From ddc755d460d41bfc700e3f66e5bdbfb16f21f7be Mon Sep 17 00:00:00 2001
From: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
Date: Wed, 8 Nov 2023 17:21:33 -0500
Subject: [PATCH 1/7] empty commit to start release 2.24.0


From c9a465d790fb15756a739f2979aceb6c0ae6c0c4 Mon Sep 17 00:00:00 2001
From: jpople <jeremy@ethyca.com>
Date: Thu, 9 Nov 2023 12:53:51 -0500
Subject: [PATCH 2/7] Disable editing fields for GVL vendors (#4327)

---
 CHANGELOG.md                                  |  29 ++++-
 .../admin-ui/cypress/e2e/systems-plus.cy.ts   |   5 +
 .../admin-ui/src/features/plus/plus.slice.ts  |   1 +
 .../src/features/system/GVLNotice.tsx         |  28 +++++
 .../src/features/system/SystemFormTabs.tsx    |   6 +
 .../features/system/SystemInformationForm.tsx | 104 ++++++++++++++++--
 .../src/features/system/VendorSelector.tsx    |   4 +-
 .../dictionary-form/DictSuggestionInputs.tsx  |   6 +
 .../dictionary-form/dict-suggestion.slice.ts  |  12 +-
 .../PrivacyDeclarationDisplayGroup.tsx        |  54 +++++----
 .../PrivacyDeclarationForm.tsx                |  53 +++++++--
 .../admin-ui/src/pages/add-systems/manual.tsx |   6 +
 .../src/pages/systems/configure/[id].tsx      |  24 +++-
 13 files changed, 278 insertions(+), 54 deletions(-)
 create mode 100644 clients/admin-ui/src/features/system/GVLNotice.tsx

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eeb6914383..692b26cd55 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,10 @@ The types of changes are:
 - Erasure support for Ada Chatbot [#4382](https://github.com/ethyca/fides/pull/4382)
 - Erasure support for Typeform [#4366](https://github.com/ethyca/fides/pull/4366)
 
+## Added
+
+- Added notice that a system is GVL when adding/editing from system form [#4327](https://github.com/ethyca/fides/pull/4327)
+
 ### Changed
 - Add filtering and pagination to bulk vendor add table [#4351](https://github.com/ethyca/fides/pull/4351)
 - Determine if the TCF overlay needs to surface based on backend calculated version hash [#4356](https://github.com/ethyca/fides/pull/4356)
@@ -62,6 +66,7 @@ The types of changes are:
 - Updated double toggle styling in favor of single toggles with a radio group to select legal basis [#4376](https://github.com/ethyca/fides/pull/4376)
 
 ### Fixed
+
 - Handle invalid `fides_string` when passed in as an override [#4350](https://github.com/ethyca/fides/pull/4350)
 - Bug where vendor opt-ins would not initialize properly based on a `fides_string` in the TCF overlay [#4368](https://github.com/ethyca/fides/pull/4368)
 
@@ -97,6 +102,7 @@ The types of changes are:
 - Removes overflow styling for embedded modal in Fides.js [#4345](https://github.com/ethyca/fides/pull/4345)
 
 ### Changed
+
 - Derive cookie storage info, privacy policy and legitimate interest disclosure URLs, and data retention data from the data map instead of directly from gvl.json [#4286](https://github.com/ethyca/fides/pull/4286)
 - Updated TCF Version for backend consent reporting [#4305](https://github.com/ethyca/fides/pull/4305)
 - Update Version Hash Contents [#4313](https://github.com/ethyca/fides/pull/4313)
@@ -106,9 +112,11 @@ The types of changes are:
 ## [2.22.1](https://github.com/ethyca/fides/compare/2.22.0...2.22.1)
 
 ### Added
+
 - Custom fields are now included in system history change tracking [#4294](https://github.com/ethyca/fides/pull/4294)
 
 ### Security
+
 - Added hostname checks for external SaaS connector URLs [CVE-2023-46124](https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4)
 - Use a Pydantic URL type for privacy policy URLs [CVE-2023-46126](https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83)
 - Remove the CONFIG_READ scope from the Viewer role [CVE-2023-46125](https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89)
@@ -116,6 +124,7 @@ The types of changes are:
 ## [2.22.0](https://github.com/ethyca/fides/compare/2.21.0...2.22.0)
 
 ### Added
+
 - Added an option to link to vendor tab from an experience config description [#4191](https://github.com/ethyca/fides/pull/4191)
 - Added two toggles for vendors in the TCF overlay, one for Consent, and one for Legitimate Interest [#4189](https://github.com/ethyca/fides/pull/4189)
 - Added two toggles for purposes in the TCF overlay, one for Consent, and one for Legitimate Interest [#4234](https://github.com/ethyca/fides/pull/4234)
@@ -124,6 +133,7 @@ The types of changes are:
 - Support for `gvl` prefixed vendor IDs [#4247](https://github.com/ethyca/fides/pull/4247)
 
 ### Changed
+
 - Removed `TCF_ENABLED` environment variable from the privacy center in favor of dynamically figuring out which `fides-js` bundle to send [#4131](https://github.com/ethyca/fides/pull/4131)
 - Updated copy of info boxes on each TCF tab [#4191](https://github.com/ethyca/fides/pull/4191)
 - Clarified messages for error messages presented during connector upload [#4198](https://github.com/ethyca/fides/pull/4198)
@@ -143,6 +153,7 @@ The types of changes are:
 - Changed naming convention "fides_string" instead of "tc_string" for developer friendly consent API's [#4267](https://github.com/ethyca/fides/pull/4267)
 
 ### Fixed
+
 - TCF overlay can initialize its consent preferences from a cookie [#4124](https://github.com/ethyca/fides/pull/4124)
 - Various improvements to the TCF modal such as vendor storage disclosures, vendor counts, privacy policies, etc. [#4167](https://github.com/ethyca/fides/pull/4167)
 - An issue where Braze could not mask an email due to formatting [#4187](https://github.com/ethyca/fides/pull/4187)
@@ -157,6 +168,7 @@ The types of changes are:
 ## [2.21.0](https://github.com/ethyca/fides/compare/2.20.2...2.21.0)
 
 ### Added
+
 - "Add a vendor" flow to configuring consent page [#4107](https://github.com/ethyca/fides/pull/4107)
 - Initial TCF Backend Support [#3804](https://github.com/ethyca/fides/pull/3804)
 - Add initial layer to TCF modal [#3956](https://github.com/ethyca/fides/pull/3956)
@@ -174,6 +186,7 @@ The types of changes are:
 - Added fides.css customization for Plus users [#4136](https://github.com/ethyca/fides/pull/4136)
 
 ### Changed
+
 - Added further config options to customize the privacy center [#4090](https://github.com/ethyca/fides/pull/4090)
 - CORS configuration page [#4073](https://github.com/ethyca/fides/pull/4073)
 - Refactored `fides.js` components so that they can take data structures that are not necessarily privacy notices [#3870](https://github.com/ethyca/fides/pull/3870)
@@ -183,12 +196,14 @@ The types of changes are:
 - Misc copy changes for the system history table and modal [#4146](https://github.com/ethyca/fides/pull/4146)
 
 ### Fixed
-- Allows CDN to cache empty experience responses from fides.js API  [#4113](https://github.com/ethyca/fides/pull/4113)
+
+- Allows CDN to cache empty experience responses from fides.js API [#4113](https://github.com/ethyca/fides/pull/4113)
 - Fixed `identity_special_purpose` unique constraint definition [#4174](https://github.com/ethyca/fides/pull/4174/files)
 
 ## [2.20.2](https://github.com/ethyca/fides/compare/2.20.1...2.20.2)
 
 ### Fixed
+
 - added version_added, version_deprecated, and replaced_by to data use, data subject, and data category APIs [#4135](https://github.com/ethyca/fides/pull/4135)
 - Update fides.js to not fetch experience client-side if pre-fetched experience is empty [#4149](https://github.com/ethyca/fides/pull/4149)
 - Erasure privacy requests now pause for input if there are any manual process integrations [#4115](https://github.com/ethyca/fides/pull/4115)
@@ -203,6 +218,7 @@ The types of changes are:
 ## [2.20.0](https://github.com/ethyca/fides/compare/2.19.1...2.20.0)
 
 ### Added
+
 - Initial page for configuring consent [#4069](https://github.com/ethyca/fides/pull/4069)
 - Vendor cookie table for configuring consent [#4082](https://github.com/ethyca/fides/pull/4082)
 
@@ -239,7 +255,6 @@ The types of changes are:
 - System history UI with diff modal [#4021](https://github.com/ethyca/fides/pull/4021)
 - Relax system legal basis for transfers to be any string [#4049](https://github.com/ethyca/fides/pull/4049)
 
-
 ## [2.19.0](https://github.com/ethyca/fides/compare/2.18.0...2.19.0)
 
 ### Added
@@ -258,7 +273,7 @@ The types of changes are:
 - Fixed dataset issue that was preventing the Vend connector from loading during server startup [#3923](https://github.com/ethyca/fides/pull/3923)
 - Adding version check to version-dependent migration script [#3951](https://github.com/ethyca/fides/pull/3951)
 - Fixed a bug where some fields were not saving correctly on the system form [#3975](https://github.com/ethyca/fides/pull/3975)
-- Changed "retention period" field in privacy declaration form from number input to text input  [#3980](https://github.com/ethyca/fides/pull/3980)
+- Changed "retention period" field in privacy declaration form from number input to text input [#3980](https://github.com/ethyca/fides/pull/3980)
 - Fixed issue where unsaved changes modal appears incorrectly [#4005](https://github.com/ethyca/fides/pull/4005)
 - Fixed banner resurfacing after user consent for pre-fetch experience [#4009](https://github.com/ethyca/fides/pull/4009)
 
@@ -272,6 +287,7 @@ The types of changes are:
 - Admin ui supports fides cloud config API [#4034](https://github.com/ethyca/fides/pull/4034)
 
 ### Security
+
 - Resolve custom integration upload RCE vulnerability [CVE-2023-41319](https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h)
 
 ## [2.18.0](https://github.com/ethyca/fides/compare/2.17.0...2.18.0)
@@ -286,6 +302,7 @@ The types of changes are:
 - Changes in the `data` directory now trigger a server reload (for local development) [#3874](https://github.com/ethyca/fides/pull/3874)
 
 ### Fixed
+
 - Fix datamap zoom for low system counts [#3835](https://github.com/ethyca/fides/pull/3835)
 - Fixed connector forms with external dataset reference fields [#3873](https://github.com/ethyca/fides/pull/3873)
 - Fix ability to make server side API calls from privacy-center [#3895](https://github.com/ethyca/fides/pull/3895)
@@ -332,6 +349,7 @@ The types of changes are:
 - Erasure support for Heap [#3599](https://github.com/ethyca/fides/pull/3599)
 
 ### Fixed
+
 - Privacy notice UI's list of possible regions now matches the backend's list [#3787](https://github.com/ethyca/fides/pull/3787)
 - Admin UI "property does not existing" build issue [#3831](https://github.com/ethyca/fides/pull/3831)
 - Flagging sensitive inputs as passwords to mask values during entry [#3843](https://github.com/ethyca/fides/pull/3843)
@@ -376,23 +394,28 @@ The types of changes are:
 - Enable privacy notice and privacy experience feature flags by default [#3773](https://github.com/ethyca/fides/pull/3773)
 
 ### Security
+
 - Resolve Zip bomb file upload vulnerability [CVE-2023-37480](https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6)
 - Resolve SVG bomb (billion laughs) file upload vulnerability [CVE-2023-37481](https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5)
 
 ## [2.15.1](https://github.com/ethyca/fides/compare/2.15.0...2.15.1)
 
 ### Added
+
 - Set `sslmode` to `prefer` if connecting to Redshift via ssh [#3685](https://github.com/ethyca/fides/pull/3685)
 
 ### Changed
+
 - Privacy center action cards are now able to expand to accommodate longer text [#3669](https://github.com/ethyca/fides/pull/3669)
 - Update integration endpoint permissions [#3707](https://github.com/ethyca/fides/pull/3707)
 
 ### Fixed
+
 - Handle names with a double underscore when processing access and erasure requests [#3688](https://github.com/ethyca/fides/pull/3688)
 - Allow Privacy Notices banner and modal to scroll as needed [#3713](https://github.com/ethyca/fides/pull/3713)
 
 ### Security
+
 - Resolve path traversal vulnerability in webserver API [CVE-2023-36827](https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq)
 
 ## [2.15.0](https://github.com/ethyca/fides/compare/2.14.1...2.15.0)
diff --git a/clients/admin-ui/cypress/e2e/systems-plus.cy.ts b/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
index 6434a74930..f4591dd41b 100644
--- a/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
+++ b/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
@@ -55,6 +55,11 @@ describe("System management with Plus features", () => {
       );
     });
 
+    it("locks editing for a GVL vendor when TCF is enabled", () => {
+      cy.getSelectValueContainer("input-vendor_id").type("Aniview{enter}");
+      cy.getByTestId("locked-for-GVL-notice");
+    });
+
     // some DictSuggestionTextInputs don't get populated right, causing
     // the form to be mistakenly marked as dirty and the "unsaved changes"
     // modal to pop up incorrectly when switching tabs
diff --git a/clients/admin-ui/src/features/plus/plus.slice.ts b/clients/admin-ui/src/features/plus/plus.slice.ts
index 4054572e0e..788bd9bf17 100644
--- a/clients/admin-ui/src/features/plus/plus.slice.ts
+++ b/clients/admin-ui/src/features/plus/plus.slice.ts
@@ -355,6 +355,7 @@ export const {
   useGetAllDictionaryEntriesQuery,
   useGetFidesCloudConfigQuery,
   useGetDictionaryDataUsesQuery,
+  useLazyGetDictionaryDataUsesQuery,
   useGetAllSystemVendorsQuery,
   usePostSystemVendorsMutation,
   useGetSystemHistoryQuery,
diff --git a/clients/admin-ui/src/features/system/GVLNotice.tsx b/clients/admin-ui/src/features/system/GVLNotice.tsx
new file mode 100644
index 0000000000..38a57e92ea
--- /dev/null
+++ b/clients/admin-ui/src/features/system/GVLNotice.tsx
@@ -0,0 +1,28 @@
+import { Box, Link } from "@fidesui/react";
+
+import EmptyTableState from "~/features/common/table/EmptyTableState";
+
+const GVLNotice = () => (
+  <Box mb="6" maxW="720px" data-testid="locked-for-GVL-notice">
+    <EmptyTableState
+      title="This system is part of the TCF Global Vendor List (GVL)"
+      description={
+        <>
+          As a result, the system fields are not editable as they come directly
+          from Fides Compass and the Global Vendor List (GVL). In some cases
+          where the legal basis has been declared to be flexible, you may update
+          the legal basis for particular data uses.{" "}
+          <Link
+            href="https://fid.es/tcf_gvl"
+            isExternal
+            color="complimentary.500"
+          >
+            For more information on the Global Vendor List, click here.
+          </Link>
+        </>
+      }
+    />
+  </Box>
+);
+
+export default GVLNotice;
diff --git a/clients/admin-ui/src/features/system/SystemFormTabs.tsx b/clients/admin-ui/src/features/system/SystemFormTabs.tsx
index ab62b8fcde..efc236e089 100644
--- a/clients/admin-ui/src/features/system/SystemFormTabs.tsx
+++ b/clients/admin-ui/src/features/system/SystemFormTabs.tsx
@@ -14,6 +14,10 @@ import {
 import { useSystemOrDatamapRoute } from "~/features/common/hooks/useSystemOrDatamapRoute";
 import { DEFAULT_TOAST_PARAMS } from "~/features/common/toast";
 import ConnectionForm from "~/features/datastore-connections/system_portal_config/ConnectionForm";
+import {
+  setLockedForGVL,
+  setSuggestions,
+} from "~/features/system/dictionary-form/dict-suggestion.slice";
 import PrivacyDeclarationStep from "~/features/system/privacy-declarations/PrivacyDeclarationStep";
 import { SystemResponse } from "~/types/api";
 
@@ -145,6 +149,8 @@ const SystemFormTabs = ({
      */
     if (isCreate) {
       dispatch(setActiveSystem(undefined));
+      dispatch(setSuggestions("initial"));
+      dispatch(setLockedForGVL(false));
     }
     return () => {
       // on unmount, unset the active system
diff --git a/clients/admin-ui/src/features/system/SystemInformationForm.tsx b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
index e0a56a144a..7aa8262f3f 100644
--- a/clients/admin-ui/src/features/system/SystemInformationForm.tsx
+++ b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
@@ -25,13 +25,23 @@ import {
   CustomSwitch,
   CustomTextInput,
 } from "~/features/common/form/inputs";
-import { getErrorMessage, isErrorResult } from "~/features/common/helpers";
+import {
+  extractVendorSource,
+  getErrorMessage,
+  isErrorResult,
+  VendorSources,
+} from "~/features/common/helpers";
 import { FormGuard } from "~/features/common/hooks/useIsAnyFormDirty";
 import {
   selectAllDictEntries,
   useGetAllDictionaryEntriesQuery,
+  useLazyGetDictionaryDataUsesQuery,
 } from "~/features/plus/plus.slice";
-import { setSuggestions } from "~/features/system/dictionary-form/dict-suggestion.slice";
+import {
+  selectLockedForGVL,
+  setLockedForGVL,
+  setSuggestions,
+} from "~/features/system/dictionary-form/dict-suggestion.slice";
 import {
   DictSuggestionNumberInput,
   DictSuggestionSelect,
@@ -39,6 +49,7 @@ import {
   DictSuggestionTextArea,
   DictSuggestionTextInput,
 } from "~/features/system/dictionary-form/DictSuggestionInputs";
+import { transformDictDataUseToDeclaration } from "~/features/system/dictionary-form/helpers";
 import {
   defaultInitialValues,
   FormValues,
@@ -123,8 +134,10 @@ const SystemInformationForm = ({
   useGetAllDictionaryEntriesQuery(undefined, {
     skip: !features.dictionaryService,
   });
+  const [getDictionaryDataUseTrigger] = useLazyGetDictionaryDataUsesQuery();
 
   const dictionaryOptions = useAppSelector(selectAllDictEntries);
+  const lockedForGVL = useAppSelector(selectLockedForGVL);
 
   const systems = useAppSelector(selectAllSystems);
   const isEditing = useMemo(
@@ -153,7 +166,35 @@ const SystemInformationForm = ({
     values: FormValues,
     formikHelpers: FormikHelpers<FormValues>
   ) => {
-    const systemBody = transformFormValuesToSystem(values);
+    let dictionaryDeclarations;
+    if (lockedForGVL && values.privacy_declarations.length === 0) {
+      const dataUseQueryResult = await getDictionaryDataUseTrigger({
+        vendor_id: values.vendor_id!,
+      });
+      if (dataUseQueryResult.isError) {
+        const dataUseErrorMsg = getErrorMessage(
+          dataUseQueryResult.error,
+          `A problem occurred while fetching data uses from the GVL for your system.  Please try again.`
+        );
+        toast({ status: "error", description: dataUseErrorMsg });
+      } else if (
+        dataUseQueryResult.data &&
+        dataUseQueryResult.data.items.length > 0
+      ) {
+        dictionaryDeclarations = dataUseQueryResult.data.items.map((dec) => ({
+          ...transformDictDataUseToDeclaration(dec),
+          name: dec.name ?? "",
+        }));
+      }
+    }
+
+    const valuesToSubmit = {
+      ...values,
+      privacy_declarations:
+        dictionaryDeclarations ?? values.privacy_declarations,
+    };
+
+    const systemBody = transformFormValuesToSystem(valuesToSubmit);
 
     const handleResult = (
       result:
@@ -191,6 +232,19 @@ const SystemInformationForm = ({
     handleResult(result);
   };
 
