db, api_client, auth_user, root_auth_header
@@ -634,6 +677,7 @@ def test_get_other_user_roles_as_root(
         assert resp["scopes"] == []
         assert resp["roles"] == [VIEWER]
         assert resp["user_id"] == auth_user.id
+        assert resp["total_scopes"] == sorted(ROLES_TO_SCOPES_MAPPING[VIEWER])
 
     def test_get_other_user_roles_as_viewer(
         self, db, api_client, auth_user, viewer_user
@@ -666,3 +710,4 @@ def test_get_other_user_roles_as_owner(self, db, api_client, auth_user, owner_us
         assert resp["scopes"] == []
         assert resp["roles"] == [VIEWER]
         assert resp["user_id"] == auth_user.id
+        assert resp["total_scopes"] == sorted(ROLES_TO_SCOPES_MAPPING[VIEWER])
diff --git a/tests/ops/models/test_fidesopsuserpermissions.py b/tests/ops/models/test_fidesopsuserpermissions.py
index 5371035e7f..24969f167a 100644
--- a/tests/ops/models/test_fidesopsuserpermissions.py
+++ b/tests/ops/models/test_fidesopsuserpermissions.py
@@ -1,9 +1,13 @@
 import pytest
 from sqlalchemy.orm import Session
 
-from fides.api.ops.api.v1.scope_registry import PRIVACY_REQUEST_READ
+from fides.api.ops.api.v1.scope_registry import (
+    PRIVACY_REQUEST_CREATE,
+    PRIVACY_REQUEST_READ,
+)
 from fides.lib.models.fides_user import FidesUser
 from fides.lib.models.fides_user_permissions import FidesUserPermissions
+from fides.lib.oauth.roles import ROLES_TO_SCOPES_MAPPING, VIEWER
 
 
 class TestFidesUserPermissions:
@@ -31,3 +35,64 @@ def test_create_user_permissions_bad_payload(self, db: Session) -> None:
                 db=db,
                 data={},
             )
+
+    def test_total_scopes(self, db):
+        user = FidesUser.create(
+            db=db,
+            data={"username": "user_1", "password": "test_password"},
+        )
+
+        permissions: FidesUserPermissions = FidesUserPermissions.create(
+            db=db,
+            data={
+                "user_id": user.id,
+                "scopes": [PRIVACY_REQUEST_CREATE],
+                "roles": [VIEWER],
+            },
+        )
+        assert permissions.scopes == [PRIVACY_REQUEST_CREATE]
+        assert len(permissions.total_scopes) == 1 + len(ROLES_TO_SCOPES_MAPPING[VIEWER])
+        assert PRIVACY_REQUEST_CREATE in permissions.total_scopes
+        user.delete(db)
+
+    def test_total_scopes_no_roles(self, db):
+        user = FidesUser.create(
+            db=db,
+            data={"username": "user_1", "password": "test_password"},
+        )
+
+        permissions: FidesUserPermissions = FidesUserPermissions.create(
+            db=db,
+            data={"user_id": user.id, "scopes": [PRIVACY_REQUEST_CREATE]},
+        )
+        assert permissions.scopes == [PRIVACY_REQUEST_CREATE]
+        assert permissions.total_scopes == [PRIVACY_REQUEST_CREATE]
+        user.delete(db)
+
+    def test_total_scopes_no_direct_scopes(self, db):
+        user = FidesUser.create(
+            db=db,
+            data={"username": "user_1", "password": "test_password"},
+        )
+
+        permissions: FidesUserPermissions = FidesUserPermissions.create(
+            db=db,
+            data={"user_id": user.id, "roles": [VIEWER]},
+        )
+        assert permissions.total_scopes == sorted(ROLES_TO_SCOPES_MAPPING[VIEWER])
+
+        user.delete(db)
+
+    def test_total_scopes_no_roles_or_direct_scopes(self, db):
+        user = FidesUser.create(
+            db=db,
+            data={"username": "user_1", "password": "test_password"},
+        )
+
+        permissions: FidesUserPermissions = FidesUserPermissions.create(
+            db=db,
+            data={"user_id": user.id},
+        )
+        assert permissions.total_scopes == []
+
+        user.delete(db)
diff --git a/tests/ops/schemas/test_user_permission.py b/tests/ops/schemas/test_user_permission.py
index a7ce4ae006..c497d81b9f 100644
--- a/tests/ops/schemas/test_user_permission.py
+++ b/tests/ops/schemas/test_user_permission.py
@@ -1,5 +1,6 @@
 import pytest
 from fastapi import HTTPException
+from pydantic import ValidationError
 from starlette.status import HTTP_422_UNPROCESSABLE_ENTITY
 
 from fides.api.ops.api.v1.scope_registry import USER_DELETE, USER_PERMISSION_CREATE
@@ -14,9 +15,7 @@ def test_scope_validation(self):
 
     def test_catch_invalid_scopes(self):
         invalid_scopes = ["not a real scope", "invalid scope here"]
-        with pytest.raises(HTTPException) as exc:
+        with pytest.raises(ValidationError) as exc:
             UserPermissionsCreate(scopes=invalid_scopes)
 
-        assert exc.value.status_code == HTTP_422_UNPROCESSABLE_ENTITY
-        assert invalid_scopes[0] in exc.value.detail
-        assert invalid_scopes[1] in exc.value.detail
+        assert len(exc.value.errors()) == 2

From 8b34c5346ce4f31c43d5781a16fc231ec2de63a4 Mon Sep 17 00:00:00 2001
From: SteveDMurphy <steven.d.murphy@gmail.com>
Date: Fri, 3 Mar 2023 22:14:05 +0000
Subject: [PATCH 14/16] add changelog item

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index aebac88cd8..56cfd6c1c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ The types of changes are:
 * Access and erasure support for Delighted [#2244](https://github.com/ethyca/fides/pull/2244)
 * Improve "Upload a new dataset YAML" [#1531](https://github.com/ethyca/fides/pull/2258)
 * Access and erasure support for Yotpo [#2708](https://github.com/ethyca/fides/pull/2708)
+* Allow SendGrid template usage [#2728](https://github.com/ethyca/fides/pull/2728)
 
 ### Changed
 

From 29b68dfeb89210618573ae59f411ccb7640b3e33 Mon Sep 17 00:00:00 2001
From: LKCSmith <99051851+LKCSmith@users.noreply.github.com>
Date: Sun, 5 Mar 2023 17:39:25 -0600
Subject: [PATCH 15/16] 2455/Configuration updates post-API (#2677)