+  const handleVendorSelected = (newVendorId: string) => {
+    console.log("hello from handleVendorSelected");
+    if (
+      features.tcf &&
+      extractVendorSource(newVendorId) === VendorSources.GVL
+    ) {
+      dispatch(setSuggestions("showing"));
+      dispatch(setLockedForGVL(true));
+    } else {
+      dispatch(setLockedForGVL(false));
+    }
+  };
+
   const isLoading =
     updateSystemMutationResult.isLoading ||
     createSystemMutationResult.isLoading ||
@@ -219,7 +273,10 @@ const SystemInformationForm = ({
 
             <SystemFormInputGroup heading="System details">
               {features.dictionaryService ? (
-                <VendorSelector options={dictionaryOptions} />
+                <VendorSelector
+                  options={dictionaryOptions}
+                  onVendorSelected={handleVendorSelected}
+                />
               ) : null}
               <DictSuggestionTextInput
                 id="name"
@@ -228,6 +285,7 @@ const SystemInformationForm = ({
                 isRequired
                 label="System name"
                 tooltip="Give the system a unique, and relevant name for reporting purposes. e.g. “Email Data Warehouse”"
+                disabled={lockedForGVL}
               />
               {passedInSystem?.fides_key && (
                 <CustomTextInput
@@ -244,6 +302,7 @@ const SystemInformationForm = ({
                 name="description"
                 label="Description"
                 tooltip="What services does this system perform?"
+                disabled={lockedForGVL}
               />
               <CustomCreatableSelect
                 id="tags"
@@ -260,6 +319,7 @@ const SystemInformationForm = ({
                 }
                 tooltip="Are there any tags to associate with this system?"
                 isMulti
+                isDisabled={lockedForGVL}
               />
             </SystemFormInputGroup>
             <SystemFormInputGroup heading="Dataset reference">
@@ -270,26 +330,26 @@ const SystemInformationForm = ({
                 tooltip="Is there a dataset configured for this system?"
                 isMulti
                 variant="stacked"
+                isDisabled={lockedForGVL}
               />
             </SystemFormInputGroup>
             <SystemFormInputGroup heading="Data processing properties">
               <Stack spacing={0}>
                 <Box mb={4}>
-                  <CustomSwitch
+                  <DictSuggestionSwitch
                     name="processes_personal_data"
                     label="This system processes personal data"
                     tooltip="Does this system process personal data?"
-                    variant="stacked"
+                    disabled={lockedForGVL}
                   />
                 </Box>
                 <Box padding={4} borderRadius={4} backgroundColor="gray.50">
                   <Stack spacing={0}>
-                    <CustomSwitch
+                    <DictSuggestionSwitch
                       name="exempt_from_privacy_regulations"
                       label="This system is exempt from privacy regulations"
                       tooltip="Is this system exempt from privacy regulations?"
-                      disabled={!values.processes_personal_data}
-                      variant="stacked"
+                      disabled={!values.processes_personal_data || lockedForGVL}
                     />
                     <Collapse
                       in={values.exempt_from_privacy_regulations}
@@ -302,6 +362,7 @@ const SystemInformationForm = ({
                           tooltip="Why is this system exempt from privacy regulation?"
                           variant="stacked"
                           isRequired={values.exempt_from_privacy_regulations}
+                          disabled={lockedForGVL}
                         />
                       </Box>
                     </Collapse>
@@ -323,6 +384,7 @@ const SystemInformationForm = ({
                         name="uses_profiling"
                         label="This system performs profiling"
                         tooltip="Does this system perform profiling that could have a legal effect?"
+                        disabled={lockedForGVL}
                       />
                       <Collapse
                         in={values.uses_profiling}
@@ -338,6 +400,7 @@ const SystemInformationForm = ({
                             options={legalBasisForProfilingOptions}
                             tooltip="What is the legal basis under which profiling is performed?"
                             isMulti
+                            disabled={lockedForGVL}
                             isRequired={values.uses_profiling}
                           />
                         </Box>
@@ -348,6 +411,7 @@ const SystemInformationForm = ({
                         name="does_international_transfers"
                         label="This system transfers data"
                         tooltip="Does this system transfer data to other countries or international organizations?"
+                        disabled={lockedForGVL}
                       />
                       <Collapse
                         in={values.does_international_transfers}
@@ -364,6 +428,7 @@ const SystemInformationForm = ({
                             tooltip="What is the legal basis under which the data is transferred?"
                             isMulti
                             isRequired={values.does_international_transfers}
+                            disabled={lockedForGVL}
                           />
                         </Box>
                       </Collapse>
@@ -374,6 +439,7 @@ const SystemInformationForm = ({
                         label="This system requires Data Privacy Assessments"
                         tooltip="Does this system require (DPA/DPIA) assessments?"
                         variant="stacked"
+                        isDisabled={lockedForGVL}
                       />
                       <Collapse
                         in={values.requires_data_protection_assessments}
@@ -385,6 +451,7 @@ const SystemInformationForm = ({
                             name="dpa_location"
                             tooltip="Where is the DPA/DPIA stored?"
                             variant="stacked"
+                            disabled={lockedForGVL}
                             isRequired={
                               values.requires_data_protection_assessments
                             }
@@ -408,21 +475,25 @@ const SystemInformationForm = ({
                   name="uses_cookies"
                   label="This system uses cookies"
                   tooltip="Does this system use cookies?"
+                  disabled={lockedForGVL}
                 />
                 <DictSuggestionSwitch
                   name="cookie_refresh"
                   label="This system refreshes cookies"
                   tooltip="Does this system automatically refresh cookies?"
+                  disabled={lockedForGVL}
                 />
                 <DictSuggestionSwitch
                   name="uses_non_cookie_access"
                   label="This system uses non-cookie trackers"
                   tooltip="Does this system use other types of trackers?"
+                  disabled={lockedForGVL}
                 />
                 <DictSuggestionNumberInput
                   name="cookie_max_age_seconds"
                   label="Maximum duration (seconds)"
                   tooltip="What is the maximum amount of time a cookie will live?"
+                  disabled={lockedForGVL}
                 />
               </SystemFormInputGroup>
               <SystemFormInputGroup heading="Administrative properties">
@@ -438,18 +509,21 @@ const SystemInformationForm = ({
                   name="privacy_policy"
                   label="Privacy policy URL"
                   tooltip="Where can the privacy policy be located?"
+                  disabled={lockedForGVL}
                 />
                 <DictSuggestionTextInput
                   id="legal_name"
                   name="legal_name"
                   label="Legal name"
                   tooltip="What is the legal name of the business?"
+                  disabled={lockedForGVL}
                 />
                 <DictSuggestionTextArea
                   id="legal_address"
                   name="legal_address"
                   label="Legal address"
                   tooltip="What is the legal address for the business?"
+                  disabled={lockedForGVL}
                 />
                 <CustomTextInput
                   label="Department"
@@ -458,7 +532,8 @@ const SystemInformationForm = ({
                   variant="stacked"
                   disabled={
                     !values.processes_personal_data ||
-                    values.exempt_from_privacy_regulations
+                    values.exempt_from_privacy_regulations ||
+                    lockedForGVL
                   }
                 />
                 <DictSuggestionSelect
@@ -469,7 +544,8 @@ const SystemInformationForm = ({
                   isMulti
                   disabled={
                     !values.processes_personal_data ||
-                    values.exempt_from_privacy_regulations
+                    values.exempt_from_privacy_regulations ||
+                    lockedForGVL
                   }
                 />
                 <DictSuggestionTextInput
@@ -477,6 +553,7 @@ const SystemInformationForm = ({
                   id="dpo"
                   label="Legal contact (DPO)"
                   tooltip="What is the official privacy contact information?"
+                  disabled={lockedForGVL}
                 />
                 <CustomTextInput
                   label="Joint controller"
@@ -485,7 +562,8 @@ const SystemInformationForm = ({
                   variant="stacked"
                   disabled={
                     !values.processes_personal_data ||
-                    values.exempt_from_privacy_regulations
+                    values.exempt_from_privacy_regulations ||
+                    lockedForGVL
                   }
                 />
                 <DictSuggestionTextInput
@@ -493,11 +571,13 @@ const SystemInformationForm = ({
                   name="data_security_practices"
                   id="data_security_practices"
                   tooltip="Which data security practices are employed to keep the data safe?"
+                  disabled={lockedForGVL}
                 />
                 <DictSuggestionTextInput
                   label="Legitimate interest disclosure URL"
                   name="legitimate_interest_disclosure_url"
                   id="legitimate_interest_disclosure_url"
+                  disabled={lockedForGVL}
                 />
               </SystemFormInputGroup>
               {values.fides_key ? (
diff --git a/clients/admin-ui/src/features/system/VendorSelector.tsx b/clients/admin-ui/src/features/system/VendorSelector.tsx
index e460d81a67..090686631b 100644
--- a/clients/admin-ui/src/features/system/VendorSelector.tsx
+++ b/clients/admin-ui/src/features/system/VendorSelector.tsx
@@ -11,9 +11,10 @@ import { DictSuggestionToggle } from "~/features/system/dictionary-form/ToggleDi
 interface Props {
   disabled?: boolean;
   options: DictOption[];
+  onVendorSelected: (vendorId: string) => void;
 }
 
-const VendorSelector = ({ disabled, options }: Props) => {
+const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
   const [initialField, meta, { setValue }] = useField({ name: "vendor_id" });
   const isInvalid = !!(meta.touched && meta.error);
   const field = { ...initialField, value: initialField.value ?? "" };
@@ -35,6 +36,7 @@ const VendorSelector = ({ disabled, options }: Props) => {
   const handleChange = (newValue: SingleValue<Option>) => {
     if (newValue) {
       setValue(newValue.value);
+      onVendorSelected(newValue.value);
     }
   };
 
diff --git a/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx b/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
index 6786ee63e6..96e7b7f8ba 100644
--- a/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
+++ b/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
@@ -154,6 +154,7 @@ export const DictSuggestionTextInput = ({
 export const DictSuggestionTextArea = ({
   label,
   tooltip,
+  disabled,
   isRequired = false,
   dictField,
   name,
@@ -183,6 +184,7 @@ export const DictSuggestionTextArea = ({
               ? "complimentary.500"
               : "gray.800"
           }
+          isDisabled={disabled}
         />
         <ErrorMessage
           isInvalid={isInvalid}
@@ -200,6 +202,7 @@ export const DictSuggestionSwitch = ({
   dictField,
   name,
   id,
+  disabled,
 }: Props) => {
   const { field, isInvalid, error } = useDictSuggestion(
     name,
@@ -225,6 +228,7 @@ export const DictSuggestionSwitch = ({
             mr={2}
             data-testid={`input-${field.name}`}
             size="sm"
+            isDisabled={disabled}
           />
         </HStack>
       </Box>
@@ -375,6 +379,7 @@ export const DictSuggestionNumberInput = ({
   dictField,
   name,
   id,
+  disabled,
 }: Props) => {
   const { field, isInvalid, error, isShowingSuggestions } = useDictSuggestion(
     name,
@@ -411,6 +416,7 @@ export const DictSuggestionNumberInput = ({
                 ? "complimentary.500"
                 : "gray.800"
             }
+            isDisabled={disabled}
           >
             <NumberInputField />
             <NumberInputStepper>
diff --git a/clients/admin-ui/src/features/system/dictionary-form/dict-suggestion.slice.ts b/clients/admin-ui/src/features/system/dictionary-form/dict-suggestion.slice.ts
index f4822434cc..f1b9ccfc50 100644
--- a/clients/admin-ui/src/features/system/dictionary-form/dict-suggestion.slice.ts
+++ b/clients/admin-ui/src/features/system/dictionary-form/dict-suggestion.slice.ts
@@ -8,9 +8,11 @@ export type Suggestions = "showing" | "hiding" | "initial";
 
 type State = {
   suggestions: Suggestions;
+  lockedForGVL: boolean;
 };
 const initialState: State = {
   suggestions: "initial",
+  lockedForGVL: false,
 };
 
 export const dictSuggestionsSlice = createSlice({
@@ -28,10 +30,13 @@ export const dictSuggestionsSlice = createSlice({
     setSuggestions: (draftState, action: PayloadAction<Suggestions>) => {
       draftState.suggestions = action.payload;
     },
+    setLockedForGVL: (draftState, action: PayloadAction<boolean>) => {
+      draftState.lockedForGVL = action.payload;
+    },
   },
 });
 
-export const { toggleSuggestions, setSuggestions } =
+export const { toggleSuggestions, setSuggestions, setLockedForGVL } =
   dictSuggestionsSlice.actions;
 
 const selectDictSuggestionSlice = (state: RootState) => state.dictSuggestions;
@@ -40,3 +45,8 @@ export const selectSuggestions = createSelector(
   selectDictSuggestionSlice,
   (state) => state.suggestions
 );
+
+export const selectLockedForGVL = createSelector(
+  selectDictSuggestionSlice,
+  (state) => state.lockedForGVL
+);
diff --git a/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationDisplayGroup.tsx b/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationDisplayGroup.tsx
index 26f5d81e0b..e0ea5549e8 100644
--- a/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationDisplayGroup.tsx
+++ b/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationDisplayGroup.tsx
@@ -13,6 +13,8 @@ import {
   Text,
 } from "@fidesui/react";
 
+import { useAppSelector } from "~/app/hooks";
+import { selectLockedForGVL } from "~/features/system/dictionary-form/dict-suggestion.slice";
 import { DataUse, PrivacyDeclarationResponse } from "~/types/api";
 
 import { SparkleIcon } from "../../common/Icon/SparkleIcon";
@@ -25,7 +27,7 @@ const PrivacyDeclarationRow = ({
 }: {
   declaration: PrivacyDeclarationResponse;
   title?: string;
-  handleDelete: (dec: PrivacyDeclarationResponse) => void;
+  handleDelete?: (dec: PrivacyDeclarationResponse) => void;
   handleEdit: (dec: PrivacyDeclarationResponse) => void;
 }) => (
   <>
@@ -42,15 +44,17 @@ const PrivacyDeclarationRow = ({
           </LinkOverlay>
         </LinkBox>
         <Spacer />
-        <IconButton
-          aria-label="delete-declaration"
-          variant="outline"
-          zIndex={2}
-          size="sm"
-          onClick={() => handleDelete(declaration)}
-        >
-          <DeleteIcon />
-        </IconButton>
+        {handleDelete ? (
+          <IconButton
+            aria-label="delete-declaration"
+            variant="outline"
+            zIndex={2}
+            size="sm"
+            onClick={() => handleDelete(declaration)}
+          >
+            <DeleteIcon />
+          </IconButton>
+        ) : null}
       </HStack>
     </Box>
     <Divider />
@@ -126,6 +130,8 @@ export const PrivacyDeclarationDisplayGroup = ({
     return "";
   };
 
+  const lockedForGVL = useAppSelector(selectLockedForGVL);
+
   return (
     <PrivacyDeclarationTabTable
       heading={heading}
@@ -141,18 +147,20 @@ export const PrivacyDeclarationDisplayGroup = ({
         ) : null
       }
       footerButton={
-        <Button
-          onClick={handleAdd}
-          size="xs"
-          px={2}
-          py={1}
-          backgroundColor="primary.800"
-          color="white"
-          fontWeight="600"
-          rightIcon={<AddIcon />}
-        >
-          Add data use
-        </Button>
+        !lockedForGVL ? (
+          <Button
+            onClick={handleAdd}
+            size="xs"
+            px={2}
+            py={1}
+            backgroundColor="primary.800"
+            color="white"
+            fontWeight="600"
+            rightIcon={<AddIcon />}
+          >
+            Add data use
+          </Button>
+        ) : null
       }
     >
       {declarations.map((pd) => (
@@ -160,7 +168,7 @@ export const PrivacyDeclarationDisplayGroup = ({
           declaration={pd}
           key={pd.id}
           title={declarationTitle(pd)}
-          handleDelete={handleDelete}
+          handleDelete={!lockedForGVL ? handleDelete : undefined}
           handleEdit={handleEdit}
         />
       ))}
diff --git a/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationForm.tsx b/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationForm.tsx
index f5d19c5d4e..f62008d8b5 100644
--- a/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationForm.tsx
+++ b/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationForm.tsx
@@ -7,6 +7,7 @@ import { Form, Formik, FormikHelpers } from "formik";
 import { useMemo } from "react";
 import * as Yup from "yup";
 
+import { useAppSelector } from "~/app/hooks";
 import {
   CustomFieldsList,
   CustomFieldValues,
@@ -19,6 +20,7 @@ import {
   CustomTextInput,
 } from "~/features/common/form/inputs";
 import { FormGuard } from "~/features/common/hooks/useIsAnyFormDirty";
+import { selectLockedForGVL } from "~/features/system/dictionary-form/dict-suggestion.slice";
 import SystemFormInputGroup from "~/features/system/SystemFormInputGroup";
 import {
   DataCategory,
@@ -108,9 +110,11 @@ export const PrivacyDeclarationFormComponents = ({
   values,
   includeCustomFields,
   privacyDeclarationId,
+  lockedForGVL,
 }: DataProps & {
   values: FormValues;
   privacyDeclarationId?: string;
+  lockedForGVL?: boolean;
 }) => {
   const legalBasisForProcessingOptions = useMemo(
     () =>
@@ -157,6 +161,7 @@ export const PrivacyDeclarationFormComponents = ({
           label="Declaration name (optional)"
           name="name"
           tooltip="Would you like to append anything to the system name?"
+          disabled={lockedForGVL}
           variant="stacked"
         />
         <CustomSelect
@@ -170,7 +175,7 @@ export const PrivacyDeclarationFormComponents = ({
           tooltip="For which business purposes is this data processed?"
           variant="stacked"
           isRequired
-          isDisabled={!!privacyDeclarationId}
+          isDisabled={!!privacyDeclarationId || lockedForGVL}
         />
         <CustomSelect
           name="data_categories"
@@ -182,6 +187,7 @@ export const PrivacyDeclarationFormComponents = ({
           tooltip="Which categories of personal data are collected for this purpose?"
           isMulti
           isRequired
+          isDisabled={lockedForGVL}
           variant="stacked"
         />
         <CustomSelect
@@ -193,6 +199,7 @@ export const PrivacyDeclarationFormComponents = ({
           }))}
           tooltip="Who are the subjects for this personal data?"
           isMulti
+          isDisabled={lockedForGVL}
           variant="stacked"
         />
         {/* <CustomSelect
@@ -210,6 +217,7 @@ export const PrivacyDeclarationFormComponents = ({
             options={legalBasisForProcessingOptions}
             tooltip="What is the legal basis under which personal data is processed for this purpose?"
             variant="stacked"
+            isDisabled={lockedForGVL}
           />
           <Collapse
             in={values.legal_basis_for_processing === "Legitimate interests"}
@@ -222,6 +230,7 @@ export const PrivacyDeclarationFormComponents = ({
                 label="Impact assessment location"
                 tooltip="Where is the legitimate interest impact assessment stored?"
                 variant="stacked"
+                disabled={lockedForGVL}
               />
             </Box>
           </Collapse>
@@ -232,6 +241,7 @@ export const PrivacyDeclarationFormComponents = ({
             label="This legal basis is flexible"
             tooltip="Has the vendor declared that the legal basis may be overridden?"
             variant="stacked"
+            isDisabled={lockedForGVL}
           />
         </Box>
         <CustomTextInput
@@ -239,6 +249,7 @@ export const PrivacyDeclarationFormComponents = ({
           label="Retention period (days)"
           tooltip="How long is personal data retained for this purpose?"
           variant="stacked"
+          disabled={lockedForGVL}
         />
       </SystemFormInputGroup>
       <SystemFormInputGroup heading="Features">
@@ -250,6 +261,7 @@ export const PrivacyDeclarationFormComponents = ({
           variant="stacked"
           options={[]}
           disableMenu
+          isDisabled={lockedForGVL}
           isMulti
         />
       </SystemFormInputGroup>
@@ -261,6 +273,7 @@ export const PrivacyDeclarationFormComponents = ({
           tooltip="Is there a dataset configured for this system?"
           isMulti
           variant="stacked"
+          isDisabled={lockedForGVL}
         />
       </SystemFormInputGroup>
       <SystemFormInputGroup heading="Special category data">
@@ -270,6 +283,7 @@ export const PrivacyDeclarationFormComponents = ({
             label="This system processes special category data"
             tooltip="Is this system processing special category data as defined by GDPR Article 9?"
             variant="stacked"
+            isDisabled={lockedForGVL}
           />
           <Collapse
             in={values.processes_special_category_data}
@@ -284,6 +298,7 @@ export const PrivacyDeclarationFormComponents = ({
                 isRequired={values.processes_special_category_data}
                 tooltip="What is the legal basis under which the special category data is processed?"
                 variant="stacked"
+                isDisabled={lockedForGVL}
               />
             </Box>
           </Collapse>
@@ -296,6 +311,7 @@ export const PrivacyDeclarationFormComponents = ({
             label="This system shares data with 3rd parties for this purpose"
             tooltip="Does this system disclose, sell, or share personal data collected for this business use with 3rd parties?"
             variant="stacked"
+            isDisabled={lockedForGVL}
           />
           <Collapse
             in={values.data_shared_with_third_parties}
@@ -308,6 +324,7 @@ export const PrivacyDeclarationFormComponents = ({
                 label="Third parties"
                 tooltip="Which type of third parties is the data shared with?"
                 variant="stacked"
+                disabled={lockedForGVL}
               />
               <CustomSelect
                 name="shared_categories"
@@ -319,6 +336,7 @@ export const PrivacyDeclarationFormComponents = ({
                 tooltip="Which categories of personal data does this system share with third parties?"
                 variant="stacked"
                 isMulti
+                disabled={lockedForGVL}
               />
             </Stack>
           </Collapse>
@@ -336,6 +354,7 @@ export const PrivacyDeclarationFormComponents = ({
           isMulti
           tooltip="Which cookies are placed on consumer domains for this purpose?"
           variant="stacked"
+          isDisabled={lockedForGVL}
         />
       </SystemFormInputGroup>
       {includeCustomFields ? (
@@ -442,6 +461,8 @@ export const PrivacyDeclarationForm = ({
     privacyDeclarationId: passedInInitialValues?.id,
   });
 
+  const lockedForGVL = useAppSelector(selectLockedForGVL);
+
   return (
     <Formik
       enableReinitialize
@@ -453,7 +474,11 @@ export const PrivacyDeclarationForm = ({
         <Form data-testid="declaration-form">
           <FormGuard id="PrivacyDeclaration" name="New Privacy Declaration" />
           <Stack spacing={4}>
-            <PrivacyDeclarationFormComponents values={values} {...dataProps} />
+            <PrivacyDeclarationFormComponents
+              values={values}
+              lockedForGVL={lockedForGVL}
+              {...dataProps}
+            />
             <Flex w="100%">
               <Button
                 variant="outline"
@@ -463,16 +488,20 @@ export const PrivacyDeclarationForm = ({
               >
                 Cancel
               </Button>
-              <Spacer />
-              <Button
-                colorScheme="primary"
-                size="sm"
-                type="submit"
-                disabled={!dirty}
-                data-testid="save-btn"
-              >
-                Save
-              </Button>
+              {!lockedForGVL ? (
+                <>
+                  <Spacer />
+                  <Button
+                    colorScheme="primary"
+                    size="sm"
+                    type="submit"
+                    disabled={!dirty}
+                    data-testid="save-btn"
+                  >
+                    Save
+                  </Button>
+                </>
+              ) : null}
             </Flex>
           </Stack>
         </Form>
diff --git a/clients/admin-ui/src/pages/add-systems/manual.tsx b/clients/admin-ui/src/pages/add-systems/manual.tsx
index 5dc99f0200..048f160708 100644
--- a/clients/admin-ui/src/pages/add-systems/manual.tsx
+++ b/clients/admin-ui/src/pages/add-systems/manual.tsx
@@ -4,10 +4,13 @@ import NextLink from "next/link";
 import { useRouter } from "next/router";
 import React, { useMemo } from "react";
 
+import { useAppSelector } from "~/app/hooks";
 import { useSystemOrDatamapRoute } from "~/features/common/hooks/useSystemOrDatamapRoute";
 import Layout from "~/features/common/Layout";
 import { ADD_SYSTEMS_ROUTE } from "~/features/common/nav/v2/routes";
 import ConnectionTypeLogo from "~/features/datastore-connections/ConnectionTypeLogo";
+import { selectLockedForGVL } from "~/features/system/dictionary-form/dict-suggestion.slice";
+import GVLNotice from "~/features/system/GVLNotice";
 import SystemFormTabs from "~/features/system/SystemFormTabs";
 import { ConnectionSystemTypeMap } from "~/types/api";
 
@@ -39,6 +42,8 @@ const NewManualSystem: NextPage = () => {
     return JSON.parse(value);
   }, [connectorType]);
 
+  const lockedForGVL = useAppSelector(selectLockedForGVL);
+
   return (
     <Layout title="Describe your system">
       <Box mb={4}>
@@ -62,6 +67,7 @@ const NewManualSystem: NextPage = () => {
           </Breadcrumb>
         </Box>
       </Box>
+      {lockedForGVL ? <GVLNotice /> : null}
       <Box w={{ base: "100%", md: "75%" }}>
         <Text fontSize="sm" mb={8}>
           {DESCRIBE_SYSTEM_COPY}
diff --git a/clients/admin-ui/src/pages/systems/configure/[id].tsx b/clients/admin-ui/src/pages/systems/configure/[id].tsx
index 0c5fa32da8..a1fac0e903 100644
--- a/clients/admin-ui/src/pages/systems/configure/[id].tsx
+++ b/clients/admin-ui/src/pages/systems/configure/[id].tsx
@@ -12,7 +12,9 @@ import NextLink from "next/link";
 import { useRouter } from "next/router";
 import { useEffect, useState } from "react";
 
-import { useAppDispatch } from "~/app/hooks";
+import { useAppDispatch, useAppSelector } from "~/app/hooks";
+import { useFeatures } from "~/features/common/features";
+import { extractVendorSource, VendorSources } from "~/features/common/helpers";
 import Layout from "~/features/common/Layout";
 import { SYSTEM_ROUTE } from "~/features/common/nav/v2/routes";
 import { errorToastParams, successToastParams } from "~/features/common/toast";
@@ -21,7 +23,12 @@ import {
   setActiveSystem,
   useGetSystemByFidesKeyQuery,
 } from "~/features/system";
+import {
+  selectLockedForGVL,
+  setLockedForGVL,
+} from "~/features/system/dictionary-form/dict-suggestion.slice";
 import EditSystemFlow from "~/features/system/EditSystemFlow";
+import GVLNotice from "~/features/system/GVLNotice";
 
 const INTEGRATION_TAB_INDEX = 3; // this needs to be updated if the order of the tabs changes
 
@@ -41,10 +48,20 @@ const ConfigureSystem: NextPage = () => {
     skip: !systemId,
   });
   const { isLoading: isDictionaryLoading } = useGetAllDictionaryEntriesQuery();
+  const { tcf: isTCFEnabled } = useFeatures();
+
+  const lockedForGVL = useAppSelector(selectLockedForGVL);
 
   useEffect(() => {
     dispatch(setActiveSystem(system));
-  }, [system, dispatch]);
+    if (system) {
+      const locked =
+        isTCFEnabled &&
+        !!system.vendor_id &&
+        extractVendorSource(system.fides_key) === VendorSources.GVL;
+      dispatch(setLockedForGVL(locked));
+    }
+  }, [system, dispatch, isTCFEnabled]);
 
   useEffect(() => {
     const { status } = router.query;
@@ -83,6 +100,7 @@ const ConfigureSystem: NextPage = () => {
       <Heading mb={2} fontSize="2xl" fontWeight="semibold">
         Configure your system
       </Heading>
+
       <Box mb={8}>
         <Breadcrumb fontWeight="medium" fontSize="sm" color="gray.600">
           <BreadcrumbItem>
@@ -93,6 +111,8 @@ const ConfigureSystem: NextPage = () => {
           </BreadcrumbItem>
         </Breadcrumb>
       </Box>
+
+      {lockedForGVL ? <GVLNotice /> : null}
       {!system && !isLoading && !isDictionaryLoading ? (
         <Text data-testid="system-not-found">
           Could not find a system with id {systemId}

From ce3dd39ee8213cf32503f61cbdeb31223b662078 Mon Sep 17 00:00:00 2001
From: Adrian Galvan <adrian@ethyca.com>
Date: Thu, 9 Nov 2023 20:04:44 -0800
Subject: [PATCH 3/7] Adding support for configuring enabled actions (#4374)

Co-authored-by: Adam Sachs <adam@ethyca.com>
---
 CHANGELOG.md                                  |   4 +-
 .../e2e/system-integrations-plus.cy.ts        |  81 ++++++++
 .../cypress/e2e/system-integrations.cy.ts     |  23 +++
 .../fixtures/connectors/connection_types.json |   3 +-
 .../forms/ConnectorParameters.tsx             |  26 ++-
 .../forms/ConnectorParametersForm.tsx         |  85 +++++++-
 .../system_portal_config/types.ts             |   1 +
 .../admin-ui/src/features/plus/plus.slice.ts  |  42 ++++
 .../models/ConnectionConfigurationResponse.ts |   2 +
 .../api/models/ConnectionSystemTypeMap.ts     |   2 +
 .../v1/endpoints/privacy_request_endpoints.py |  16 +-
 src/fides/api/common_exceptions.py            |   4 +
 src/fides/api/models/manual_webhook.py        |  33 ++--
 .../connection_config.py                      |   6 +-
 .../connection_secrets_mysql.py               |   2 +-
 .../connection_secrets_postgres.py            |   2 +-
 .../connection_secrets_redshift.py            |   2 +-
 .../connection_type_system_map.py             |   4 +-
 .../saas_config_template_values.py            |  23 ++-
 .../api/schemas/saas/connector_template.py    |   4 +-
 src/fides/api/schemas/saas/saas_config.py     |  30 +++
 .../saas/connector_registry_service.py        |  42 ++--
 .../privacy_request/request_runner_service.py |   4 +-
 src/fides/api/task/graph_task.py              |  49 ++++-
 src/fides/api/util/connection_type.py         |  57 ++----
 .../test_connection_config_endpoints.py       |  92 ++++++---
 .../test_connection_template_endpoints.py     |  69 ++++++-
 .../test_policy_webhook_endpoints.py          |   1 +
 tests/ops/api/v1/endpoints/test_system.py     |  77 +++++++-
 tests/ops/graph/test_graph.py                 |   3 +
 .../saas/connector_runner.py                  |   8 +-
 .../integration_tests/test_enabled_actions.py | 187 ++++++++++++++++++
 tests/ops/models/test_manual_webhook.py       |  27 +++
 .../test_connector_registry_service.py        |   3 -
 .../test_connector_template_loaders.py        |   6 +-
 tests/ops/task/test_graph_task.py             |  91 +++++++++
 tests/ops/util/test_connection_type.py        |  32 ++-
 37 files changed, 991 insertions(+), 152 deletions(-)
 create mode 100644 clients/admin-ui/cypress/e2e/system-integrations-plus.cy.ts
 create mode 100644 tests/ops/integration_tests/test_enabled_actions.py

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 692b26cd55..60b0653f2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,10 +28,8 @@ The types of changes are:
 - Erasure support for Qualtrics [#4371](https://github.com/ethyca/fides/pull/4371)
 - Erasure support for Ada Chatbot [#4382](https://github.com/ethyca/fides/pull/4382)
 - Erasure support for Typeform [#4366](https://github.com/ethyca/fides/pull/4366)
-
-## Added
-
 - Added notice that a system is GVL when adding/editing from system form [#4327](https://github.com/ethyca/fides/pull/4327)
+- Added the ability to select the request types to enable per integration (for plus users) [#4374](https://github.com/ethyca/fides/pull/4374)
 
 ### Changed
 - Add filtering and pagination to bulk vendor add table [#4351](https://github.com/ethyca/fides/pull/4351)
diff --git a/clients/admin-ui/cypress/e2e/system-integrations-plus.cy.ts b/clients/admin-ui/cypress/e2e/system-integrations-plus.cy.ts
new file mode 100644
index 0000000000..9d55ad8738
--- /dev/null
+++ b/clients/admin-ui/cypress/e2e/system-integrations-plus.cy.ts
@@ -0,0 +1,81 @@
+import { stubPlus, stubSystemCrud } from "cypress/support/stubs";
+
+import { SYSTEM_ROUTE } from "~/features/common/nav/v2/routes";
+
+describe("System integrations", () => {
+  beforeEach(() => {
+    cy.login();
+    cy.intercept("GET", "/api/v1/system", {
+      fixture: "systems/systems.json",
+    }).as("getSystems");
+    cy.intercept("GET", "/api/v1/connection_type*", {
+      fixture: "connectors/connection_types.json",
+    }).as("getConnectionTypes");
+    cy.intercept("GET", "/api/v1/connection_type/postgres/secret", {
+      fixture: "connectors/postgres_secret.json",
+    }).as("getPostgresConnectorSecret");
+    stubPlus(true);
+    stubSystemCrud();
+    cy.visit(SYSTEM_ROUTE);
+  });
+
+  it("should render the integration configuration panel when navigating to integrations tab", () => {
+    cy.getByTestId("system-fidesctl_system").within(() => {
+      cy.getByTestId("more-btn").click();
+      cy.getByTestId("edit-btn").click();
+    });
+    cy.getByTestId("tab-Integrations").click();
+    cy.getByTestId("tab-panel-Integrations").should("exist");
+  });
+
+  describe("Integration search", () => {
+    beforeEach(() => {
+      cy.getByTestId("system-fidesctl_system").within(() => {
+        cy.getByTestId("more-btn").click();
+        cy.getByTestId("edit-btn").click();
+      });
+      cy.getByTestId("tab-Integrations").click();
+      cy.getByTestId("select-dropdown-btn").click();
+    });
+
+    it("should display Shopify when searching with upper case letters", () => {
+      cy.getByTestId("input-search-integrations").type("Sho");
+      cy.getByTestId("select-dropdown-list")
+        .find('[role="menuitem"] p')
+        .should("contain.text", "Shopify");
+    });
+
+    it("should display Shopify when searching with lower case letters", () => {
+      cy.getByTestId("input-search-integrations").type("sho");
+      cy.getByTestId("select-dropdown-list")
+        .find('[role="menuitem"] p')
+        .should("contain.text", "Shopify");
+    });
+  });
+
+  describe("Integration form contents", () => {
+    beforeEach(() => {
+      cy.getByTestId("system-fidesctl_system").within(() => {
+        cy.getByTestId("more-btn").click();
+        cy.getByTestId("edit-btn").click();
+      });
+      cy.getByTestId("tab-Integrations").click();
+      cy.getByTestId("select-dropdown-btn").click();
+
+      cy.getByTestId("input-search-integrations").type("PostgreSQL");
+      cy.getByTestId("select-dropdown-list")
+        .contains('[role="menuitem"]', "PostgreSQL")
+        .click();
+    });
+
+    // Verify Postgres shows access and erasure by default
+    it("should display Request types (enabled-actions) field", () => {
+      cy.getByTestId("enabled-actions").should("exist");
+      cy.getByTestId("enabled-actions").within(() => {
+        cy.contains("access");
+        cy.contains("erasure");
+        cy.contains("consent").should("not.exist");
+      });
+    });
+  });
+});
diff --git a/clients/admin-ui/cypress/e2e/system-integrations.cy.ts b/clients/admin-ui/cypress/e2e/system-integrations.cy.ts
index 8b0535d744..e4f523a878 100644
--- a/clients/admin-ui/cypress/e2e/system-integrations.cy.ts
+++ b/clients/admin-ui/cypress/e2e/system-integrations.cy.ts
@@ -11,6 +11,9 @@ describe("System integrations", () => {
     cy.intercept("GET", "/api/v1/connection_type*", {
       fixture: "connectors/connection_types.json",
     }).as("getConnectionTypes");
+    cy.intercept("GET", "/api/v1/connection_type/postgres/secret", {
+      fixture: "connectors/postgres_secret.json",
+    }).as("getPostgresConnectorSecret");
     stubPlus(false);
     stubSystemCrud();
     cy.visit(SYSTEM_ROUTE);
@@ -49,4 +52,24 @@ describe("System integrations", () => {
         .should("contain.text", "Shopify");
     });
   });
+
+  describe("Integration form contents", () => {
+    beforeEach(() => {
+      cy.getByTestId("system-fidesctl_system").within(() => {
+        cy.getByTestId("more-btn").click();
+        cy.getByTestId("edit-btn").click();
+      });
+      cy.getByTestId("tab-Integrations").click();
+      cy.getByTestId("select-dropdown-btn").click();
+
+      cy.getByTestId("input-search-integrations").type("PostgreSQL");
+      cy.getByTestId("select-dropdown-list")
+        .contains('[role="menuitem"]', "PostgreSQL")
+        .click();
+    });
+
+    it("should not Request types (enabled-actions) field", () => {
+      cy.getByTestId("enabled-actions").should("not.exist");
+    });
+  });
 });
diff --git a/clients/admin-ui/cypress/fixtures/connectors/connection_types.json b/clients/admin-ui/cypress/fixtures/connectors/connection_types.json
index e3426a058c..01c55ea9e9 100644
--- a/clients/admin-ui/cypress/fixtures/connectors/connection_types.json
+++ b/clients/admin-ui/cypress/fixtures/connectors/connection_types.json
@@ -34,7 +34,8 @@
       "identifier": "postgres",
       "type": "database",
       "human_readable": "PostgreSQL",
-      "encoded_icon": null
+      "encoded_icon": null,
+      "supported_actions": ["access", "erasure"]
     },
     {
       "identifier": "redshift",
diff --git a/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParameters.tsx b/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParameters.tsx
index 700ebd6460..f61734eacf 100644
--- a/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParameters.tsx
+++ b/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParameters.tsx
@@ -18,11 +18,16 @@ import { useMemo, useState } from "react";
 