Co-authored-by: Adam Sachs <adam@ethyca.com>
Co-authored-by: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
---
 .../cypress/e2e/privacy-requests.cy.ts        |  45 ++++++--
 .../messaging_configuration.json              |   7 ++
 clients/admin-ui/cypress/support/stubs.ts     |   4 +
 .../admin-ui/src/features/common/Layout.tsx   |  28 +++--
 .../MailgunEmailConfiguration.tsx             |  61 +++++-----
 .../configuration/MessagingConfiguration.tsx  |  65 ++++++-----
 .../configuration/S3StorageConfiguration.tsx  | 107 ++++++++++--------
 .../configuration/StorageConfiguration.tsx    |  28 +++--
 .../TwilioEmailConfiguration.tsx              |  63 ++++++-----
 .../configuration/TwilioSMS.tsx               |  35 +++---
 .../features/privacy-requests/constants.ts    |  11 ++
 .../privacy-requests.slice.ts                 |   8 +-
 .../src/features/privacy-requests/types.ts    |  48 ++++----
 .../src/pages/privacy-requests/configure.tsx  |  11 +-
 14 files changed, 319 insertions(+), 202 deletions(-)
 create mode 100644 clients/admin-ui/cypress/fixtures/privacy-requests/messaging_configuration.json

diff --git a/clients/admin-ui/cypress/e2e/privacy-requests.cy.ts b/clients/admin-ui/cypress/e2e/privacy-requests.cy.ts
index 6ea5c33d5f..8810b977d4 100644
--- a/clients/admin-ui/cypress/e2e/privacy-requests.cy.ts
+++ b/clients/admin-ui/cypress/e2e/privacy-requests.cy.ts
@@ -138,7 +138,7 @@ describe("Privacy Requests", () => {
       cy.getByTestId("option-local").click();
       cy.wait("@createConfigurationSettings").then((interception) => {
         const { body } = interception.request;
-        expect(body.fides.storage.active_default_storage_type).to.eql("local");
+        expect(body.storage.active_default_storage_type).to.eql("local");
       });
 
       cy.wait("@createStorage").then((interception) => {
@@ -146,25 +146,52 @@ describe("Privacy Requests", () => {
         expect(body.type).to.eql("local");
         expect(body.format).to.eql("json");
       });
-
-      cy.contains("Configure active storage type saved successfully");
-      cy.contains("Configure storage type details saved successfully");
     });
 
     it("Can configure S3 storage", () => {
       cy.getByTestId("option-s3").click();
       cy.wait("@createConfigurationSettings").then((interception) => {
         const { body } = interception.request;
-        expect(body.fides.storage.active_default_storage_type).to.eql("s3");
+        expect(body.storage.active_default_storage_type).to.eql("s3");
       });
       cy.wait("@getStorageDetails");
+    });
+  });
+
+  describe("Message Configuration", () => {
+    beforeEach(() => {
+      cy.visit("/privacy-requests/configure/messaging");
+    });
+
+    it("Can configure Mailgun email", () => {
+      cy.getByTestId("option-mailgun").click();
+      cy.getByTestId("input-domain").type("test-domain");
       cy.getByTestId("save-btn").click();
-      cy.wait("@createStorage").then((interception) => {
+      cy.wait("@createMessagingConfiguration").then((interception) => {
         const { body } = interception.request;
-        expect(body.type).to.eql("s3");
+        expect(body.service_type).to.eql("MAILGUN");
+        cy.contains(
+          "Mailgun email successfully updated. You can now enter your security key."
+        );
+      });
+    });
+
+    it("Can configure Twilio email", () => {
+      cy.getByTestId("option-twilio-email").click();
+      cy.getByTestId("input-email").type("test-email");
+      cy.getByTestId("save-btn").click();
+      cy.wait("@createMessagingConfiguration").then(() => {
+        cy.contains(
+          "Twilio email successfully updated. You can now enter your security key."
+        );
+      });
+    });
+
+    it("Can configure Twilio SMS", () => {
+      cy.getByTestId("option-twilio-sms").click();
+      cy.wait("@createMessagingConfiguration").then(() => {
+        cy.contains("Messaging provider saved successfully.");
       });
-      cy.contains("S3 storage credentials successfully updated.");
-      cy.contains("Configure active storage type saved successfully.");
     });
   });
 });
diff --git a/clients/admin-ui/cypress/fixtures/privacy-requests/messaging_configuration.json b/clients/admin-ui/cypress/fixtures/privacy-requests/messaging_configuration.json
new file mode 100644
index 0000000000..bc68c8d43d
--- /dev/null
+++ b/clients/admin-ui/cypress/fixtures/privacy-requests/messaging_configuration.json
@@ -0,0 +1,7 @@
+{
+    "details": {
+      "domain": "test-domain",
+        "is_eu_domain": "false"
+    },
+    "service_type": "MAILGUN"
+  }
diff --git a/clients/admin-ui/cypress/support/stubs.ts b/clients/admin-ui/cypress/support/stubs.ts
index 4dc4164831..e9dd66b991 100644
--- a/clients/admin-ui/cypress/support/stubs.ts
+++ b/clients/admin-ui/cypress/support/stubs.ts
@@ -85,6 +85,10 @@ export const stubPrivacyRequestsConfigurationCrud = () => {
   cy.intercept("PUT", "/api/v1/storage/default/*/secret", {
     fixture: "/privacy-requests/settings_configuration.json",
   }).as("createStorageSecrets");
+
+  cy.intercept("PUT", "/api/v1/messaging/default", {
+    fixture: "/privacy-requests/messaging_configuration.json",
+  }).as("createMessagingConfiguration");
 };
 
 export const CONNECTION_STRING =
diff --git a/clients/admin-ui/src/features/common/Layout.tsx b/clients/admin-ui/src/features/common/Layout.tsx
index 3f1da20560..353a96af32 100644
--- a/clients/admin-ui/src/features/common/Layout.tsx
+++ b/clients/admin-ui/src/features/common/Layout.tsx
@@ -24,14 +24,24 @@ const Layout = ({
 }) => {
   const features = useFeatures();
   const router = useRouter();
-  const { data: activeMessagingProvider } =
-    useGetActiveMessagingProviderQuery();
-  const { data: activeStorage } = useGetActiveStorageQuery();
-  const showConfigurationNotificationBanner =
-    (!activeStorage || !activeMessagingProvider) &&
-    features.flags.privacyRequestsConfiguration &&
-    (router.pathname === "/privacy-requests" ||
-      router.pathname === "/datastore-connection");
+  const isValidNotificationRoute =
+    router.pathname === "/privacy-requests" ||
+    router.pathname === "/datastore-connection";
+  const skip = !(
+    features.flags.privacyRequestsConfiguration && isValidNotificationRoute
+  );
+
+  const { data: activeMessagingProvider } = useGetActiveMessagingProviderQuery(
+    undefined,
+    { skip }
+  );
+
+  const { data: activeStorage } = useGetActiveStorageQuery(undefined, {
+    skip,
+  });
+
+  const showNotificationBanner =
+    (!activeMessagingProvider || !activeStorage) && isValidNotificationRoute;
 