 import { useAppDispatch, useAppSelector } from "~/app/hooks";
 import DocsLink from "~/features/common/DocsLink";
+import { useFeatures } from "~/features/common/features";
 import RightArrow from "~/features/common/Icon/RightArrow";
 import { DEFAULT_TOAST_PARAMS } from "~/features/common/toast";
 import { useGetConnectionTypeSecretSchemaQuery } from "~/features/connection-type";
 import TestConnectionMessage from "~/features/datastore-connections/system_portal_config/TestConnectionMessage";
 import TestData from "~/features/datastore-connections/TestData";
+import {
+  useCreatePlusSaasConnectionConfigMutation,
+  usePatchPlusSystemConnectionConfigsMutation,
+} from "~/features/plus/plus.slice";
 import {
   ConnectionConfigSecretsRequest,
   selectActiveSystem,
@@ -33,6 +38,7 @@ import {
 } from "~/features/system/system.slice";
 import {
   AccessLevel,
+  ActionType,
   BulkPutConnectionConfiguration,
   ConnectionConfigurationResponse,
   ConnectionSystemTypeMap,
@@ -80,6 +86,9 @@ const createSaasConnector = async (
     instance_key: generateIntegrationKey(systemFidesKey, connectionOption),
     saas_connector_type: connectionOption.identifier,
     secrets: {},
+    ...(values.enabled_actions
+      ? { enabled_actions: values.enabled_actions }
+      : {}),
   };
 
   const params: CreateSaasConnectionConfig = {
@@ -111,6 +120,7 @@ export const patchConnectionConfig = async (
     ? connectionConfig.key
     : generateIntegrationKey(systemFidesKey, connectionOption);
 
+  // the enabled_actions are conditionally added if plus is enabled
   const params1: Omit<ConnectionConfigurationResponse, "created_at" | "name"> =
     {
       access: AccessLevel.WRITE,
@@ -120,6 +130,9 @@ export const patchConnectionConfig = async (
       description: values.description,
       disabled: false,
       key,
+      ...(values.enabled_actions
+        ? { enabled_actions: values.enabled_actions as ActionType[] }
+        : {}),
     };
   const payload = await patchFunc({
     systemFidesKey,
@@ -211,15 +224,20 @@ export const useConnectorForm = ({
   });
 
   const [createSassConnectionConfig] = useCreateSassConnectionConfigMutation();
+  const [createPlusSaasConnectionConfig] =
+    useCreatePlusSaasConnectionConfigMutation();
   const [getAuthorizationUrl] = useLazyGetAuthorizationUrlQuery();
   const [updateSystemConnectionSecrets] =
     usePatchSystemConnectionSecretsMutation();
   const [patchDatastoreConnection] = usePatchSystemConnectionConfigsMutation();
+  const [patchPlusDatastoreConnection] =
+    usePatchPlusSystemConnectionConfigsMutation();
   const [deleteDatastoreConnection, deleteDatastoreConnectionResult] =
     useDeleteSystemConnectionConfigMutation();
   const { data: allDatasetConfigs } = useGetConnectionConfigDatasetConfigsQuery(
     connectionConfig?.key || ""
   );
+  const { plus: isPlusEnabled } = useFeatures();
 
   const originalSecrets = useMemo(
     () => (connectionConfig ? { ...connectionConfig.secrets } : {}),
@@ -255,7 +273,9 @@ export const useConnectorForm = ({
           secretsSchema!,
           connectionOption,
           systemFidesKey,
-          createSassConnectionConfig
+          isPlusEnabled
+            ? createPlusSaasConnectionConfig
+            : createSassConnectionConfig
         );
         // eslint-disable-next-line no-param-reassign
         connectionConfig = response.connection;
@@ -265,7 +285,9 @@ export const useConnectorForm = ({
           connectionOption,
           systemFidesKey,
           connectionConfig!,
-          patchDatastoreConnection
+          isPlusEnabled
+            ? patchPlusDatastoreConnection
+            : patchDatastoreConnection
         );
         if (
           !connectionConfig &&
diff --git a/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParametersForm.tsx b/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParametersForm.tsx
index 056b275bbf..6f91c09991 100644
--- a/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParametersForm.tsx
+++ b/clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/ConnectorParametersForm.tsx
@@ -1,4 +1,5 @@
 import {
+  Box,
   Button,
   ButtonGroup,
   CircleHelpIcon,
@@ -16,7 +17,7 @@ import {
   Tooltip,
   VStack,
 } from "@fidesui/react";
-import { Option } from "common/form/inputs";
+import { Option, SelectInput } from "common/form/inputs";
 import {
   ConnectionTypeSecretSchemaProperty,
   ConnectionTypeSecretSchemaReponse,
@@ -28,6 +29,7 @@ import _ from "lodash";
 import React from "react";
 import { DatastoreConnectionStatus } from "src/features/datastore-connections/types";
 
+import { useFeatures } from "~/features/common/features";
 import DisableConnectionModal from "~/features/datastore-connections/DisableConnectionModal";
 import DatasetConfigField from "~/features/datastore-connections/system_portal_config/forms/fields/DatasetConfigField/DatasetConfigField";
 import {
@@ -95,6 +97,7 @@ const ConnectorParametersForm: React.FC<ConnectorParametersFormProps> = ({
 }) => {
   const [trigger, { isLoading, isFetching }] =
     useLazyGetDatastoreConnectionStatusQuery();
+  const { plus: isPlusEnabled } = useFeatures();
 
   const validateField = (label: string, value: string, type?: string) => {
     let error;
@@ -228,6 +231,9 @@ const ConnectorParametersForm: React.FC<ConnectorParametersFormProps> = ({
         connectionConfig.connection_type === ConnectionType.SAAS
           ? (connectionConfig.saas_config?.fides_key as string)
           : connectionConfig.key;
+      initialValues.enabled_actions = (
+        connectionConfig.enabled_actions || []
+      ).map((action) => action.toString());
 
       // @ts-ignore
       initialValues.secrets = { ...connectionConfig.secrets };
@@ -248,6 +254,13 @@ const ConnectorParametersForm: React.FC<ConnectorParametersFormProps> = ({
 
       return initialValues;
     }
+
+    if (_.isEmpty(initialValues.enabled_actions)) {
+      initialValues.enabled_actions = connectionOption.supported_actions.map(
+        (action) => action.toString()
+      );
+    }
+
     return fillInDefaults(initialValues, secretsSchema);
   };
 
@@ -351,7 +364,7 @@ const ConnectorParametersForm: React.FC<ConnectorParametersFormProps> = ({
                 <Field id="instance_key" name="instance_key">
                   {({ field }: { field: FieldInputProps<string> }) => (
                     <FormControl display="flex">
-                      {getFormLabel("instance_key", "Integration Identifier")}
+                      {getFormLabel("instance_key", "Integration identifier")}
                       <VStack align="flex-start" w="inherit">
                         <Input
                           {...field}
@@ -386,7 +399,6 @@ const ConnectorParametersForm: React.FC<ConnectorParametersFormProps> = ({
                 </Field>
               )}
               {/* Dynamic connector secret fields */}
-
               {connectionOption.type !== SystemType.MANUAL && secretsSchema
                 ? Object.entries(secretsSchema.properties).map(
                     ([key, item]) => {
@@ -398,6 +410,73 @@ const ConnectorParametersForm: React.FC<ConnectorParametersFormProps> = ({
                     }
                   )
                 : null}
+              {isPlusEnabled &&
+                connectionOption.supported_actions.length > 1 && (
+                  <Field
+                    id="enabled_actions"
+                    name="enabled_actions"
+                    validate={(value: string[]) => {
+                      let error;
+                      if (!value || value.length === 0) {
+                        error = "At least one request type must be selected";
+                      }
+                      return error;
+                    }}
+                  >
+                    {({
+                      field,
+                      form,
+                    }: {
+                      field: FieldInputProps<string>;
+                      form: any;
+                    }) => (
+                      <FormControl
+                        data-testid="enabled-actions"
+                        display="flex"
+                        isInvalid={
+                          form.touched.enabled_actions &&
+                          form.errors.enabled_actions
+                        }
+                        isRequired
+                      >
+                        {/* Known as enabled_actions throughout the front-end and back-end but it's displayed to the user as "Request types" */}
+                        {getFormLabel("enabled_actions", "Request types")}
+                        <VStack align="flex-start" w="inherit">
+                          <Box width="100%">
+                            <SelectInput
+                              options={connectionOption.supported_actions.map(
+                                (action) => ({
+                                  label: action,
+                                  value: action,
+                                })
+                              )}
+                              fieldName={field.name}
+                              size="sm"
+                              isMulti
+                            />
+                          </Box>
+                          <FormErrorMessage>
+                            {props.errors.enabled_actions}
+                          </FormErrorMessage>
+                        </VStack>
+                        <Tooltip
+                          aria-label="The request types that are supported for this integration."
+                          hasArrow
+                          label="The request types that are supported for this integration."
+                          placement="right-start"
+                          openDelay={500}
+                        >
+                          <Flex alignItems="center" h="32px">
+                            <CircleHelpIcon
+                              marginLeft="8px"
+                              _hover={{ cursor: "pointer" }}
+                            />
+                          </Flex>
+                        </Tooltip>
+                      </FormControl>
+                    )}
+                  </Field>
+                )}
               {SystemType.DATABASE === connectionOption.type &&
               !isCreatingConnectionConfig ? (
                 <DatasetConfigField
diff --git a/clients/admin-ui/src/features/datastore-connections/system_portal_config/types.ts b/clients/admin-ui/src/features/datastore-connections/system_portal_config/types.ts
index 6cb19f8280..3f0f6bfb6d 100644
--- a/clients/admin-ui/src/features/datastore-connections/system_portal_config/types.ts
+++ b/clients/admin-ui/src/features/datastore-connections/system_portal_config/types.ts
@@ -12,6 +12,7 @@ export type ConnectionConfigFormValues = {
   description: string;
   name: string;
   instance_key?: string;
+  enabled_actions?: string[];
   [key: string]: any;
 };
 
diff --git a/clients/admin-ui/src/features/plus/plus.slice.ts b/clients/admin-ui/src/features/plus/plus.slice.ts
index 788bd9bf17..34d1ef53cb 100644
--- a/clients/admin-ui/src/features/plus/plus.slice.ts
+++ b/clients/admin-ui/src/features/plus/plus.slice.ts
@@ -1,17 +1,21 @@
 import { createSelector } from "@reduxjs/toolkit";
 
 import type { RootState } from "~/app/store";
+import { CONNECTION_ROUTE } from "~/constants";
 import { baseApi } from "~/features/common/api.slice";
 import {
   selectActiveCollection,
   selectActiveDatasetFidesKey,
   selectActiveField,
 } from "~/features/dataset/dataset.slice";
+import { CreateSaasConnectionConfig } from "~/features/datastore-connections";
+import { CreateSaasConnectionConfigResponse } from "~/features/datastore-connections/types";
 import { selectSystemsToClassify } from "~/features/system";
 import {
   AllowList,
   AllowListUpdate,
   BulkCustomFieldRequest,
+  BulkPutConnectionConfiguration,
   ClassificationResponse,
   ClassifyCollection,
   ClassifyDatasetResponse,
@@ -22,6 +26,7 @@ import {
   ClassifyStatusUpdatePayload,
   ClassifySystem,
   CloudConfig,
+  ConnectionConfigurationResponse,
   CustomAssetType,
   CustomFieldDefinition,
   CustomFieldDefinitionWithId,
@@ -327,6 +332,41 @@ const plusApi = baseApi.injectEndpoints({
       }),
       invalidatesTags: () => ["Custom Assets"],
     }),
+    patchPlusSystemConnectionConfigs: build.mutation<
+      BulkPutConnectionConfiguration,
+      {
+        systemFidesKey: string;
+        connectionConfigs: (Omit<
+          ConnectionConfigurationResponse,
+          "created_at"
+        > & {
+          enabled_actions?: string[];
+        })[];
+      }
+    >({
+      query: ({ systemFidesKey, connectionConfigs }) => ({
+        url: `/plus/system/${systemFidesKey}/connection`,
+        method: "PATCH",
+        body: connectionConfigs,
+      }),
+      invalidatesTags: ["Datamap", "System", "Datastore Connection"],
+    }),
+    createPlusSaasConnectionConfig: build.mutation<
+      CreateSaasConnectionConfigResponse,
+      CreateSaasConnectionConfig
+    >({
+      query: (params) => {
+        const url = `/plus/system/${params.systemFidesKey}${CONNECTION_ROUTE}/instantiate/${params.connectionConfig.saas_connector_type}`;
+
+        return {
+          url,
+          method: "POST",
+          body: { ...params.connectionConfig },
+        };
+      },
+      // Creating a connection config also creates a dataset behind the scenes
+      invalidatesTags: () => ["Datastore Connection", "Datasets", "System"],
+    }),
   }),
 });
 
@@ -360,6 +400,8 @@ export const {
   usePostSystemVendorsMutation,
   useGetSystemHistoryQuery,
   useUpdateCustomAssetMutation,
+  usePatchPlusSystemConnectionConfigsMutation,
+  useCreatePlusSaasConnectionConfigMutation,
 } = plusApi;
 
 export const selectHealth: (state: RootState) => HealthCheck | undefined =
diff --git a/clients/admin-ui/src/types/api/models/ConnectionConfigurationResponse.ts b/clients/admin-ui/src/types/api/models/ConnectionConfigurationResponse.ts
index b1143f050f..9060c70d33 100644
--- a/clients/admin-ui/src/types/api/models/ConnectionConfigurationResponse.ts
+++ b/clients/admin-ui/src/types/api/models/ConnectionConfigurationResponse.ts
@@ -3,6 +3,7 @@
 /* eslint-disable */
 
 import type { AccessLevel } from "./AccessLevel";
+import type { ActionType } from "./ActionType";
 import type { ConnectionType } from "./ConnectionType";
 import type { SaaSConfigBase } from "./SaaSConfigBase";
 
@@ -23,4 +24,5 @@ export type ConnectionConfigurationResponse = {
   saas_config?: SaaSConfigBase;
   secrets?: any;
   authorized?: boolean;
+  enabled_actions?: Array<ActionType>;
 };
diff --git a/clients/admin-ui/src/types/api/models/ConnectionSystemTypeMap.ts b/clients/admin-ui/src/types/api/models/ConnectionSystemTypeMap.ts
index 59f76dfe08..2216b965e6 100644
--- a/clients/admin-ui/src/types/api/models/ConnectionSystemTypeMap.ts
+++ b/clients/admin-ui/src/types/api/models/ConnectionSystemTypeMap.ts
@@ -2,6 +2,7 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { ActionType } from "./ActionType";
 import type { ConnectionType } from "./ConnectionType";
 import type { SystemType } from "./SystemType";
 
@@ -15,4 +16,5 @@ export type ConnectionSystemTypeMap = {
   encoded_icon?: string;
   authorization_required?: boolean;
   user_guide?: string;
+  supported_actions: Array<ActionType>;
 };
diff --git a/src/fides/api/api/v1/endpoints/privacy_request_endpoints.py b/src/fides/api/api/v1/endpoints/privacy_request_endpoints.py
index 341864ccfc..686f5479dd 100644
--- a/src/fides/api/api/v1/endpoints/privacy_request_endpoints.py
+++ b/src/fides/api/api/v1/endpoints/privacy_request_endpoints.py
@@ -1655,19 +1655,21 @@ def resume_privacy_request_from_requires_input(
             detail=f"Cannot resume privacy request from 'requires_input': privacy request '{privacy_request.id}' status = {privacy_request.status.value}.",  # type: ignore
         )
 