   return (
     <div data-testid={title}>
@@ -50,7 +60,7 @@ const Layout = ({
               <NavSideBar />
             </Box>
             <Flex direction="column" flex={1} minWidth={0}>
-              {showConfigurationNotificationBanner ? (
+              {showNotificationBanner ? (
                 <ConfigurationNotificationBanner />
               ) : null}
               {children}
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx
index 72e61d747d..dfa52c4bbd 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx
@@ -5,6 +5,7 @@ import { useState } from "react";
 import { CustomTextInput } from "~/features/common/form/inputs";
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
+import { messagingProviders } from "~/features/privacy-requests/constants";
 import {
   useCreateMessagingConfigurationMutation,
   useCreateMessagingConfigurationSecretsMutation,
@@ -19,7 +20,7 @@ const MailgunEmailConfiguration = () => {
     useState<ConnectionStep>("");
   const { handleError } = useAPIHelper();
   const { data: messagingDetails } = useGetMessagingConfigurationDetailsQuery({
-    type: "mailgun",
+    type: messagingProviders.mailgun,
   });
   const [createMessagingConfiguration] =
     useCreateMessagingConfigurationMutation();
@@ -28,7 +29,7 @@ const MailgunEmailConfiguration = () => {
 
   const handleMailgunConfiguration = async (value: { domain: string }) => {
     const result = await createMessagingConfiguration({
-      type: "mailgun",
+      service_type: messagingProviders.mailgun,
       details: {
         is_eu_domain: "false",
         domain: value.domain,
@@ -49,7 +50,10 @@ const MailgunEmailConfiguration = () => {
     api_key: string;
   }) => {
     const result = await createMessagingConfigurationSecrets({
-      mailgun_api_key: value.api_key,
+      details: {
+        mailgun_api_key: value.api_key,
+      },
+      service_type: messagingProviders.mailgun,
     });
 
     if (isErrorResult(result)) {
@@ -64,7 +68,7 @@ const MailgunEmailConfiguration = () => {
   };
 
   const initialAPIKeyValue = {
-    api_key: messagingDetails?.key ?? "",
+    api_key: "",
   };
 
   return (
@@ -76,19 +80,22 @@ const MailgunEmailConfiguration = () => {
         <Formik
           initialValues={initialValues}
           onSubmit={handleMailgunConfiguration}
+          enableReinitialize
         >
-          {({ isSubmitting, resetForm }) => (
+          {({ isSubmitting, handleReset }) => (
             <Form>
               <Stack mt={5} spacing={5}>
                 <CustomTextInput
                   name="domain"
                   label="Domain"
                   placeholder="Enter domain"
+                  data-testid="option-twilio-domain"
+                  isRequired
                 />
               </Stack>
               <Box mt={10}>
                 <Button
-                  onClick={() => resetForm()}
+                  onClick={handleReset}
                   mr={2}
                   size="sm"
                   variant="outline"
@@ -112,7 +119,7 @@ const MailgunEmailConfiguration = () => {
       {configurationStep === "apiKey" ? (
         // TODO: configurationStep === "testConnection" will be set after https://github.com/ethyca/fides/issues/2237
         <>
-          <Divider />
+          <Divider mt={10} />
           <Heading fontSize="md" fontWeight="semibold" mt={10}>
             Security key
           </Heading>
@@ -121,31 +128,33 @@ const MailgunEmailConfiguration = () => {
               initialValues={initialAPIKeyValue}
               onSubmit={handleMailgunAPIKeyConfiguration}
             >
-              {({ isSubmitting, resetForm }) => (
+              {({ isSubmitting, handleReset }) => (
                 <Form>
                   <CustomTextInput
                     name="api_key"
                     label="API key"
-                    placeholder="Optional"
                     type="password"
+                    isRequired
                   />
-                  <Button
-                    onClick={() => resetForm()}
-                    mr={2}
-                    size="sm"
-                    variant="outline"
-                  >
-                    Cancel
-                  </Button>
-                  <Button
-                    isDisabled={isSubmitting}
-                    type="submit"
-                    colorScheme="primary"
-                    size="sm"
-                    data-testid="save-btn"
-                  >
-                    Save
-                  </Button>
+                  <Box mt={10}>
+                    <Button
+                      onClick={handleReset}
+                      mr={2}
+                      size="sm"
+                      variant="outline"
+                    >
+                      Cancel
+                    </Button>
+                    <Button
+                      isDisabled={isSubmitting}
+                      type="submit"
+                      colorScheme="primary"
+                      size="sm"
+                      data-testid="save-btn"
+                    >
+                      Save
+                    </Button>
+                  </Box>
                 </Form>
               )}
             </Formik>
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/MessagingConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/MessagingConfiguration.tsx
index 1a50d8f717..8b9259e51b 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/MessagingConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/MessagingConfiguration.tsx
@@ -10,14 +10,16 @@ import {
   Text,
 } from "@fidesui/react";
 import NextLink from "next/link";
-import { useState } from "react";
+import { useEffect, useState } from "react";
 
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
 import Layout from "~/features/common/Layout";
+import { messagingProviders } from "~/features/privacy-requests/constants";
 import {
   useCreateConfigurationSettingsMutation,
   useCreateMessagingConfigurationMutation,
+  useGetActiveMessagingProviderQuery,
 } from "~/features/privacy-requests/privacy-requests.slice";
 
 import MailgunEmailConfiguration from "./MailgunEmailConfiguration";
@@ -31,34 +33,41 @@ const MessagingConfiguration = () => {
   const [createMessagingConfiguration] =
     useCreateMessagingConfigurationMutation();
   const [saveActiveConfiguration] = useCreateConfigurationSettingsMutation();
+  const { data: activeMessagingProvider } =
+    useGetActiveMessagingProviderQuery();
+
+  useEffect(() => {
+    if (activeMessagingProvider) {
+      setMessagingValue(activeMessagingProvider?.service_type);
+    }
+  }, [activeMessagingProvider]);
 
   const handleChange = async (value: string) => {
     const result = await saveActiveConfiguration({
-      fides: {
-        notifications: {
-          notification_service_type: value,
-          send_request_completion_notification: true,
-          send_request_receipt_notification: true,
-          send_request_review_notification: true,
-          subject_identity_verification_required: true,
-        },
+      notifications: {
+        notification_service_type: value,
+        send_request_completion_notification: true,
+        send_request_receipt_notification: true,
+        send_request_review_notification: true,
+      },
+      execution: {
+        subject_identity_verification_required: true,
       },
     });
 
     if (isErrorResult(result)) {
       handleError(result.error);
-    } else if (value !== "twilio_text") {
-      successAlert(`Configured storage type successfully.`);
+    } else if (value !== messagingProviders.twilio_text) {
       setMessagingValue(value);
     } else {
       const twilioTextResult = await createMessagingConfiguration({
-        type: "twilio_text",
+        service_type: messagingProviders.twilio_text,
       });
 