+    action_type = None
+    if privacy_request.policy.get_rules_for_action(ActionType.access):
+        action_type = ActionType.access
+    elif privacy_request.policy.get_rules_for_action(ActionType.erasure):
+        action_type = ActionType.erasure
+
     access_manual_webhooks: List[AccessManualWebhook] = AccessManualWebhook.get_enabled(
-        db
+        db, action_type
     )
     try:
         for manual_webhook in access_manual_webhooks:
             # check the access or erasure cache based on the privacy request's action type
-            if privacy_request.policy.get_rules_for_action(
-                action_type=ActionType.access
-            ):
+            if action_type == ActionType.access:
                 privacy_request.get_manual_webhook_access_input_strict(manual_webhook)
-            if privacy_request.policy.get_rules_for_action(
-                action_type=ActionType.erasure
-            ):
+            if action_type == ActionType.erasure:
                 privacy_request.get_manual_webhook_erasure_input_strict(manual_webhook)
     except (
         NoCachedManualWebhookEntry,
diff --git a/src/fides/api/common_exceptions.py b/src/fides/api/common_exceptions.py
index 952f165ea2..d1d26b311d 100644
--- a/src/fides/api/common_exceptions.py
+++ b/src/fides/api/common_exceptions.py
@@ -131,6 +131,10 @@ class CollectionDisabled(BaseException):
     """Collection is attached to disabled ConnectionConfig"""
 
 
+class ActionDisabled(BaseException):
+    """Collection is attached to a ConnectionConfig that has not enabled the given action"""
+
+
 class NotSupportedForCollection(BaseException):
     """The given action is not supported for this type of collection"""
 
diff --git a/src/fides/api/models/manual_webhook.py b/src/fides/api/models/manual_webhook.py
index 76108a1e86..a38ced8b83 100644
--- a/src/fides/api/models/manual_webhook.py
+++ b/src/fides/api/models/manual_webhook.py
@@ -1,7 +1,7 @@
 from typing import Any, Dict, List, Optional
 
 from pydantic import BaseConfig, create_model
-from sqlalchemy import Column, ForeignKey, String, text
+from sqlalchemy import Column, ForeignKey, String, or_, text
 from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.ext.mutable import MutableList
 from sqlalchemy.orm import Session, relationship
@@ -9,6 +9,7 @@
 from fides.api.db.base_class import Base
 from fides.api.models.connectionconfig import ConnectionConfig
 from fides.api.schemas.base_class import FidesSchema
+from fides.api.schemas.policy import ActionType
 
 
 class AccessManualWebhook(Base):
@@ -103,15 +104,25 @@ def empty_fields_dict(self) -> Dict[str, None]:
         }
 
     @classmethod
-    def get_enabled(cls, db: Session) -> List["AccessManualWebhook"]:
+    def get_enabled(
+        cls, db: Session, action_type: Optional[ActionType] = None
+    ) -> List["AccessManualWebhook"]:
         """Get all enabled access manual webhooks with fields"""
-        return (
-            db.query(cls)
-            .filter(
-                AccessManualWebhook.connection_config_id == ConnectionConfig.id,
-                ConnectionConfig.disabled.is_(False),
-                AccessManualWebhook.fields != text("'null'"),
-                AccessManualWebhook.fields != "[]",
-            )
-            .all()
+
+        query = db.query(cls).filter(
+            AccessManualWebhook.connection_config_id == ConnectionConfig.id,
+            ConnectionConfig.disabled.is_(False),
+            AccessManualWebhook.fields != text("'null'"),
+            AccessManualWebhook.fields != "[]",
         )
+
+        # Add action_type filter only if action_type is provided
+        if action_type is not None:
+            query = query.filter(
+                or_(
+                    ConnectionConfig.enabled_actions.contains([action_type]),
+                    ConnectionConfig.enabled_actions.is_(None),
+                )
+            )
+
+        return query.all()
diff --git a/src/fides/api/schemas/connection_configuration/connection_config.py b/src/fides/api/schemas/connection_configuration/connection_config.py
index 6bbba89105..ab8638e7ed 100644
--- a/src/fides/api/schemas/connection_configuration/connection_config.py
+++ b/src/fides/api/schemas/connection_configuration/connection_config.py
@@ -28,14 +28,13 @@ class CreateConnectionConfiguration(BaseModel):
     access: AccessLevel
     disabled: Optional[bool] = False
     description: Optional[str]
-    enabled_actions: Optional[List[ActionType]] = None
 
     class Config:
         """Restrict adding other fields through this schema and set orm_mode to support mapping to ConnectionConfig"""
 
         orm_mode = True
         use_enum_values = True
-        extra = Extra.forbid
+        extra = Extra.ignore
 
 
 class CreateConnectionConfigurationWithSecrets(CreateConnectionConfiguration):
@@ -46,7 +45,7 @@ class CreateConnectionConfigurationWithSecrets(CreateConnectionConfiguration):
 
     class Config:
         orm_mode = True
-        extra = Extra.forbid
+        extra = Extra.ignore
 
 
 def mask_sensitive_fields(
@@ -110,6 +109,7 @@ class ConnectionConfigurationResponse(BaseModel):
     saas_config: Optional[SaaSConfigBase]
     secrets: Optional[Dict[str, Any]]
     authorized: Optional[bool] = False
+    enabled_actions: Optional[List[ActionType]]
 
     @root_validator()
     def mask_sensitive_values(cls, values: Dict[str, Any]) -> Dict[str, Any]:
diff --git a/src/fides/api/schemas/connection_configuration/connection_secrets_mysql.py b/src/fides/api/schemas/connection_configuration/connection_secrets_mysql.py
index 71e9e9ab1e..44a0c8c010 100644
--- a/src/fides/api/schemas/connection_configuration/connection_secrets_mysql.py
+++ b/src/fides/api/schemas/connection_configuration/connection_secrets_mysql.py
@@ -37,7 +37,7 @@ class MySQLSchema(ConnectionConfigSecretsSchema):
     )
     ssh_required: bool = Field(
         False,
-        title="SSH Required",
+        title="SSH required",
         description="Indicates whether an SSH tunnel is required for the connection. Enable this option if your MySQL server is behind a firewall and requires SSH tunneling for remote connections.",
     )
 
diff --git a/src/fides/api/schemas/connection_configuration/connection_secrets_postgres.py b/src/fides/api/schemas/connection_configuration/connection_secrets_postgres.py
index f80f2a8310..0966c79981 100644
--- a/src/fides/api/schemas/connection_configuration/connection_secrets_postgres.py
+++ b/src/fides/api/schemas/connection_configuration/connection_secrets_postgres.py
@@ -41,7 +41,7 @@ class PostgreSQLSchema(ConnectionConfigSecretsSchema):
     )
     ssh_required: bool = Field(
         False,
-        title="SSH Required",
+        title="SSH required",
         description="Indicates whether an SSH tunnel is required for the connection. Enable this option if your PostgreSQL server is behind a firewall and requires SSH tunneling for remote connections.",
     )
 
diff --git a/src/fides/api/schemas/connection_configuration/connection_secrets_redshift.py b/src/fides/api/schemas/connection_configuration/connection_secrets_redshift.py
index d4c9008db0..ccff0d3941 100644
--- a/src/fides/api/schemas/connection_configuration/connection_secrets_redshift.py
+++ b/src/fides/api/schemas/connection_configuration/connection_secrets_redshift.py
@@ -40,7 +40,7 @@ class RedshiftSchema(ConnectionConfigSecretsSchema):
     )
     ssh_required: bool = Field(
         False,
-        title="SSH Required",
+        title="SSH required",
         description="Indicates whether an SSH tunnel is required for the connection. Enable this option if your Redshift database is behind a firewall and requires SSH tunneling for remote connections.",
     )
 
diff --git a/src/fides/api/schemas/connection_configuration/connection_type_system_map.py b/src/fides/api/schemas/connection_configuration/connection_type_system_map.py
index d31fb4c615..a94afefc9e 100644
--- a/src/fides/api/schemas/connection_configuration/connection_type_system_map.py
+++ b/src/fides/api/schemas/connection_configuration/connection_type_system_map.py
@@ -1,9 +1,10 @@
-from typing import Optional, Union
+from typing import List, Optional, Union
 
 from pydantic import BaseModel
 
 from fides.api.models.connectionconfig import ConnectionType
 from fides.api.schemas.connection_configuration.enums.system_type import SystemType
+from fides.api.schemas.policy import ActionType
 
 
 class ConnectionSystemTypeMap(BaseModel):
@@ -17,6 +18,7 @@ class ConnectionSystemTypeMap(BaseModel):
     encoded_icon: Optional[str]
     authorization_required: Optional[bool] = False
     user_guide: Optional[str]
+    supported_actions: List[ActionType]
 
     class Config:
         """Use enum values and set orm mode"""
diff --git a/src/fides/api/schemas/connection_configuration/saas_config_template_values.py b/src/fides/api/schemas/connection_configuration/saas_config_template_values.py
index 1ba0fad11f..f8485a5d1d 100644
--- a/src/fides/api/schemas/connection_configuration/saas_config_template_values.py
+++ b/src/fides/api/schemas/connection_configuration/saas_config_template_values.py
@@ -1,8 +1,9 @@
-from typing import Optional
+from typing import Any, Dict, Optional
 
 from fideslang.validation import FidesKey
-from pydantic import BaseModel
+from pydantic import BaseModel, Extra
 
+from fides.api.models.connectionconfig import AccessLevel, ConnectionType
 from fides.api.schemas.connection_configuration import connection_secrets_schemas
 
 
@@ -14,3 +15,21 @@ class SaasConnectionTemplateValues(BaseModel):
     description: Optional[str]  # For ConnectionConfig
     secrets: connection_secrets_schemas  # For ConnectionConfig
     instance_key: FidesKey  # For DatasetConfig.fides_key
+
+    class Config:
+        extra = Extra.ignore
+
+    def generate_config_data_from_template(
+        self, config_from_template: Dict
+    ) -> Dict[str, Any]:
+        """Generate a config data object (dict) based on the template values"""
+        data = {
+            "key": self.key if self.key else self.instance_key,
+            "description": self.description,
+            "connection_type": ConnectionType.saas,
+            "access": AccessLevel.write,  # does this need to be passed as a method arg instead?
+            "saas_config": config_from_template,
+        }
+        if self.name:
+            data["name"] = self.name
+        return data
diff --git a/src/fides/api/schemas/saas/connector_template.py b/src/fides/api/schemas/saas/connector_template.py
index 585507d9b7..6cec2450aa 100644
--- a/src/fides/api/schemas/saas/connector_template.py
+++ b/src/fides/api/schemas/saas/connector_template.py
@@ -1,8 +1,9 @@
-from typing import Optional
+from typing import List, Optional
 
 from fideslang.models import Dataset
 from pydantic import BaseModel, validator
 
+from fides.api.schemas.policy import ActionType
 from fides.api.schemas.saas.saas_config import SaaSConfig
 from fides.api.util.saas_util import load_config_from_string, load_dataset_from_string
 
@@ -19,6 +20,7 @@ class ConnectorTemplate(BaseModel):
     human_readable: str
     authorization_required: bool
     user_guide: Optional[str]
+    supported_actions: List[ActionType]
 
     @validator("config")
     def validate_config(cls, config: str) -> str:
diff --git a/src/fides/api/schemas/saas/saas_config.py b/src/fides/api/schemas/saas/saas_config.py
index 577f0ce9d1..4a2a41a40d 100644
--- a/src/fides/api/schemas/saas/saas_config.py
+++ b/src/fides/api/schemas/saas/saas_config.py
@@ -15,6 +15,7 @@
 )
 from fides.api.schemas.base_class import FidesSchema
 from fides.api.schemas.limiter.rate_limit_config import RateLimitConfig
+from fides.api.schemas.policy import ActionType
 from fides.api.schemas.saas.shared_schemas import HTTPMethod
 
 
@@ -478,6 +479,35 @@ def resolve_param_reference(
             reference = FidesDatasetReference.parse_obj(secrets[reference])
         return reference
 
+    @property
+    def supported_actions(self) -> List[ActionType]:
+        """Returns a list containing the privacy actions supported by the SaaS config."""
+
+        supported_actions = []
+
+        # check for access
+        if any(
+            requests.read
+            for requests in [endpoint.requests for endpoint in self.endpoints]
+        ):
+            supported_actions.append(ActionType.access)
+
+        # check for erasure
+        if (
+            any(
+                request.update or request.delete
+                for request in [endpoint.requests for endpoint in self.endpoints]
+            )
+            or self.data_protection_request
+        ):
+            supported_actions.append(ActionType.erasure)
+
+        # check for consent
+        if self.consent_requests:
+            supported_actions.append(ActionType.consent)
+
+        return supported_actions
+
 
 class SaaSConfigValidationDetails(FidesSchema):
     """
diff --git a/src/fides/api/service/connectors/saas/connector_registry_service.py b/src/fides/api/service/connectors/saas/connector_registry_service.py
index 8879a6d461..7799287aa4 100644
--- a/src/fides/api/service/connectors/saas/connector_registry_service.py
+++ b/src/fides/api/service/connectors/saas/connector_registry_service.py
@@ -13,11 +13,7 @@
 from fides.api.api.deps import get_api_session
 from fides.api.common_exceptions import ValidationError
 from fides.api.cryptography.cryptographic_util import str_to_b64_str
-from fides.api.models.connectionconfig import (
-    AccessLevel,
-    ConnectionConfig,
-    ConnectionType,
-)
+from fides.api.models.connectionconfig import ConnectionConfig
 from fides.api.models.custom_connector_template import CustomConnectorTemplate
 from fides.api.models.datasetconfig import DatasetConfig
 from fides.api.schemas.connection_configuration.saas_config_template_values import (
@@ -70,15 +66,15 @@ def _load_connector_templates(self) -> None:
         logger.info("Loading connectors templates from the data/saas directory")
         for file in os.listdir("data/saas/config"):
             if file.endswith(".yml"):
-                config_file = os.path.join("data/saas/config", file)
-                config_dict = load_config(config_file)
-                connector_type = config_dict["type"]
-                human_readable = config_dict["name"]
-                user_guide = config_dict.get("user_guide")
-                authentication = config_dict["client_config"].get("authentication")
+                config_path = os.path.join("data/saas/config", file)
+                config = SaaSConfig(**load_config(config_path))
+
+                connector_type = config.type
+
+                authentication = config.client_config.authentication
                 authorization_required = (
                     authentication is not None
-                    and authentication.get("strategy")
+                    and authentication.strategy
                     == OAuth2AuthorizationCodeAuthenticationStrategy.name
                 )
 
@@ -95,14 +91,15 @@ def _load_connector_templates(self) -> None:
                     FileConnectorTemplateLoader.get_connector_templates()[
                         connector_type
                     ] = ConnectorTemplate(
-                        config=load_yaml_as_string(config_file),
+                        config=load_yaml_as_string(config_path),
                         dataset=load_yaml_as_string(
                             f"data/saas/dataset/{connector_type}_dataset.yml"
                         ),
                         icon=icon,
-                        human_readable=human_readable,
+                        human_readable=config.name,
                         authorization_required=authorization_required,
-                        user_guide=user_guide,
+                        user_guide=config.user_guide,
+                        supported_actions=config.supported_actions,
                     )
                 except Exception:
                     logger.exception("Unable to load {} connector", connector_type)
@@ -175,6 +172,7 @@ def _register_template(
             human_readable=template.name,
             authorization_required=authorization_required,
             user_guide=config.user_guide,
+            supported_actions=config.supported_actions,
         )
 
         # register the template in the loader's template dictionary
@@ -327,17 +325,9 @@ def create_connection_config_from_template_no_save(
         template.config, "<instance_fides_key>", template_values.instance_key
     )
 
-    data = {
-        "key": template_values.key
-        if template_values.key
-        else template_values.instance_key,
-        "description": template_values.description,
-        "connection_type": ConnectionType.saas,
-        "access": AccessLevel.write,
-        "saas_config": config_from_template,
-    }
-    if template_values.name:
-        data["name"] = template_values.name
+    data = template_values.generate_config_data_from_template(
+        config_from_template=config_from_template
+    )
 
     if system_id:
         data["system_id"] = system_id
diff --git a/src/fides/api/service/privacy_request/request_runner_service.py b/src/fides/api/service/privacy_request/request_runner_service.py
index 95d58905f8..d1154ba3e7 100644
--- a/src/fides/api/service/privacy_request/request_runner_service.py
+++ b/src/fides/api/service/privacy_request/request_runner_service.py
@@ -109,7 +109,7 @@ def get_manual_webhook_access_inputs(
         return ManualWebhookResults(manual_data=manual_inputs, proceed=True)
 
     try:
-        for manual_webhook in AccessManualWebhook.get_enabled(db):
+        for manual_webhook in AccessManualWebhook.get_enabled(db, ActionType.access):
             manual_inputs[manual_webhook.connection_config.key] = [
                 privacy_request.get_manual_webhook_access_input_strict(manual_webhook)
             ]
@@ -135,7 +135,7 @@ def get_manual_webhook_erasure_inputs(
         # Don't fetch manual inputs unless this policy has an access rule
         return ManualWebhookResults(manual_data=manual_inputs, proceed=True)
     try:
-        for manual_webhook in AccessManualWebhook().get_enabled(db):
+        for manual_webhook in AccessManualWebhook().get_enabled(db, ActionType.erasure):
             manual_inputs[manual_webhook.connection_config.key] = [
                 privacy_request.get_manual_webhook_erasure_input_strict(manual_webhook)
             ]
diff --git a/src/fides/api/task/graph_task.py b/src/fides/api/task/graph_task.py
index 000652e53d..14eea60222 100644
--- a/src/fides/api/task/graph_task.py
+++ b/src/fides/api/task/graph_task.py
@@ -1,3 +1,4 @@
+# pylint: disable=too-many-lines
 import copy
 import traceback
 from abc import ABC
@@ -13,6 +14,7 @@
 from sqlalchemy.orm import Session
 
 from fides.api.common_exceptions import (
+    ActionDisabled,
     CollectionDisabled,
     NotSupportedForCollection,
     PrivacyRequestErasureEmailSendRequired,
@@ -89,6 +91,7 @@ def result(*args: Any, **kwargs: Any) -> Any:
             for attempt in range(CONFIG.execution.task_retry_count + 1):
                 try:
                     self.skip_if_disabled()
+                    self.skip_if_action_disabled(action_type)
                     # Create ExecutionLog with status in_processing or retrying
                     if attempt:
                         self.log_retry(action_type)
@@ -115,6 +118,7 @@ def result(*args: Any, **kwargs: Any) -> Any:
                     return 0
                 except (
                     CollectionDisabled,
+                    ActionDisabled,
                     NotSupportedForCollection,
                 ) as exc:
                     traceback.print_exc()
@@ -533,6 +537,23 @@ def skip_if_disabled(self) -> None:
                 f"ConnectionConfig {connection_config.key} is disabled.",
             )
 
+    def skip_if_action_disabled(self, action_type: ActionType) -> None:
+        """Skip execution for the given collection if it is attached to a ConnectionConfig that does not have the given action_type enabled."""
+
+        # the access action is never disabled since it provides data that is needed for erasure requests
+        if action_type == ActionType.access:
+            return
+
+        connection_config: ConnectionConfig = self.connector.configuration
+        if (
+            connection_config.enabled_actions is not None
+            and action_type not in connection_config.enabled_actions
+        ):
+            raise ActionDisabled(
+                f"Skipping collection {self.traversal_node.node.address}. "
+                f"The {action_type} action is disabled for connection config with key '{connection_config.key}'.",
+            )
+
     @retry(action_type=ActionType.access, default_return=[])
     def access_request(self, *inputs: List[Row]) -> List[Row]:
         """Run an access request on a single node."""
@@ -762,7 +783,33 @@ def termination_fn(
         privacy_request.cache_data_use_map(_format_data_use_map_for_caching(env))
 
         v = delayed(get(dsk, TERMINATOR_ADDRESS, num_workers=1))
-        return v.compute()
+        access_results = v.compute()
+        filtered_access_results = filter_by_enabled_actions(
+            access_results, connection_configs
+        )
+        return filtered_access_results
+
+
+def filter_by_enabled_actions(
+    access_results: Dict[str, Any], connection_configs: List[ConnectionConfig]
+) -> Dict[str, Any]:
+    """Removes any access results that are associated with a connection config that doesn't have the access action enabled."""
+
+    # create a map between the dataset and its connection config's enabled actions
+    dataset_enabled_actions = {}
+    for config in connection_configs:
+        for dataset in config.datasets:
+            dataset_enabled_actions[dataset.fides_key] = config.enabled_actions
+
+    # use the enabled actions map to filter out the access results
+    filtered_access_results = {}
+    for key, value in access_results.items():
+        dataset_name = key.split(":")[0]
+        enabled_action = dataset_enabled_actions.get(dataset_name)
+        if enabled_action is None or ActionType.access in enabled_action:
+            filtered_access_results[key] = value
+
+    return filtered_access_results
 
 
 def get_cached_data_for_erasures(
diff --git a/src/fides/api/util/connection_type.py b/src/fides/api/util/connection_type.py
index 9e193726ee..32027a6ac2 100644
--- a/src/fides/api/util/connection_type.py
+++ b/src/fides/api/util/connection_type.py
@@ -2,8 +2,6 @@
 
 from typing import Any, Set
 
-import yaml
-
 from fides.api.common_exceptions import NoSuchConnectionTypeSecretSchemaError
 from fides.api.models.connectionconfig import ConnectionType
 from fides.api.schemas.connection_configuration import (
@@ -94,38 +92,9 @@ def saas_request_type_filter(connection_type: str) -> bool:
         if template is None:  # shouldn't happen, but we can be safe
             return False
 
-        saas_config = SaaSConfig(**yaml.safe_load(template.config).get("saas_config"))
-        has_access = bool(
-            next(
-                (
-                    request.read
-                    for request in [
-                        endpoint.requests for endpoint in saas_config.endpoints
-                    ]
-                ),
-                None,
-            )
-        )
-        has_erasure = (
-            bool(
-                next(
-                    (
-                        request.update or request.delete
-                        for request in [
-                            endpoint.requests for endpoint in saas_config.endpoints
-                        ]
-                    ),
-                    None,
-                )
-            )
-            or saas_config.data_protection_request
-        )
-        has_consent = saas_config.consent_requests
-
-        return bool(
-            (ActionType.consent in action_types and has_consent)
-            or (ActionType.access in action_types and has_access)
-            or (ActionType.erasure in action_types and has_erasure)
+        # Check if the necessary actions are supported
+        return any(
+            action_type in template.supported_actions for action_type in action_types
         )
 
     connection_system_types: list[ConnectionSystemTypeMap] = []
@@ -157,6 +126,7 @@ def saas_request_type_filter(connection_type: str) -> bool:
                     identifier=item,
                     type=SystemType.database,
                     human_readable=ConnectionType(item).human_readable,
+                    supported_actions=[ActionType.access, ActionType.erasure],
                 )
                 for item in database_types
             ]
@@ -181,12 +151,13 @@ def saas_request_type_filter(connection_type: str) -> bool:
                         encoded_icon=connector_template.icon,
                         authorization_required=connector_template.authorization_required,
                         user_guide=connector_template.user_guide,
+                        supported_actions=connector_template.supported_actions,
                     )
                 )
 
-    if (
-        system_type == SystemType.manual or system_type is None
-    ) and ActionType.access in action_types:
+    if (system_type == SystemType.manual or system_type is None) and (
+        ActionType.access in action_types or ActionType.erasure in action_types
+    ):
         manual_types: list[str] = sorted(
             [
                 manual_type.value
@@ -201,6 +172,7 @@ def saas_request_type_filter(connection_type: str) -> bool:
                     identifier=item,
                     type=SystemType.manual,
                     human_readable=ConnectionType(item).human_readable,
+                    supported_actions=[ActionType.access, ActionType.erasure],
                 )
                 for item in manual_types
             ]
@@ -229,11 +201,16 @@ def saas_request_type_filter(connection_type: str) -> bool:
         connection_system_types.extend(
             [
                 ConnectionSystemTypeMap(
-                    identifier=item,
+                    identifier=email_type,
                     type=SystemType.email,
-                    human_readable=ConnectionType(item).human_readable,
+                    human_readable=ConnectionType(email_type).human_readable,
+                    supported_actions=[
+                        ActionType.consent
+                        if ConnectionType(email_type) in CONSENT_EMAIL_CONNECTOR_TYPES
+                        else ActionType.erasure
+                    ],
                 )
-                for item in email_types
+                for email_type in email_types
             ]
         )
     return connection_system_types
diff --git a/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py b/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py
index 636dc0acef..110a08f65d 100644
--- a/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_connection_config_endpoints.py
@@ -248,43 +248,50 @@ def test_patch_connection_saas_with_secrets_new(
         assert config.secrets == payload[0]["secrets"]
 
     @pytest.mark.parametrize(
-        "payload",
+        "payload, expected",
         [
-            [
-                {
-                    "name": "My Main Postgres DB",
-                    "key": "postgres_key",
-                    "connection_type": "postgres",
-                    "access": "write",
-                    "secrets": {
-                        "username": "test",
-                        "password": "test",
-                        "dbname": "test",
-                        "db_schema": "test",
+            (
+                [
+                    {
+                        "name": "My Main Postgres DB",
+                        "key": "postgres_key",
+                        "connection_type": "postgres",
+                        "access": "write",
+                        "secrets": {
+                            "username": "test",
+                            "password": "test",
+                            "dbname": "test",
+                            "db_schema": "test",
+                        },
+                        "port": 5432,
                     },
-                    "port": 5432,
-                },
-            ],
-            [
-                {
-                    "instance_key": "mailchimp_instance_1",
-                    "secrets": {
-                        "bad": "test_mailchimp",
+                ],
+                200,
+            ),
+            (
+                [
+                    {
+                        "instance_key": "mailchimp_instance_1",
+                        "secrets": {
+                            "bad": "test_mailchimp",
+                        },
+                        "name": "My Mailchimp Test",
+                        "description": "Mailchimp ConnectionConfig description",
+                        "saas_connector_type": "mailchimp",
+                        "key": "mailchimp_1",
                     },
-                    "name": "My Mailchimp Test",
-                    "description": "Mailchimp ConnectionConfig description",
-                    "saas_connector_type": "mailchimp",
-                    "key": "mailchimp_1",
-                },
-            ],
+                ],
+                422,
+            ),
         ],
     )
     def test_patch_connection_invalid_secrets(
-        self, payload, url, api_client, generate_auth_header
+        self, payload, expected, url, api_client, generate_auth_header
     ):
+        # extra fields are ignored but missing fields are still invalid
         auth_header = generate_auth_header(scopes=[CONNECTION_CREATE_OR_UPDATE])
         response = api_client.patch(url, headers=auth_header, json=payload)
-        assert response.status_code == 422
+        assert response.status_code == expected
 
     def test_patch_connections_bulk_create(
         self, api_client: TestClient, db: Session, generate_auth_header, url, payload
@@ -639,7 +646,6 @@ def test_patch_connections_failed_response(
             "access": "write",
             "disabled": False,
             "description": None,
-            "enabled_actions": None,
         }
         assert response_body["failed"][1]["data"] == {
             "name": "My Mongo DB",
@@ -648,7 +654,6 @@ def test_patch_connections_failed_response(
             "access": "read",
             "disabled": False,
             "description": None,
-            "enabled_actions": None,
         }
 
     @mock.patch("fides.api.main.prepare_and_log_request")
@@ -738,6 +743,31 @@ def test_patch_connections_no_name(self, api_client, generate_auth_header, url):
         assert response.json()["succeeded"][0]["name"] is None
         assert response.json()["succeeded"][1]["name"] is None
 
+    def test_patch_connections_ignore_enabled_actions(
+        self, db, api_client: TestClient, generate_auth_header, url
+    ) -> None:
+        payload = [
+            {
+                "name": "My Connection",
+                "key": "my_connection",
+                "connection_type": "postgres",
+                "access": "write",
+                "enabled_actions": ["access"],
+            }
+        ]
+
+        auth_header = generate_auth_header(scopes=[CONNECTION_CREATE_OR_UPDATE])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+
+        assert 200 == response.status_code
+        response_body = response.json()
+        assert response_body["succeeded"][0]["enabled_actions"] is None
+
+        connection_config = ConnectionConfig.filter(
+            db=db, conditions=(ConnectionConfig.key == "my_connection")
+        ).first()
+        assert connection_config.enabled_actions is None
+
 
 class TestGetConnections:
     @pytest.fixture(scope="function")
@@ -782,6 +812,7 @@ def test_get_connection_configs(
             "disabled",
             "description",
             "authorized",
+            "enabled_actions",
         }
 
         assert connection["key"] == "my_postgres_db_1"
@@ -1194,6 +1225,7 @@ def test_get_connection_config(
             "saas_config",
             "secrets",
             "authorized",
+            "enabled_actions",
         }
 
         assert response_body["key"] == "my_postgres_db_1"
diff --git a/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py b/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
index bc908f50b2..2c30cfb43f 100644
--- a/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
@@ -67,6 +67,7 @@ def test_get_connection_types(
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access.value, ActionType.erasure.value],
         } in data
         first_saas_type = ConnectorRegistry.connector_types().pop()
         first_saas_template = ConnectorRegistry.get_connector_template(first_saas_type)
@@ -77,6 +78,9 @@ def test_get_connection_types(
             "encoded_icon": first_saas_template.icon,
             "authorization_required": first_saas_template.authorization_required,
             "user_guide": first_saas_template.user_guide,
+            "supported_actions": [
+                action.value for action in first_saas_template.supported_actions
+            ],
         } in data
 
         assert "saas" not in [item["identifier"] for item in data]
@@ -156,6 +160,9 @@ def test_search_connection_types(
                 "encoded_icon": saas_template[1].icon,
                 "authorization_required": saas_template[1].authorization_required,
                 "user_guide": saas_template[1].user_guide,
+                "supported_actions": [
+                    action.value for action in saas_template[1].supported_actions
+                ],
             }
             for saas_template in expected_saas_templates
         ]
@@ -184,6 +191,9 @@ def test_search_connection_types(
                 "encoded_icon": saas_template[1].icon,
                 "authorization_required": saas_template[1].authorization_required,
                 "user_guide": saas_template[1].user_guide,
+                "supported_actions": [
+                    action.value for action in saas_template[1].supported_actions
+                ],
             }
             for saas_template in expected_saas_templates
         ]
@@ -202,6 +212,7 @@ def test_search_connection_types(
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access.value, ActionType.erasure.value],
         } in data
         assert {
             "identifier": ConnectionType.redshift.value,
@@ -210,6 +221,7 @@ def test_search_connection_types(
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access.value, ActionType.erasure.value],
         } in data
         for expected_data in expected_saas_data:
             assert expected_data in data, f"{expected_data} not in"
@@ -236,6 +248,9 @@ def test_search_connection_types_case_insensitive(
                 "encoded_icon": saas_template[1].icon,
                 "authorization_required": saas_template[1].authorization_required,
                 "user_guide": saas_template[1].user_guide,
+                "supported_actions": [
+                    action.value for action in saas_template[1].supported_actions
+                ],
             }
             for saas_template in expected_saas_types
         ]
@@ -253,6 +268,7 @@ def test_search_connection_types_case_insensitive(
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access.value, ActionType.erasure.value],
         } in data
 
         for expected_data in expected_saas_data:
@@ -275,6 +291,9 @@ def test_search_connection_types_case_insensitive(
                 "encoded_icon": saas_template[1].icon,
                 "authorization_required": saas_template[1].authorization_required,
                 "user_guide": saas_template[1].user_guide,
+                "supported_actions": [
+                    action.value for action in saas_template[1].supported_actions
+                ],
             }
             for saas_template in expected_saas_types
         ]
@@ -291,6 +310,7 @@ def test_search_connection_types_case_insensitive(
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access, ActionType.erasure],
         } in data
         assert {
             "identifier": ConnectionType.redshift.value,
@@ -299,6 +319,7 @@ def test_search_connection_types_case_insensitive(
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access, ActionType.erasure],
         } in data
 
         for expected_data in expected_saas_data:
@@ -363,6 +384,10 @@ def test_search_manual_system_type(self, api_client, generate_auth_header, url):
                 "encoded_icon": None,
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [
+                    ActionType.access.value,
+                    ActionType.erasure.value,
+                ],
             }
         ]
 
@@ -381,6 +406,7 @@ def test_search_email_type(self, api_client, generate_auth_header, url):
                 "type": "email",
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [ActionType.erasure.value],
             },
             {
                 "encoded_icon": None,
@@ -389,6 +415,7 @@ def test_search_email_type(self, api_client, generate_auth_header, url):
                 "type": "email",
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [ActionType.consent.value],
             },
             {
                 "encoded_icon": None,
@@ -397,6 +424,7 @@ def test_search_email_type(self, api_client, generate_auth_header, url):
                 "type": "email",
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [ActionType.erasure.value],
             },
             {
                 "encoded_icon": None,
@@ -405,6 +433,7 @@ def test_search_email_type(self, api_client, generate_auth_header, url):
                 "type": "email",
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [ActionType.consent.value],
             },
         ]
 
@@ -462,6 +491,10 @@ def connection_type_objects(self):
                 "encoded_icon": None,
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [
+                    ActionType.access.value,
+                    ActionType.erasure.value,
+                ],
             },
             ConnectionType.manual_webhook.value: {
                 "identifier": ConnectionType.manual_webhook.value,
@@ -470,6 +503,10 @@ def connection_type_objects(self):
                 "encoded_icon": None,
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [
+                    ActionType.access.value,
+                    ActionType.erasure.value,
+                ],
             },
             GOOGLE_ANALYTICS: {
                 "identifier": GOOGLE_ANALYTICS,
@@ -478,6 +515,10 @@ def connection_type_objects(self):
                 "encoded_icon": google_analytics_template.icon,
                 "authorization_required": True,
                 "user_guide": google_analytics_template.user_guide,
+                "supported_actions": [
+                    action.value
+                    for action in google_analytics_template.supported_actions
+                ],
             },
             MAILCHIMP_TRANSACTIONAL: {
                 "identifier": MAILCHIMP_TRANSACTIONAL,
@@ -486,6 +527,10 @@ def connection_type_objects(self):
                 "encoded_icon": mailchimp_transactional_template.icon,
                 "authorization_required": False,
                 "user_guide": mailchimp_transactional_template.user_guide,
+                "supported_actions": [
+                    action.value
+                    for action in mailchimp_transactional_template.supported_actions
+                ],
             },
             SEGMENT: {
                 "identifier": SEGMENT,
@@ -494,6 +539,9 @@ def connection_type_objects(self):
                 "encoded_icon": segment_template.icon,
                 "authorization_required": False,
                 "user_guide": segment_template.user_guide,
+                "supported_actions": [
+                    action.value for action in segment_template.supported_actions
+                ],
             },
             STRIPE: {
                 "identifier": STRIPE,
@@ -502,6 +550,9 @@ def connection_type_objects(self):
                 "encoded_icon": stripe_template.icon,
                 "authorization_required": False,
                 "user_guide": stripe_template.user_guide,
+                "supported_actions": [
+                    action.value for action in stripe_template.supported_actions
+                ],
             },
             ZENDESK: {
                 "identifier": ZENDESK,
@@ -510,6 +561,9 @@ def connection_type_objects(self):
                 "encoded_icon": zendesk_template.icon,
                 "authorization_required": False,
                 "user_guide": zendesk_template.user_guide,
+                "supported_actions": [
+                    action.value for action in zendesk_template.supported_actions
+                ],
             },
             DOORDASH: {
                 "identifier": DOORDASH,
@@ -518,6 +572,9 @@ def connection_type_objects(self):
                 "encoded_icon": doordash_template.icon,
                 "authorization_required": False,
                 "user_guide": doordash_template.user_guide,
+                "supported_actions": [
+                    action.value for action in doordash_template.supported_actions
+                ],
             },
             ConnectionType.sovrn.value: {
                 "identifier": ConnectionType.sovrn.value,
@@ -526,6 +583,7 @@ def connection_type_objects(self):
                 "encoded_icon": None,
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [ActionType.consent.value],
             },
             ConnectionType.attentive.value: {
                 "identifier": ConnectionType.attentive.value,
@@ -534,6 +592,7 @@ def connection_type_objects(self):
                 "encoded_icon": None,
                 "authorization_required": False,
                 "user_guide": None,
+                "supported_actions": [ActionType.erasure.value],
             },
         }
 