       if (isErrorResult(twilioTextResult)) {
         handleError(twilioTextResult.error);
       } else {
-        successAlert(`Configure messaging provider saved successfully.`);
+        successAlert(`Messaging provider saved successfully.`);
         setMessagingValue(value);
       }
     }
@@ -118,36 +127,38 @@ const MessagingConfiguration = () => {
         >
           <Stack direction="row">
             <Radio
-              key="mailgun-email"
-              value="mailgun-email"
-              data-testid="option-mailgun-email"
+              key={messagingProviders.mailgun}
+              value={messagingProviders.mailgun}
+              data-testid="option-mailgun"
               mr={5}
             >
-              Mailgun email
+              Mailgun Email
             </Radio>
             <Radio
-              key="twilio-email"
-              value="twilio-email"
+              key={messagingProviders.twilio_email}
+              value={messagingProviders.twilio_email}
               data-testid="option-twilio-email"
             >
-              Twilio email
+              Twilio Email
             </Radio>
             <Radio
-              key="twilio-text"
-              value="twilio-text"
-              data-testid="option-twilio-text"
+              key={messagingProviders.twilio_text}
+              value={messagingProviders.twilio_text}
+              data-testid="option-twilio-sms"
             >
-              Twilio sms
+              Twilio SMS
             </Radio>
           </Stack>
         </RadioGroup>
-        {messagingValue === "mailgun-email" ? (
+        {messagingValue === messagingProviders.mailgun ? (
           <MailgunEmailConfiguration />
         ) : null}
-        {messagingValue === "twilio-email" ? (
+        {messagingValue === messagingProviders.twilio_email ? (
           <TwilioEmailConfiguration />
         ) : null}
-        {messagingValue === "twilio-text" ? <TwilioSMSConfiguration /> : null}
+        {messagingValue === messagingProviders.twilio_text ? (
+          <TwilioSMSConfiguration />
+        ) : null}
       </Box>
     </Layout>
   );
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/S3StorageConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/S3StorageConfiguration.tsx
index 1aa2083c15..6f71480d34 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/S3StorageConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/S3StorageConfiguration.tsx
@@ -1,31 +1,38 @@
-import { Button, Divider, Heading, Stack } from "@fidesui/react";
+import { Box, Button, Divider, Heading, Stack } from "@fidesui/react";
 import { Form, Formik } from "formik";
 import { useState } from "react";
 
 import { CustomSelect, CustomTextInput } from "~/features/common/form/inputs";
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
+import { storageTypes } from "~/features/privacy-requests/constants";
 import {
   useCreateStorageMutation,
   useCreateStorageSecretsMutation,
 } from "~/features/privacy-requests/privacy-requests.slice";
 
+interface SavedStorageDetails {
+  storageDetails: {
+    details: {
+      auth_method: string;
+      bucket: string;
+    };
+    format: string;
+  };
+}
 interface StorageDetails {
-  type: string;
-  details: {
+  storageDetails: {
     auth_method: string;
     bucket: string;
+    format: string;
   };
-  format: string;
 }
 interface SecretsStorageData {
   aws_access_key_id: string;
   aws_secret_access_key: string;
 }
 
-const S3StorageConfiguration = ({
-  storageDetails: { auth_method, bucket, format },
-}: any) => {
+const S3StorageConfiguration = ({ storageDetails }: SavedStorageDetails) => {
   const [authMethod, setAuthMethod] = useState("");
   const [saveStorageDetails] = useCreateStorageMutation();
   const [setStorageSecrets] = useCreateStorageSecretsMutation();
@@ -34,12 +41,10 @@ const S3StorageConfiguration = ({
   const { successAlert } = useAlert();
 
   const initialValues = {
-    type: "s3",
-    details: {
-      auth_method: auth_method ?? "",
-      bucket: bucket ?? "",
-    },
-    format: format ?? "",
+    type: storageTypes.s3,
+    auth_method: storageDetails?.details?.auth_method ?? "",
+    bucket: storageDetails?.details?.bucket ?? "",
+    format: storageDetails?.format ?? "",
   };
 
   const initialSecretValues = {
@@ -48,13 +53,13 @@ const S3StorageConfiguration = ({
   };
 
   const handleSubmitStorageConfiguration = async (
-    newValues: StorageDetails
+    newValues: StorageDetails["storageDetails"]
   ) => {
     const result = await saveStorageDetails({
-      type: "s3",
+      type: storageTypes.s3,
       details: {
-        auth_method: newValues.details.auth_method,
-        bucket: newValues.details.bucket,
+        auth_method: newValues.auth_method,
+        bucket: newValues.bucket,
       },
       format: newValues.format,
     });
@@ -62,15 +67,18 @@ const S3StorageConfiguration = ({
     if (isErrorResult(result)) {
       handleError(result.error);
     } else {
-      setAuthMethod(newValues.details.auth_method);
+      setAuthMethod(newValues.auth_method);
       successAlert(`S3 storage credentials successfully updated.`);
     }
   };
 
   const handleSubmitStorageSecrets = async (newValues: SecretsStorageData) => {
     const result = await setStorageSecrets({
-      aws_access_key_id: newValues.aws_access_key_id,
-      aws_secret_access_key: newValues.aws_secret_access_key,
+      details: {
+        aws_access_key_id: newValues.aws_access_key_id,
+        aws_secret_access_key: newValues.aws_secret_access_key,
+      },
+      type: storageTypes.s3,
     });
 
     if (isErrorResult(result)) {
@@ -89,8 +97,9 @@ const S3StorageConfiguration = ({
         <Formik
           initialValues={initialValues}
           onSubmit={handleSubmitStorageConfiguration}
+          enableReinitialize
         >
-          {({ isSubmitting, resetForm }) => (
+          {({ isSubmitting, handleReset }) => (
             <Form>
               <Stack mt={5} spacing={5}>
                 <CustomSelect
@@ -100,6 +109,8 @@ const S3StorageConfiguration = ({
                     { label: "json", value: "json" },
                     { label: "csv", value: "csv" },
                   ]}
+                  data-testid="format"
+                  isRequired
                 />
                 <CustomSelect
                   name="auth_method"
@@ -108,16 +119,19 @@ const S3StorageConfiguration = ({
                     { label: "secret_keys", value: "secret_keys" },
                     { label: "automatic", value: "automatic" },
                   ]}
+                  data-testid="auth_method"
+                  isRequired
                 />
                 <CustomTextInput
+                  data-testid="bucket"
                   name="bucket"
                   label="Bucket"
-                  placeholder="Optional"
+                  isRequired
                 />
               </Stack>
 
               <Button
-                onClick={() => resetForm()}
+                onClick={() => handleReset()}
                 mt={5}
                 mr={2}
                 size="sm"
@@ -145,45 +159,46 @@ const S3StorageConfiguration = ({
           <Heading fontSize="md" fontWeight="semibold" mt={5}>
             Storage destination
           </Heading>
-          Use the key returned in the last step to provide and authenticate your
-          storage destination’s secrets:
           <Stack>
             <Formik
               initialValues={initialSecretValues}
               onSubmit={handleSubmitStorageSecrets}
             >
-              {({ isSubmitting, resetForm }) => (
+              {({ isSubmitting, handleReset }) => (
                 <Form>
                   <Stack mt={5} spacing={5}>
                     <CustomTextInput
-                      name="aws_access_key_ID"
+                      name="aws_access_key_id"
                       label="AWS access key ID"
                     />
 