@@ -594,11 +653,11 @@ def connection_type_objects(self):
                     STRIPE,
                     ZENDESK,
                     ConnectionType.attentive.value,
+                    ConnectionType.manual_webhook.value,
                 ],
                 [
                     GOOGLE_ANALYTICS,
                     MAILCHIMP_TRANSACTIONAL,
-                    ConnectionType.manual_webhook.value,  # manual webhook is not erasure
                     DOORDASH,  # doordash does not have erasures
                     ConnectionType.sovrn.value,
                 ],
@@ -631,9 +690,9 @@ def connection_type_objects(self):
                     STRIPE,
                     ZENDESK,
                     ConnectionType.attentive.value,
+                    ConnectionType.manual_webhook.value,
                 ],
                 [
-                    ConnectionType.manual_webhook.value,  # manual webhook is not erasure
                     DOORDASH,  # doordash does not have erasures
                 ],
             ),
@@ -1005,7 +1064,7 @@ def test_get_connection_secret_schema_mysql(
                     "type": "string",
                 },
                 "ssh_required": {
-                    "title": "SSH Required",
+                    "title": "SSH required",
                     "description": "Indicates whether an SSH tunnel is required for the connection. Enable this option if your MySQL server is behind a firewall and requires SSH tunneling for remote connections.",
                     "default": False,
                     "type": "boolean",
@@ -1059,7 +1118,7 @@ def test_get_connection_secret_schema_postgres(
                     "type": "string",
                 },
                 "ssh_required": {
-                    "title": "SSH Required",
+                    "title": "SSH required",
                     "description": "Indicates whether an SSH tunnel is required for the connection. Enable this option if your PostgreSQL server is behind a firewall and requires SSH tunneling for remote connections.",
                     "default": False,
                     "type": "boolean",
@@ -1113,7 +1172,7 @@ def test_get_connection_secret_schema_redshift(
                     "type": "string",
                 },
                 "ssh_required": {
-                    "title": "SSH Required",
+                    "title": "SSH required",
                     "description": "Indicates whether an SSH tunnel is required for the connection. Enable this option if your Redshift database is behind a firewall and requires SSH tunneling for remote connections.",
                     "default": False,
                     "type": "boolean",
diff --git a/tests/ops/api/v1/endpoints/test_policy_webhook_endpoints.py b/tests/ops/api/v1/endpoints/test_policy_webhook_endpoints.py
index 1b37a31c21..7150594927 100644
--- a/tests/ops/api/v1/endpoints/test_policy_webhook_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_policy_webhook_endpoints.py
@@ -38,6 +38,7 @@ def embedded_http_connection_config(connection_config: ConnectionConfig) -> Dict
         "saas_config": None,
         "secrets": None,
         "authorized": False,
+        "enabled_actions": None,
     }
 
 
diff --git a/tests/ops/api/v1/endpoints/test_system.py b/tests/ops/api/v1/endpoints/test_system.py
index 1ac3a7f5f3..1519d92738 100644
--- a/tests/ops/api/v1/endpoints/test_system.py
+++ b/tests/ops/api/v1/endpoints/test_system.py
@@ -23,6 +23,7 @@
 from fides.api.models.manual_webhook import AccessManualWebhook
 from fides.api.models.privacy_request import PrivacyRequestStatus
 from fides.api.models.sql_models import Dataset, System
+from fides.api.schemas.policy import ActionType
 from fides.common.api.scope_registry import (
     CONNECTION_CREATE_OR_UPDATE,
     CONNECTION_DELETE,
@@ -65,7 +66,6 @@ def payload():
                 "username": "test",
                 "password": "test",
             },
-            "enabled_actions": ["access", "erasure"],
         }
     ]
 
@@ -295,6 +295,7 @@ def test_get_connection_configs(
             "disabled",
             "description",
             "authorized",
+            "enabled_actions",
         }
         connection_keys = [connection["key"] for connection in connections]
         assert response_body["items"][0]["key"] in connection_keys
@@ -966,3 +967,77 @@ def test_instantiate_connection_from_template(
         dataset_config.delete(db)
         connection_config.delete(db)
         dataset_config.ctl_dataset.delete(db=db)
+
+    def test_instantiate_connection_from_template_ignore_enabled_actions(
+        self, db, generate_auth_header, api_client, base_url
+    ):
+        connection_config = ConnectionConfig.filter(
+            db=db, conditions=(ConnectionConfig.key == "mailchimp_connection_config")
+        ).first()
+        assert connection_config is None
+
+        dataset_config = DatasetConfig.filter(
+            db=db,
+            conditions=(DatasetConfig.fides_key == "secondary_mailchimp_instance"),
+        ).first()
+        assert dataset_config is None
+
+        auth_header = generate_auth_header(scopes=[SAAS_CONNECTION_INSTANTIATE])
+        request_body = {
+            "instance_key": "secondary_mailchimp_instance",
+            "secrets": {
+                "domain": "test_mailchimp_domain",
+                "username": "test_mailchimp_username",
+                "api_key": "test_mailchimp_api_key",
+            },
+            "name": "Mailchimp Connector",
+            "description": "Mailchimp ConnectionConfig description",
+            "key": "mailchimp_connection_config",
+            "enabled_actions": [ActionType.access.value],
+        }
+        resp = api_client.post(
+            base_url.format(saas_connector_type="mailchimp"),
+            headers=auth_header,
+            json=request_body,
+        )
+
+        assert resp.status_code == 200
+        assert set(resp.json().keys()) == {"connection", "dataset"}
+        connection_data = resp.json()["connection"]
+        assert connection_data["key"] == "mailchimp_connection_config"
+        assert connection_data["name"] == "Mailchimp Connector"
+        assert connection_data["secrets"]["api_key"] == "**********"
+        assert connection_data["enabled_actions"] is None
+
+        dataset_data = resp.json()["dataset"]
+        assert dataset_data["fides_key"] == "secondary_mailchimp_instance"
+
+        connection_config = ConnectionConfig.filter(
+            db=db, conditions=(ConnectionConfig.key == "mailchimp_connection_config")
+        ).first()
+        dataset_config = DatasetConfig.filter(
+            db=db,
+            conditions=(DatasetConfig.fides_key == "secondary_mailchimp_instance"),
+        ).first()
+
+        assert connection_config is not None
+        assert dataset_config is not None
+        assert connection_config.name == "Mailchimp Connector"
+        assert connection_config.description == "Mailchimp ConnectionConfig description"
+
+        assert connection_config.access == AccessLevel.write
+        assert connection_config.connection_type == ConnectionType.saas
+        assert connection_config.saas_config is not None
+        assert connection_config.disabled is False
+        assert connection_config.disabled_at is None
+        assert connection_config.last_test_timestamp is None
+        assert connection_config.last_test_succeeded is None
+        assert connection_config.system_id is not None
+        assert connection_config.enabled_actions is None
+
+        assert dataset_config.connection_config_id == connection_config.id
+        assert dataset_config.ctl_dataset_id is not None
+
+        dataset_config.delete(db)
+        connection_config.delete(db)
+        dataset_config.ctl_dataset.delete(db=db)
diff --git a/tests/ops/graph/test_graph.py b/tests/ops/graph/test_graph.py
index a83d53627c..ed9cca2b10 100644
--- a/tests/ops/graph/test_graph.py
+++ b/tests/ops/graph/test_graph.py
@@ -95,6 +95,9 @@ def log_retry(self, _: ActionType):
         def skip_if_disabled(self) -> bool:
             return False
 
+        def skip_if_action_disabled(self, action_type: ActionType):
+            return False
+
         @retry(action_type=ActionType.access, default_return=[])
         def test_function(self):
             self.call_count += 1
diff --git a/tests/ops/integration_tests/saas/connector_runner.py b/tests/ops/integration_tests/saas/connector_runner.py
index a0cd60a0f8..6b378907fc 100644
--- a/tests/ops/integration_tests/saas/connector_runner.py
+++ b/tests/ops/integration_tests/saas/connector_runner.py
@@ -66,7 +66,7 @@ def __init__(
 
         # create and save the connection config and dataset config to the database
         self.connection_config = _connection_config(db, self.config, secrets)
-        self.dataset_config = _dataset_config(db, self.connection_config, self.dataset)
+        self.dataset_config = dataset_config(db, self.connection_config, self.dataset)
 
     def test_connection(self):
         """Connection test using the connectors test_request"""
@@ -257,11 +257,13 @@ def _external_connection_config(db: Session, fides_key) -> ConnectionConfig:
     return connection_config
 
 
-def _dataset_config(
+def dataset_config(
     db: Session,
     connection_config: ConnectionConfig,
     dataset: Dict[str, Any],
 ) -> DatasetConfig:
+    """Helper function to persist a dataset config and link it to a connection config."""
+
     fides_key = dataset["fides_key"]
     connection_config.name = fides_key
     connection_config.key = fides_key
@@ -331,7 +333,7 @@ def _process_external_references(
             db, f"{connector_type}_external_dataset"
         )
         graph_list.append(
-            _dataset_config(
+            dataset_config(
                 db,
                 external_connection_config,
                 _external_dataset(
diff --git a/tests/ops/integration_tests/test_enabled_actions.py b/tests/ops/integration_tests/test_enabled_actions.py
new file mode 100644
index 0000000000..c249ba012c
--- /dev/null
+++ b/tests/ops/integration_tests/test_enabled_actions.py
@@ -0,0 +1,187 @@
+import pytest
+from fideslang.models import Dataset
+
+from fides.api.graph.graph import DatasetGraph
+from fides.api.models.connectionconfig import ActionType
+from fides.api.models.datasetconfig import convert_dataset_to_graph
+from fides.api.models.privacy_request import PrivacyRequest, PrivacyRequestStatus
+from fides.api.task import graph_task
+from fides.api.task.graph_task import get_cached_data_for_erasures
+from tests.ops.integration_tests.saas.connector_runner import dataset_config
+from tests.ops.service.privacy_request.test_request_runner_service import (
+    get_privacy_request_results,
+)
+
+
+@pytest.mark.integration
+class TestEnabledActions:
+    @pytest.fixture(scope="function")
+    def dataset_graph(
+        self,
+        db,
+        example_datasets,
+        integration_postgres_config,
+    ) -> DatasetGraph:
+        dataset_postgres = Dataset(**example_datasets[0])
+        dataset_config(db, integration_postgres_config, dataset_postgres.dict())
+        graph = convert_dataset_to_graph(
+            dataset_postgres, integration_postgres_config.key
+        )
+        return DatasetGraph(graph)
+
+    @pytest.mark.asyncio
+    async def test_access_disabled(
+        self,
+        db,
+        policy,
+        integration_postgres_config,
+        dataset_graph,
+    ) -> None:
+        """Disable the access request for one connection config and verify the access results"""
+
+        # disable the access action type for Postgres
+        integration_postgres_config.enabled_actions = [ActionType.erasure]
+        integration_postgres_config.save(db)
+        privacy_request = PrivacyRequest(id="test_disable_postgres_access")
+
+        access_results = await graph_task.run_access_request(
+            privacy_request,
+            policy,
+            dataset_graph,
+            [integration_postgres_config],
+            {"email": "customer-1@example.com"},
+            db,
+        )
+
+        assert access_results == {}
+
+    @pytest.mark.asyncio
+    async def test_erasure_disabled(
+        self,
+        db,
+        policy,
+        erasure_policy,
+        integration_postgres_config,
+        dataset_graph,
+    ) -> None:
+        """Disable the erasure request for one connection config and verify the erasure results"""
+
+        # disable the erasure action type for Postgres
+        integration_postgres_config.enabled_actions = [ActionType.access]
+        integration_postgres_config.save(db)
+        privacy_request = PrivacyRequest(id="test_disable_postgres_erasure")
+
+        access_results = await graph_task.run_access_request(
+            privacy_request,
+            policy,
+            dataset_graph,
+            [integration_postgres_config],
+            {"email": "customer-1@example.com"},
+            db,
+        )
+
+        # the access results should contain results from postgres
+        postgres_dataset = integration_postgres_config.datasets[0].fides_key
+        assert {key.split(":")[0] for key in access_results} == {
+            postgres_dataset,
+        }
+
+        erasure_results = await graph_task.run_erasure(
+            privacy_request,
+            erasure_policy,
+            dataset_graph,
+            [integration_postgres_config],
+            {"email": "customer-1@example.com"},
+            get_cached_data_for_erasures(privacy_request.id),
+            db,
+        )
+
+        # the erasure results should be empty
+        assert erasure_results == {}
+
+    @pytest.mark.asyncio
+    async def test_access_disabled_for_manual_webhook_integrations(
+        self,
+        db,
+        policy,
+        integration_postgres_config,
+        integration_manual_webhook_config,
+        access_manual_webhook,
+        run_privacy_request_task,
+    ) -> None:
+        pr = get_privacy_request_results(
+            db,
+            policy,
+            run_privacy_request_task,
+            {
+                "requested_at": "2021-08-30T16:09:37.359Z",
+                "policy_key": policy.key,
+                "identity": {"email": "customer-1@example.com"},
+            },
+        )
+        db.refresh(pr)
+
+        # verify the request is paused if the manual webhook has the access action enabled
+        assert pr.status == PrivacyRequestStatus.requires_input
+
+        integration_manual_webhook_config.enabled_actions = [ActionType.erasure]
+        integration_manual_webhook_config.save(db)
+
+        pr = get_privacy_request_results(
+            db,
+            policy,
+            run_privacy_request_task,
+            {
+                "requested_at": "2021-08-30T16:09:37.359Z",
+                "policy_key": policy.key,
+                "identity": {"email": "customer-1@example.com"},
+            },
+        )
+        db.refresh(pr)
+
+        # verify the request completes if the manual webhook has the access action disabled
+        assert pr.status == PrivacyRequestStatus.complete
+
+    @pytest.mark.asyncio
+    async def test_erasure_disabled_for_manual_webhook_integrations(
+        self,
+        db,
+        policy,
+        erasure_policy,
+        integration_postgres_config,
+        integration_manual_webhook_config,
+        access_manual_webhook,
+        run_privacy_request_task,
+    ) -> None:
+        pr = get_privacy_request_results(
+            db,
+            erasure_policy,
+            run_privacy_request_task,
+            {
+                "requested_at": "2021-08-30T16:09:37.359Z",
+                "policy_key": policy.key,
+                "identity": {"email": "customer-1@example.com"},
+            },
+        )
+        db.refresh(pr)
+
+        # verify the request is paused if the manual webhook has the erasure action enabled
+        assert pr.status == PrivacyRequestStatus.requires_input
+
+        integration_manual_webhook_config.enabled_actions = [ActionType.access]
+        integration_manual_webhook_config.save(db)
+
+        pr = get_privacy_request_results(
+            db,
+            erasure_policy,
+            run_privacy_request_task,
+            {
+                "requested_at": "2021-08-30T16:09:37.359Z",
+                "policy_key": policy.key,
+                "identity": {"email": "customer-1@example.com"},
+            },
+        )
+        db.refresh(pr)
+
+        # verify the request completes if the manual webhook has the erasure action disabled
+        assert pr.status == PrivacyRequestStatus.complete
diff --git a/tests/ops/models/test_manual_webhook.py b/tests/ops/models/test_manual_webhook.py
index d2361f8e9c..6b2f94b306 100644
--- a/tests/ops/models/test_manual_webhook.py
+++ b/tests/ops/models/test_manual_webhook.py
@@ -1,6 +1,7 @@
 import pytest
 
 from fides.api.models.manual_webhook import AccessManualWebhook
+from fides.api.schemas.policy import ActionType
 
 
 class TestManualWebhook:
@@ -21,6 +22,32 @@ def test_get_enabled_no_enabled_webhooks(self, db):
     def test_get_enabled_webhooks(self, db, access_manual_webhook):
         assert AccessManualWebhook.get_enabled(db) == [access_manual_webhook]
 
+    def test_get_enabled_access_webhooks(
+        self, db, integration_manual_webhook_config, access_manual_webhook
+    ):
+        assert AccessManualWebhook.get_enabled(db, ActionType.access) == [
+            access_manual_webhook
+        ]
+
+        integration_manual_webhook_config.enabled_actions = [ActionType.erasure]
+        integration_manual_webhook_config.save(db)
+
+        # don't return webhook if the access action is disabled
+        assert AccessManualWebhook.get_enabled(db, ActionType.access) == []
+
+    def test_get_enabled_erasure_webhooks(
+        self, db, integration_manual_webhook_config, access_manual_webhook
+    ):
+        assert AccessManualWebhook.get_enabled(db, ActionType.erasure) == [
+            access_manual_webhook
+        ]
+
+        integration_manual_webhook_config.enabled_actions = [ActionType.access]
+        integration_manual_webhook_config.save(db)
+
+        # don't return webhook if the erasure action is disabled
+        assert AccessManualWebhook.get_enabled(db, ActionType.erasure) == []
+
     @pytest.mark.usefixtures("access_manual_webhook")
     def test_get_enabled_webhooks_connection_config_disabled(
         self, db, integration_manual_webhook_config
diff --git a/tests/ops/service/connectors/test_connector_registry_service.py b/tests/ops/service/connectors/test_connector_registry_service.py
index 5818163f0b..bf55406805 100644
--- a/tests/ops/service/connectors/test_connector_registry_service.py
+++ b/tests/ops/service/connectors/test_connector_registry_service.py
@@ -2,11 +2,9 @@
 from unittest import mock
 from unittest.mock import Mock
 
-import yaml
 from fideslang.models import DatasetCollection
 
 from fides.api.models.datasetconfig import DatasetConfig
-from fides.api.schemas.saas.connector_template import ConnectorTemplate
 from fides.api.service.connectors.saas.connector_registry_service import (
     ConnectorRegistry,
     update_saas_configs,
@@ -19,7 +17,6 @@
     replace_config_placeholders,
     replace_dataset_placeholders,
 )
-from fides.config.helpers import load_file
 