                     <CustomTextInput
                       name="aws_secret_access_key"
                       label="AWS secret access key"
+                      type="password"
                     />
                   </Stack>
-                  <Button
-                    onClick={() => resetForm()}
-                    mt={5}
-                    mr={2}
-                    size="sm"
-                    variant="outline"
-                  >
-                    Cancel
-                  </Button>
-                  <Button
-                    mt={5}
-                    isDisabled={isSubmitting}
-                    type="submit"
-                    colorScheme="primary"
-                    size="sm"
-                    data-testid="save-btn"
-                  >
-                    Save
-                  </Button>
+                  <Box mt={10}>
+                    <Button
+                      onClick={() => handleReset()}
+                      mt={5}
+                      mr={2}
+                      size="sm"
+                      variant="outline"
+                    >
+                      Cancel
+                    </Button>
+                    <Button
+                      mt={5}
+                      isDisabled={isSubmitting}
+                      type="submit"
+                      colorScheme="primary"
+                      size="sm"
+                      data-testid="save-btn"
+                    >
+                      Save
+                    </Button>
+                  </Box>
                 </Form>
               )}
             </Formik>
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/StorageConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/StorageConfiguration.tsx
index 49ed5bee75..0a3a2d75c6 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/StorageConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/StorageConfiguration.tsx
@@ -10,14 +10,16 @@ import {
   Text,
 } from "@fidesui/react";
 import NextLink from "next/link";
-import { useState } from "react";
+import { useEffect, useState } from "react";
 
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
 import Layout from "~/features/common/Layout";
+import { storageTypes } from "~/features/privacy-requests/constants";
 import {
   useCreateConfigurationSettingsMutation,
   useCreateStorageMutation,
+  useGetActiveStorageQuery,
   useGetStorageDetailsQuery,
 } from "~/features/privacy-requests/privacy-requests.slice";
 
@@ -27,37 +29,43 @@ const StorageConfiguration = () => {
   const { successAlert } = useAlert();
   const { handleError } = useAPIHelper();
   const [storageValue, setStorageValue] = useState("");
-  const [saveStorageType, { isLoading }] = useCreateStorageMutation();
-  const [saveActiveStorage] = useCreateConfigurationSettingsMutation();
+
+  const { data: activeStorage } = useGetActiveStorageQuery();
   const { data: storageDetails } = useGetStorageDetailsQuery({
     type: storageValue,
   });
+  const [saveStorageType, { isLoading }] = useCreateStorageMutation();
+  const [saveActiveStorage] = useCreateConfigurationSettingsMutation();
+
+  useEffect(() => {
+    if (activeStorage) {
+      setStorageValue(activeStorage.type);
+    }
+  }, [activeStorage]);
 
   const handleChange = async (value: string) => {
-    if (value === "local") {
+    if (value === storageTypes.local) {
       const storageDetailsResult = await saveStorageType({
         type: value,
+        details: {},
         format: "json",
       });
       if (isErrorResult(storageDetailsResult)) {
         handleError(storageDetailsResult.error);
       } else {
-        successAlert(`Configure storage type details saved successfully.`);
+        successAlert(`Configured storage details successfully.`);
       }
     }
 
     const activeStorageResults = await saveActiveStorage({
-      fides: {
-        storage: {
-          active_default_storage_type: value,
-        },
+      storage: {
+        active_default_storage_type: value,
       },
     });
 
     if (isErrorResult(activeStorageResults)) {
       handleError(activeStorageResults.error);
     } else {
-      successAlert(`Configure active storage type saved successfully.`);
       setStorageValue(value);
     }
   };
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx
index ce828e184c..94f3adb9e3 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx
@@ -5,6 +5,7 @@ import { useState } from "react";
 import { CustomTextInput } from "~/features/common/form/inputs";
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
+import { messagingProviders } from "~/features/privacy-requests/constants";
 import {
   useCreateMessagingConfigurationMutation,
   useCreateMessagingConfigurationSecretsMutation,
@@ -16,7 +17,7 @@ const TwilioEmailConfiguration = () => {
   const { successAlert } = useAlert();
   const { handleError } = useAPIHelper();
   const { data: messagingDetails } = useGetMessagingConfigurationDetailsQuery({
-    type: "twilio_email",
+    type: messagingProviders.twilio_email,
   });
   const [createMessagingConfiguration] =
     useCreateMessagingConfigurationMutation();
@@ -25,7 +26,7 @@ const TwilioEmailConfiguration = () => {
 
   const handleTwilioEmailConfiguration = async (value: { email: string }) => {
     const result = await createMessagingConfiguration({
-      type: "twilio_email",
+      service_type: messagingProviders.twilio_email,
       details: {
         twilio_email_from: value.email,
       },
@@ -45,7 +46,10 @@ const TwilioEmailConfiguration = () => {
     api_key: string;
   }) => {
     const result = await createMessagingConfigurationSecrets({
-      twilio_api_key: value.api_key,
+      details: {
+        twilio_api_key: value.api_key,
+      },
+      service_type: messagingProviders.twilio_email,
     });
 
     if (isErrorResult(result)) {
@@ -57,11 +61,11 @@ const TwilioEmailConfiguration = () => {
   };
 
   const initialValues = {
-    email: messagingDetails?.email ?? "",
+    email: messagingDetails?.details.twilio_email_from ?? "",
   };
 
   const initialAPIKeyValues = {
-    api_key: messagingDetails?.key ?? "",
+    api_key: "",
   };
 
   return (
@@ -73,19 +77,21 @@ const TwilioEmailConfiguration = () => {
         <Formik
           initialValues={initialValues}
           onSubmit={handleTwilioEmailConfiguration}
+          enableReinitialize
         >
-          {({ isSubmitting, resetForm }) => (
+          {({ isSubmitting, handleReset }) => (
             <Form>
               <Stack mt={5} spacing={5}>
                 <CustomTextInput
                   name="email"
                   label="Email"
                   placeholder="Enter email"
+                  isRequired
                 />
               </Stack>
               <Box mt={10}>
                 <Button
-                  onClick={() => resetForm()}
+                  onClick={() => handleReset()}
                   mr={2}
                   size="sm"
                   variant="outline"
@@ -108,7 +114,7 @@ const TwilioEmailConfiguration = () => {
       </Stack>
       {configurationStep === "configureTwilioEmailSecrets" ? (
         <>
-          <Divider />
+          <Divider mt={10} />
           <Heading fontSize="md" fontWeight="semibold" mt={10}>
             Security key
           </Heading>
@@ -117,32 +123,35 @@ const TwilioEmailConfiguration = () => {
               initialValues={initialAPIKeyValues}
               onSubmit={handleTwilioEmailConfigurationSecrets}
             >
-              {({ isSubmitting, resetForm }) => (
+              {({ isSubmitting, handleReset }) => (
                 <Form>
                   <Stack mt={5} spacing={5}>
                     <CustomTextInput
-                      name="api-key"
+                      name="api_key"
                       label="API key"
                       type="password"
+                      isRequired
                     />
                   </Stack>
-                  <Button
-                    onClick={() => resetForm()}
-                    mr={2}
-                    size="sm"
-                    variant="outline"
-                  >
-                    Cancel
-                  </Button>
-                  <Button
-                    isDisabled={isSubmitting}
-                    type="submit"
-                    colorScheme="primary"
-                    size="sm"
-                    data-testid="save-btn"
-                  >
-                    Save
-                  </Button>
+                  <Box mt={10}>
+                    <Button
+                      onClick={() => handleReset()}
+                      mr={2}
+                      size="sm"
+                      variant="outline"
+                    >
+                      Cancel
+                    </Button>
+                    <Button
+                      isDisabled={isSubmitting}
+                      type="submit"
+                      colorScheme="primary"
+                      size="sm"
+                      data-testid="save-btn"
+                    >
+                      Save
+                    </Button>
+                  </Box>
                 </Form>
               )}
             </Formik>
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx
index be088e52d8..97e5191380 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx
@@ -4,17 +4,12 @@ import { Form, Formik } from "formik";
 import { CustomTextInput } from "~/features/common/form/inputs";
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
-import {
-  useCreateMessagingConfigurationSecretsMutation,
-  useGetMessagingConfigurationDetailsQuery,
-} from "~/features/privacy-requests/privacy-requests.slice";
+import { messagingProviders } from "~/features/privacy-requests/constants";
+import { useCreateMessagingConfigurationSecretsMutation } from "~/features/privacy-requests/privacy-requests.slice";
 
 const TwilioSMSConfiguration = () => {
   const { successAlert } = useAlert();
   const { handleError } = useAPIHelper();
-  const { data: messagingDetails } = useGetMessagingConfigurationDetailsQuery({
-    type: "twilio_text",
-  });
   const [createMessagingConfigurationSecrets] =
     useCreateMessagingConfigurationSecretsMutation();
 
@@ -25,10 +20,13 @@ const TwilioSMSConfiguration = () => {
     phone: string;
   }) => {
     const result = await createMessagingConfigurationSecrets({
-      twilio_account_sid: value.account_sid,
-      twilio_auth_token: value.auth_token,
-      twilio_messaging_service_sid: value.messaging_service_sid,
-      twilio_sender_phone_number: value.phone,
+      details: {
+        twilio_account_sid: value.account_sid,
+        twilio_auth_token: value.auth_token,
+        twilio_messaging_service_sid: value.messaging_service_sid,
+        twilio_sender_phone_number: value.phone,
+      },
+      service_type: messagingProviders.twilio_text,
     });
 
     if (isErrorResult(result)) {
@@ -39,10 +37,10 @@ const TwilioSMSConfiguration = () => {
   };
 
   const initialValues = {
-    account_sid: messagingDetails?.twilio_account_sid ?? "",
-    auth_token: messagingDetails?.twilio_auth_token ?? "",
-    messaging_service_sid: messagingDetails?.twilio_messaging_service_sid ?? "",
-    phone: messagingDetails?.twilio_sender_phone_number ?? "",
+    account_sid: "",
+    auth_token: "",
+    messaging_service_sid: "",
+    phone: "",
   };
 
   return (
@@ -54,20 +52,23 @@ const TwilioSMSConfiguration = () => {
         <Formik
           initialValues={initialValues}
           onSubmit={handleTwilioTextConfigurationSecrets}
+          enableReinitialize
         >
-          {({ isSubmitting, resetForm }) => (
+          {({ isSubmitting, handleReset }) => (
             <Form>
               <Stack mt={5} spacing={5}>
                 <CustomTextInput
                   name="account_sid"
                   label="Account SID"
                   placeholder="Enter account SID"
+                  isRequired
                 />
                 <CustomTextInput
                   name="auth_token"
                   label="Auth token"
                   placeholder="Enter auth token"
                   type="password"
+                  isRequired
                 />
                 <CustomTextInput
                   name="messaging_service_sid"
@@ -82,7 +83,7 @@ const TwilioSMSConfiguration = () => {
               </Stack>
               <Box mt={10}>
                 <Button
-                  onClick={() => resetForm()}
+                  onClick={() => handleReset()}
                   mr={2}
                   size="sm"
                   variant="outline"
diff --git a/clients/admin-ui/src/features/privacy-requests/constants.ts b/clients/admin-ui/src/features/privacy-requests/constants.ts
index 7e2628bcf0..8f65cb2cdc 100644
--- a/clients/admin-ui/src/features/privacy-requests/constants.ts
+++ b/clients/admin-ui/src/features/privacy-requests/constants.ts
@@ -13,3 +13,14 @@ export const SubjectRequestStatusMap = new Map<string, string>([
   ["Unverified", "identity_unverified"],
   ["Requires input", "requires_input"],
 ]);
+
+export const messagingProviders = {
+  mailgun: "MAILGUN",
+  twilio_email: "TWILIO_EMAIL",
+  twilio_text: "TWILIO_TEXT",
+};
+
+export const storageTypes = {
+  local: "local",
+  s3: "s3",
+};
diff --git a/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts b/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts
index 99238bbc9e..d4b67a75dc 100644
--- a/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts
+++ b/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts
@@ -383,7 +383,7 @@ export const privacyRequestApi = createApi({
       query: (params) => ({
         url: `storage/default/${params.type}/secret`,
         method: "PUT",
-        body: params,
+        body: params.details,
       }),
     }),
     getActiveMessagingProvider: build.query<any, void>({
@@ -401,7 +401,7 @@ export const privacyRequestApi = createApi({
       ConfigMessagingDetailsRequest
     >({
       query: (params) => ({
-        url: `messaging/default/${params.type}`,
+        url: `messaging/default`,
         method: "PUT",
         body: params,
       }),
@@ -411,9 +411,9 @@ export const privacyRequestApi = createApi({
       ConfigMessagingSecretsRequest
     >({
       query: (params) => ({
-        url: `messaging/default/${params.type}/secret`,
+        url: `messaging/default/${params.service_type}/secret`,
         method: "PUT",
-        body: params,
+        body: params.details,
       }),
     }),
     uploadManualWebhookData: build.mutation<
diff --git a/clients/admin-ui/src/features/privacy-requests/types.ts b/clients/admin-ui/src/features/privacy-requests/types.ts
index 9379177f92..e787b9118e 100644
--- a/clients/admin-ui/src/features/privacy-requests/types.ts
+++ b/clients/admin-ui/src/features/privacy-requests/types.ts
@@ -112,27 +112,27 @@ export type RetryRequests = {
 };
 
 export interface MessagingConfigResponse {
-  fides: {
-    storage: {
-      active_default_storage_type: string;
-    };
+  storage: {
+    active_default_storage_type: string;
   };
 }
 
 export interface StorageConfigResponse {
-  fides: {
-    notifications: {
-      notification_service_type: string;
-      send_request_completion_notification: boolean;
-      send_request_receipt_notification: boolean;
-      send_request_review_notification: boolean;
-      subject_identity_verification_required: boolean;
-    };
+  notifications: {
+    notification_service_type: string;
+    send_request_completion_notification: boolean;
+    send_request_receipt_notification: boolean;
+    send_request_review_notification: boolean;
+  };
+  execution: {
+    subject_identity_verification_required: true;
   };
 }
 
 export interface ConfigStorageDetailsRequest {
   type: string;
+  auth_method?: string;
+  bucket?: string;
   details?: {
     auth_method?: string;
     bucket?: string;
@@ -143,8 +143,10 @@ export interface ConfigStorageDetailsRequest {
 
 export interface ConfigStorageSecretsDetailsRequest {
   type?: string;
-  aws_access_key_id: string;
-  aws_secret_access_key: string;
+  details?: {
+    aws_access_key_id: string;
+    aws_secret_access_key: string;
+  };
 }
 
 export interface ConfigMessagingRequest {
@@ -152,7 +154,7 @@ export interface ConfigMessagingRequest {
 }
 
 export interface ConfigMessagingDetailsRequest {
-  type: string;
+  service_type: string;
   details?: {
     is_eu_domain?: string;
     domain?: string;
@@ -161,11 +163,13 @@ export interface ConfigMessagingDetailsRequest {
 }
 
 export interface ConfigMessagingSecretsRequest {
-  type?: string;
-  mailgun_api_key?: string;
-  twilio_api_key?: string;
-  twilio_account_sid?: string;
-  twilio_auth_token?: string;
-  twilio_messaging_service_sid?: string;
-  twilio_sender_phone_number?: string;
+  service_type?: string;
+  details?: {
+    twilio_api_key?: string;
+    mailgun_api_key?: string;
+    twilio_account_sid?: string;
+    twilio_auth_token?: string;
+    twilio_messaging_service_sid?: string;
+    twilio_sender_phone_number?: string;
+  };
 }
diff --git a/clients/admin-ui/src/pages/privacy-requests/configure.tsx b/clients/admin-ui/src/pages/privacy-requests/configure.tsx
index 9a349670cb..50e86fe54e 100644
--- a/clients/admin-ui/src/pages/privacy-requests/configure.tsx
+++ b/clients/admin-ui/src/pages/privacy-requests/configure.tsx
@@ -41,16 +41,16 @@ const ConfigurePrivacyRequests: NextPage = () => (
           borderWidth="1px"
           rounded="md"
           borderColor="gray.300"
-          _hover={{ borderColor: "complimentary.500" }}
+          _hover={{ borderColor: "complimentary.500", cursor: "pointer" }}
           mr={5}
+          minHeight="100%"
         >
           <Heading mb={2} size="sm">
             Configure messaging provider
           </Heading>
-          Fides supports email (Mailgun & Twillio) and SMS (Twillio) server
+          Fides supports email (Mailgun & Twilio) and SMS (Twilio) server
           configurations for sending processing notices to privacy request
-          subjects. You&apos;ll need to set up config variables to send out
-          messages from Fides. Configure your settings here.
+          subjects. Configure your settings here.
         </LinkBox>
       </NextLink>
       <NextLink href="/privacy-requests/configure/storage" passHref>
@@ -59,7 +59,8 @@ const ConfigurePrivacyRequests: NextPage = () => (
           borderWidth="1px"
           rounded="md"
           borderColor="gray.300"
-          _hover={{ borderColor: "complimentary.500" }}
+          _hover={{ borderColor: "complimentary.500", cursor: "pointer" }}
+          minHeight="100%"
         >
           <Heading mb={2} size="sm">
             Configure storage

From 26e9091ed639a33519de17cdb84c514fb48aff25 Mon Sep 17 00:00:00 2001
From: LKCSmith <99051851+LKCSmith@users.noreply.github.com>
Date: Sun, 5 Mar 2023 22:32:08 -0600
Subject: [PATCH 16/16] 2237/Test connection button (#2727)

Co-authored-by: Adam Sachs <adam@ethyca.com>
Co-authored-by: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
---
 .../MailgunEmailConfiguration.tsx             |  12 +-
 .../TestMessagingProviderConnectionButton.tsx | 123 ++++++++++++++++++
 .../TwilioEmailConfiguration.tsx              |  12 +-
 .../configuration/TwilioSMS.tsx               |  18 ++-
 .../privacy-requests.slice.ts                 |   8 ++
 5 files changed, 168 insertions(+), 5 deletions(-)
 create mode 100644 clients/admin-ui/src/features/privacy-requests/configuration/TestMessagingProviderConnectionButton.tsx

diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx
index dfa52c4bbd..c42c97e018 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/MailgunEmailConfiguration.tsx
@@ -12,6 +12,8 @@ import {
   useGetMessagingConfigurationDetailsQuery,
 } from "~/features/privacy-requests/privacy-requests.slice";
 
+import TestMessagingProviderConnectionButton from "./TestMessagingProviderConnectionButton";
+
 type ConnectionStep = "" | "apiKey" | "testConnection";
 
 const MailgunEmailConfiguration = () => {
@@ -60,6 +62,7 @@ const MailgunEmailConfiguration = () => {
       handleError(result.error);
     } else {
       successAlert(`Mailgun security key successfully updated.`);
+      setConfigurationStep("testConnection");
     }
   };
 
@@ -116,8 +119,8 @@ const MailgunEmailConfiguration = () => {
           )}
         </Formik>
       </Stack>
-      {configurationStep === "apiKey" ? (
-        // TODO: configurationStep === "testConnection" will be set after https://github.com/ethyca/fides/issues/2237
+      {configurationStep === "apiKey" ||
+      configurationStep === "testConnection" ? (
         <>
           <Divider mt={10} />
           <Heading fontSize="md" fontWeight="semibold" mt={10}>
@@ -161,6 +164,11 @@ const MailgunEmailConfiguration = () => {
           </Stack>
         </>
       ) : null}
+      {configurationStep === "testConnection" ? (
+        <TestMessagingProviderConnectionButton
+          messagingDetails={messagingDetails}
+        />
+      ) : null}
     </Box>
   );
 };
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/TestMessagingProviderConnectionButton.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/TestMessagingProviderConnectionButton.tsx
new file mode 100644
index 0000000000..9ffcd39ee5
--- /dev/null
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/TestMessagingProviderConnectionButton.tsx
@@ -0,0 +1,123 @@
+import { Box, Button, Divider, Heading, Stack } from "@fidesui/react";
+import { Form, Formik } from "formik";
+
+import { CustomTextInput } from "~/features/common/form/inputs";
+import { isErrorResult } from "~/features/common/helpers";
+import { useAlert, useAPIHelper } from "~/features/common/hooks";
+import { messagingProviders } from "~/features/privacy-requests/constants";
+import { useCreateTestConnectionMessageMutation } from "~/features/privacy-requests/privacy-requests.slice";
+
+interface MessagingDetails {
+  messagingDetails: {
+    details: {
+      api_version: string;
+      domain: string;
+      is_eu_domain: boolean;
+    };
+    key: string;
+    name: string;
+    service_type: string;
+  };
+}
+const TestMessagingProviderConnectionButton = ({
+  messagingDetails,
+}: MessagingDetails) => {
+  const { successAlert } = useAlert();
+  const { handleError } = useAPIHelper();
+  const [createTestConnectionMessage] =
+    useCreateTestConnectionMessageMutation();
+
+  const emailProvider =
+    messagingDetails.service_type === messagingProviders.twilio_email ||
+    messagingDetails.service_type === messagingProviders.mailgun;
+
+  const SMSProvider =
+    messagingDetails.service_type === messagingProviders.twilio_text;
+
+  const initialValues = {
+    email: "",
+    phone: "",
+  };
+
+  const handleTestConnection = async (value: {
+    email: string;
+    phone: string;
+  }) => {
+    if (emailProvider) {
+      const result = await createTestConnectionMessage({
+        email: value.email,
+      });
+
+      if (isErrorResult(result)) {
+        handleError(result.error);
+      } else {
+        successAlert(`Test message successfully sent.`);
+      }
+    }
+    if (SMSProvider) {
+      const result = await createTestConnectionMessage({
+        phone_number: value.phone,
+      });
+
+      if (isErrorResult(result)) {
+        handleError(result.error);
+      } else {
+        successAlert(`Test message successfully sent.`);
+      }
+    }
+  };
+
+  return (
+    <>
+      <Divider mt={10} />
+      <Heading fontSize="md" fontWeight="semibold" mt={10} mb={5}>
+        Test connection
+      </Heading>
+      <Stack>
+        <Formik initialValues={initialValues} onSubmit={handleTestConnection}>
+          {({ isSubmitting, resetForm }) => (
+            <Form>
+              {emailProvider ? (
+                <CustomTextInput
+                  name="email"
+                  label="Email"
+                  placeholder="youremail@domain.com"
+                  isRequired
+                />
+              ) : null}
+              {SMSProvider ? (
+                <CustomTextInput
+                  name="phone"
+                  label="Phone"
+                  placeholder="+10000000000"
+                  isRequired
+                />
+              ) : null}
+              <Box mt={10}>
+                <Button
+                  onClick={() => resetForm()}
+                  mr={2}
+                  size="sm"
+                  variant="outline"
+                >
+                  Cancel
+                </Button>
+                <Button
+                  isDisabled={isSubmitting}
+                  type="submit"
+                  colorScheme="primary"
+                  size="sm"
+                  data-testid="save-btn"
+                >
+                  Save
+                </Button>
+              </Box>
+            </Form>
+          )}
+        </Formik>
+      </Stack>
+    </>
+  );
+};
+
+export default TestMessagingProviderConnectionButton;
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx
index 94f3adb9e3..a62f007096 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioEmailConfiguration.tsx
@@ -12,6 +12,8 @@ import {
   useGetMessagingConfigurationDetailsQuery,
 } from "~/features/privacy-requests/privacy-requests.slice";
 
+import TestMessagingProviderConnectionButton from "./TestMessagingProviderConnectionButton";
+
 const TwilioEmailConfiguration = () => {
   const [configurationStep, setConfigurationStep] = useState("");
   const { successAlert } = useAlert();
@@ -56,7 +58,7 @@ const TwilioEmailConfiguration = () => {
       handleError(result.error);
     } else {
       successAlert(`Twilio email secrets successfully updated.`);
-      setConfigurationStep("configureTwilioEmailSecrets");
+      setConfigurationStep("testConnection");
     }
   };
 
@@ -112,7 +114,8 @@ const TwilioEmailConfiguration = () => {
           )}
         </Formik>
       </Stack>
-      {configurationStep === "configureTwilioEmailSecrets" ? (
+      {configurationStep === "configureTwilioEmailSecrets" ||
+      configurationStep === "testConnection" ? (
         <>
           <Divider mt={10} />
           <Heading fontSize="md" fontWeight="semibold" mt={10}>
@@ -158,6 +161,11 @@ const TwilioEmailConfiguration = () => {
           </Stack>
         </>
       ) : null}
+      {configurationStep === "testConnection" ? (
+        <TestMessagingProviderConnectionButton
+          messagingDetails={messagingDetails}
+        />
+      ) : null}
     </Box>
   );
 };
diff --git a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx
index 97e5191380..82fe82f096 100644
--- a/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/configuration/TwilioSMS.tsx
@@ -1,15 +1,25 @@
 import { Box, Button, Heading, Stack } from "@fidesui/react";
 import { Form, Formik } from "formik";
+import { useState } from "react";
 
 import { CustomTextInput } from "~/features/common/form/inputs";
 import { isErrorResult } from "~/features/common/helpers";
 import { useAlert, useAPIHelper } from "~/features/common/hooks";
 import { messagingProviders } from "~/features/privacy-requests/constants";
-import { useCreateMessagingConfigurationSecretsMutation } from "~/features/privacy-requests/privacy-requests.slice";
+import {
+  useCreateMessagingConfigurationSecretsMutation,
+  useGetMessagingConfigurationDetailsQuery,
+} from "~/features/privacy-requests/privacy-requests.slice";
+
+import TestMessagingProviderConnectionButton from "./TestMessagingProviderConnectionButton";
 
 const TwilioSMSConfiguration = () => {
   const { successAlert } = useAlert();
   const { handleError } = useAPIHelper();
+  const [configurationStep, setConfigurationStep] = useState("");
+  const { data: messagingDetails } = useGetMessagingConfigurationDetailsQuery({
+    type: "twilio_text",
+  });
   const [createMessagingConfigurationSecrets] =
     useCreateMessagingConfigurationSecretsMutation();
 
@@ -33,6 +43,7 @@ const TwilioSMSConfiguration = () => {
       handleError(result.error);
     } else {
       successAlert(`Twilio text secrets successfully updated.`);
+      setConfigurationStep("testConnection");
     }
   };
 
@@ -104,6 +115,11 @@ const TwilioSMSConfiguration = () => {
           )}
         </Formik>
       </Stack>
+      {configurationStep === "testConnection" ? (
+        <TestMessagingProviderConnectionButton
+          messagingDetails={messagingDetails}
+        />
+      ) : null}
     </Box>
   );
 };
diff --git a/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts b/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts
index d4b67a75dc..db385c62ef 100644
--- a/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts
+++ b/clients/admin-ui/src/features/privacy-requests/privacy-requests.slice.ts
@@ -416,6 +416,13 @@ export const privacyRequestApi = createApi({
         body: params.details,
       }),
     }),
+    createTestConnectionMessage: build.mutation<any, any>({
+      query: (params) => ({
+        url: `messaging/config/test`,
+        method: "POST",
+        body: params,
+      }),
+    }),
     uploadManualWebhookData: build.mutation<
       any,
       PatchUploadManualWebhookDataRequest
@@ -449,4 +456,5 @@ export const {
   useGetActiveStorageQuery,
   useCreateMessagingConfigurationMutation,
   useCreateMessagingConfigurationSecretsMutation,
+  useCreateTestConnectionMessageMutation,
 } = privacyRequestApi;