 NEW_CONFIG_DESCRIPTION = "new test config description"
 NEW_DATASET_DESCRIPTION = "new test dataset description"
diff --git a/tests/ops/service/connectors/test_connector_template_loaders.py b/tests/ops/service/connectors/test_connector_template_loaders.py
index 43f087a600..e38b15ce89 100644
--- a/tests/ops/service/connectors/test_connector_template_loaders.py
+++ b/tests/ops/service/connectors/test_connector_template_loaders.py
@@ -1,4 +1,3 @@
-import os
 from io import BytesIO
 from unittest import mock
 from unittest.mock import MagicMock
@@ -8,6 +7,7 @@
 
 from fides.api.common_exceptions import NoSuchSaaSRequestOverrideException
 from fides.api.models.custom_connector_template import CustomConnectorTemplate
+from fides.api.schemas.policy import ActionType
 from fides.api.schemas.saas.connector_template import ConnectorTemplate
 from fides.api.service.authentication.authentication_strategy import (
     AuthenticationStrategy,
@@ -27,7 +27,6 @@
     load_yaml_as_string,
     replace_version,
 )
-from fides.config import CONFIG
 from tests.ops.test_helpers.saas_test_utils import create_zip_file
 
 
@@ -189,6 +188,7 @@ def test_custom_connector_template_loader(
                 human_readable="Planet Express",
                 authorization_required=False,
                 user_guide=None,
+                supported_actions=[ActionType.access],
             )
         }
 
@@ -382,6 +382,7 @@ def test_custom_connector_replacement_replaceable_with_update_not_available(
                 human_readable="Planet Express",
                 authorization_required=False,
                 user_guide=None,
+                supported_actions=[ActionType.access],
             )
         }
         mock_delete.assert_not_called()
@@ -427,6 +428,7 @@ def test_custom_connector_replacement_not_replaceable(
                 human_readable="Zendesk",
                 authorization_required=False,
                 user_guide="https://docs.ethyca.com/user-guides/integrations/saas-integrations/zendesk",
+                supported_actions=[ActionType.access, ActionType.erasure],
             )
         }
         mock_delete.assert_not_called()
diff --git a/tests/ops/task/test_graph_task.py b/tests/ops/task/test_graph_task.py
index a4e14b5789..0aada504de 100644
--- a/tests/ops/task/test_graph_task.py
+++ b/tests/ops/task/test_graph_task.py
@@ -35,6 +35,7 @@
     _format_data_use_map_for_caching,
     build_affected_field_logs,
     collect_queries,
+    filter_by_enabled_actions,
     start_function,
     update_erasure_mapping_from_cache,
 )
@@ -1007,3 +1008,93 @@ def test_errored_consent_task_for_connector_no_relevant_preferences(
             .order_by(ExecutionLog.created_at.desc())
         )
         assert logs.first().status == ExecutionLogStatus.error
+
+
+class TestFilterByEnabledActions:
+    def test_filter_by_enabled_actions_enabled_actions_none(self):
+        access_results = {
+            "dataset1:collection": "data",
+            "dataset2:collection": "data",
+        }
+        connection_configs = [
+            ConnectionConfig(
+                datasets=[
+                    DatasetConfig(fides_key="dataset1"),
+                ],
+                enabled_actions=None,
+            ),
+            ConnectionConfig(
+                datasets=[DatasetConfig(fides_key="dataset2")],
+                enabled_actions=None,
+            ),
+        ]
+
+        assert filter_by_enabled_actions(access_results, connection_configs) == {
+            "dataset1:collection": "data",
+            "dataset2:collection": "data",
+        }
+
+    def test_filter_by_enabled_actions_access_enabled(self):
+        access_results = {
+            "dataset1:collection": "data",
+            "dataset2:collection": "data",
+        }
+        connection_configs = [
+            ConnectionConfig(
+                datasets=[
+                    DatasetConfig(fides_key="dataset1"),
+                ],
+                enabled_actions=[ActionType.access],
+            ),
+            ConnectionConfig(
+                datasets=[DatasetConfig(fides_key="dataset2")],
+                enabled_actions=[ActionType.access],
+            ),
+        ]
+
+        assert filter_by_enabled_actions(access_results, connection_configs) == {
+            "dataset1:collection": "data",
+            "dataset2:collection": "data",
+        }
+
+    def test_filter_by_enabled_actions_only_erasure(self):
+        access_results = {
+            "dataset1:collection": "data",
+            "dataset2:collection": "data",
+        }
+        connection_configs = [
+            ConnectionConfig(
+                datasets=[
+                    DatasetConfig(fides_key="dataset1"),
+                ],
+                enabled_actions=[ActionType.erasure],
+            ),
+            ConnectionConfig(
+                datasets=[DatasetConfig(fides_key="dataset2")],
+                enabled_actions=[ActionType.erasure],
+            ),
+        ]
+
+        assert filter_by_enabled_actions(access_results, connection_configs) == {}
+
+    def test_filter_by_enabled_actions_mixed_actions(self):
+        access_results = {
+            "dataset1:collection": "data",
+            "dataset2:collection": "data",
+        }
+        connection_configs = [
+            ConnectionConfig(
+                datasets=[
+                    DatasetConfig(fides_key="dataset1"),
+                ],
+                enabled_actions=[ActionType.access],
+            ),
+            ConnectionConfig(
+                datasets=[DatasetConfig(fides_key="dataset2")],
+                enabled_actions=[ActionType.erasure],
+            ),
+        ]
+
+        assert filter_by_enabled_actions(access_results, connection_configs) == {
+            "dataset1:collection": "data",
+        }
diff --git a/tests/ops/util/test_connection_type.py b/tests/ops/util/test_connection_type.py
index e61dfb2f06..cd1d1776c8 100644
--- a/tests/ops/util/test_connection_type.py
+++ b/tests/ops/util/test_connection_type.py
@@ -22,6 +22,7 @@ def test_get_connection_types():
         "encoded_icon": None,
         "authorization_required": False,
         "user_guide": None,
+        "supported_actions": [ActionType.access.value, ActionType.erasure.value],
     } in data
     first_saas_type = ConnectorRegistry.connector_types().pop()
     first_saas_template = ConnectorRegistry.get_connector_template(first_saas_type)
@@ -32,6 +33,9 @@ def test_get_connection_types():
         "encoded_icon": first_saas_template.icon,
         "authorization_required": first_saas_template.authorization_required,
         "user_guide": first_saas_template.user_guide,
+        "supported_actions": [
+            action.value for action in first_saas_template.supported_actions
+        ],
     } in data
 
     assert "saas" not in [item.identifier for item in data]
@@ -46,6 +50,7 @@ def test_get_connection_types():
         "encoded_icon": None,
         "authorization_required": False,
         "user_guide": None,
+        "supported_actions": [ActionType.consent.value],
     } in data
 
 
@@ -78,6 +83,7 @@ def connection_type_objects():
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access.value, ActionType.erasure.value],
         },
         ConnectionType.manual_webhook.value: {
             "identifier": ConnectionType.manual_webhook.value,
@@ -86,6 +92,7 @@ def connection_type_objects():
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.access.value, ActionType.erasure.value],
         },
         GOOGLE_ANALYTICS: {
             "identifier": GOOGLE_ANALYTICS,
@@ -94,6 +101,9 @@ def connection_type_objects():
             "encoded_icon": google_analytics_template.icon,
             "authorization_required": google_analytics_template.authorization_required,
             "user_guide": google_analytics_template.user_guide,
+            "supported_actions": [
+                action.value for action in google_analytics_template.supported_actions
+            ],
         },
         MAILCHIMP_TRANSACTIONAL: {
             "identifier": MAILCHIMP_TRANSACTIONAL,
@@ -102,6 +112,10 @@ def connection_type_objects():
             "encoded_icon": mailchimp_transactional_template.icon,
             "authorization_required": mailchimp_transactional_template.authorization_required,
             "user_guide": mailchimp_transactional_template.user_guide,
+            "supported_actions": [
+                action.value
+                for action in mailchimp_transactional_template.supported_actions
+            ],
         },
         SEGMENT: {
             "identifier": SEGMENT,
@@ -110,6 +124,9 @@ def connection_type_objects():
             "encoded_icon": segment_template.icon,
             "authorization_required": segment_template.authorization_required,
             "user_guide": segment_template.user_guide,
+            "supported_actions": [
+                action.value for action in segment_template.supported_actions
+            ],
         },
         STRIPE: {
             "identifier": STRIPE,
@@ -118,6 +135,9 @@ def connection_type_objects():
             "encoded_icon": stripe_template.icon,
             "authorization_required": stripe_template.authorization_required,
             "user_guide": stripe_template.user_guide,
+            "supported_actions": [
+                action.value for action in stripe_template.supported_actions
+            ],
         },
         ZENDESK: {
             "identifier": ZENDESK,
@@ -126,6 +146,9 @@ def connection_type_objects():
             "encoded_icon": zendesk_template.icon,
             "authorization_required": zendesk_template.authorization_required,
             "user_guide": zendesk_template.user_guide,
+            "supported_actions": [
+                action.value for action in zendesk_template.supported_actions
+            ],
         },
         DOORDASH: {
             "identifier": DOORDASH,
@@ -134,6 +157,9 @@ def connection_type_objects():
             "encoded_icon": doordash_template.icon,
             "authorization_required": doordash_template.authorization_required,
             "user_guide": doordash_template.user_guide,
+            "supported_actions": [
+                action.value for action in doordash_template.supported_actions
+            ],
         },
         ConnectionType.sovrn.value: {
             "identifier": ConnectionType.sovrn.value,
@@ -142,6 +168,7 @@ def connection_type_objects():
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.consent.value],
         },
         ConnectionType.attentive.value: {
             "identifier": ConnectionType.attentive.value,
@@ -150,6 +177,7 @@ def connection_type_objects():
             "encoded_icon": None,
             "authorization_required": False,
             "user_guide": None,
+            "supported_actions": [ActionType.erasure.value],
         },
     }
 
@@ -195,11 +223,11 @@ def connection_type_objects():
                 STRIPE,
                 ZENDESK,
                 ConnectionType.attentive.value,
+                ConnectionType.manual_webhook.value,
             ],
             [
                 GOOGLE_ANALYTICS,
                 MAILCHIMP_TRANSACTIONAL,
-                ConnectionType.manual_webhook.value,  # manual webhook is not erasure
                 DOORDASH,  # doordash does not have erasures
                 ConnectionType.sovrn.value,
             ],
@@ -232,9 +260,9 @@ def connection_type_objects():
                 STRIPE,
                 ZENDESK,
                 ConnectionType.attentive.value,
+                ConnectionType.manual_webhook.value,
             ],
             [
-                ConnectionType.manual_webhook.value,  # manual webhook is not erasure
                 DOORDASH,  # doordash does not have erasures
             ],
         ),

From 709336b16adcedad61429ae274ad81fe2602346a Mon Sep 17 00:00:00 2001
From: Jeremy Pople <jeremy@ethyca.com>
Date: Fri, 10 Nov 2023 15:13:30 -0500
Subject: [PATCH 4/7] fixes for vendor selector behavior

---
 .../features/system/SystemInformationForm.tsx |  47 +++++--
 .../src/features/system/VendorSelector.tsx    |  52 ++++++-
 .../dictionary-data-uses/EmptyTableState.tsx  | 126 +++++------------
 .../dictionary-form/DictSuggestionInputs.tsx  | 133 +++++++++++++++++-
 .../PrivacyDeclarationFormTab.tsx             |   3 -
 5 files changed, 248 insertions(+), 113 deletions(-)

diff --git a/clients/admin-ui/src/features/system/SystemInformationForm.tsx b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
index 7aa8262f3f..a7c465aa5b 100644
--- a/clients/admin-ui/src/features/system/SystemInformationForm.tsx
+++ b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
@@ -20,7 +20,6 @@ import {
 } from "~/features/common/custom-fields";
 import { useFeatures } from "~/features/common/features/features.slice";
 import {
-  CustomCreatableSelect,
   CustomSelect,
   CustomSwitch,
   CustomTextInput,
@@ -43,6 +42,7 @@ import {
   setSuggestions,
 } from "~/features/system/dictionary-form/dict-suggestion.slice";
 import {
+  DictSuggestionCreatableSelect,
   DictSuggestionNumberInput,
   DictSuggestionSelect,
   DictSuggestionSwitch,
@@ -72,11 +72,6 @@ import {
   responsibilityOptions,
 } from "./SystemInformationFormSelectOptions";
 
-const ValidationSchema = Yup.object().shape({
-  name: Yup.string().required().label("System name"),
-  privacy_policy: Yup.string().min(1).url().nullable(),
-});
-
 const SystemHeading = ({ system }: { system?: SystemResponse }) => {
   const isManual = !system;
   const headingName = isManual
@@ -103,6 +98,8 @@ const SystemInformationForm = ({
   withHeader,
   children,
 }: Props) => {
+  const systems = useAppSelector(selectAllSystems);
+
   const dispatch = useAppDispatch();
   const customFields = useCustomFields({
     resourceType: ResourceTypes.SYSTEM,
@@ -125,6 +122,23 @@ const SystemInformationForm = ({
     [passedInSystem, customFields.customFieldValues]
   );
 
+  const ValidationSchema = useMemo(
+    () =>
+      Yup.object().shape({
+        name: Yup.string()
+          .required()
+          .label("System name")
+          .notOneOf(
+            systems
+              .filter((s) => s.name !== initialValues.name)
+              .map((s) => s.name),
+            "System must have a unique name"
+          ),
+        privacy_policy: Yup.string().min(1).url().nullable(),
+      }),
+    [systems, initialValues.name]
+  );
+
   const features = useFeatures();
 
   const [createSystemMutationTrigger, createSystemMutationResult] =
@@ -139,7 +153,6 @@ const SystemInformationForm = ({
   const dictionaryOptions = useAppSelector(selectAllDictEntries);
   const lockedForGVL = useAppSelector(selectLockedForGVL);
 
-  const systems = useAppSelector(selectAllSystems);
   const isEditing = useMemo(
     () =>
       Boolean(
@@ -167,14 +180,14 @@ const SystemInformationForm = ({
     formikHelpers: FormikHelpers<FormValues>
   ) => {
     let dictionaryDeclarations;
-    if (lockedForGVL && values.privacy_declarations.length === 0) {
+    if (values.vendor_id && values.privacy_declarations.length === 0) {
       const dataUseQueryResult = await getDictionaryDataUseTrigger({
         vendor_id: values.vendor_id!,
       });
       if (dataUseQueryResult.isError) {
         const dataUseErrorMsg = getErrorMessage(
           dataUseQueryResult.error,
-          `A problem occurred while fetching data uses from the GVL for your system.  Please try again.`
+          `A problem occurred while fetching data uses from Fides Compass for your system.  Please try again.`
         );
         toast({ status: "error", description: dataUseErrorMsg });
       } else if (
@@ -232,13 +245,17 @@ const SystemInformationForm = ({
     handleResult(result);
   };
 
-  const handleVendorSelected = (newVendorId: string) => {
-    console.log("hello from handleVendorSelected");
+  const handleVendorSelected = (newVendorId: string | undefined) => {
+    if (!newVendorId) {
+      dispatch(setSuggestions("hiding"));
+      dispatch(setLockedForGVL(false));
+      return;
+    }
+    dispatch(setSuggestions("showing"));
     if (
       features.tcf &&
       extractVendorSource(newVendorId) === VendorSources.GVL
     ) {
-      dispatch(setSuggestions("showing"));
       dispatch(setLockedForGVL(true));
     } else {
       dispatch(setLockedForGVL(false));
@@ -276,6 +293,7 @@ const SystemInformationForm = ({
                 <VendorSelector
                   options={dictionaryOptions}
                   onVendorSelected={handleVendorSelected}
+                  disabled={!!passedInSystem && lockedForGVL}
                 />
               ) : null}
               <DictSuggestionTextInput
@@ -304,11 +322,10 @@ const SystemInformationForm = ({
                 tooltip="What services does this system perform?"
                 disabled={lockedForGVL}
               />
-              <CustomCreatableSelect
+              <DictSuggestionCreatableSelect
                 id="tags"
                 name="tags"
                 label="System Tags"
-                variant="stacked"
                 options={
                   initialValues.tags
                     ? initialValues.tags.map((s) => ({
@@ -319,7 +336,7 @@ const SystemInformationForm = ({
                 }
                 tooltip="Are there any tags to associate with this system?"
                 isMulti
-                isDisabled={lockedForGVL}
+                disabled={lockedForGVL}
               />
             </SystemFormInputGroup>
             <SystemFormInputGroup heading="Dataset reference">
diff --git a/clients/admin-ui/src/features/system/VendorSelector.tsx b/clients/admin-ui/src/features/system/VendorSelector.tsx
index 090686631b..23ed068e2b 100644
--- a/clients/admin-ui/src/features/system/VendorSelector.tsx
+++ b/clients/admin-ui/src/features/system/VendorSelector.tsx
@@ -1,19 +1,48 @@
 import { Flex, FormControl, HStack, Text, VStack } from "@fidesui/react";
-import { Select, SingleValue } from "chakra-react-select";
+import {
+  ActionMeta,
+  chakraComponents,
+  GroupBase,
+  OptionProps,
+  Select,
+  SingleValue,
+} from "chakra-react-select";
 import { useField, useFormikContext } from "formik";
 import { useState } from "react";
 
 import { ErrorMessage, Label, Option } from "~/features/common/form/inputs";
 import QuestionTooltip from "~/features/common/QuestionTooltip";
 import { DictOption } from "~/features/plus/plus.slice";
-import { DictSuggestionToggle } from "~/features/system/dictionary-form/ToggleDictSuggestions";
 
 interface Props {
   disabled?: boolean;
   options: DictOption[];
-  onVendorSelected: (vendorId: string) => void;
+  onVendorSelected: (vendorId: string | undefined) => void;
 }
 
+const CustomDictOption: React.FC<
+  OptionProps<Option, false, GroupBase<Option>>
+> = ({ children, ...props }) => (
+  <chakraComponents.Option {...props} type="option">
+    <Flex flexDirection="column" padding={2}>
+      <Text color="gray.700" fontSize="14px" lineHeight={5} fontWeight="medium">
+        {props.data.label}
+      </Text>
+
+      {props.data.description ? (
+        <Text
+          color="gray.500"
+          fontSize="12px"
+          lineHeight={4}
+          fontWeight="normal"
+        >
+          {props.data.description}
+        </Text>
+      ) : null}
+    </Flex>
+  </chakraComponents.Option>
+);
+
 const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
   const [initialField, meta, { setValue }] = useField({ name: "vendor_id" });
   const isInvalid = !!(meta.touched && meta.error);
@@ -26,6 +55,8 @@ const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
     opt.label.toLowerCase().startsWith(searchParam.toLowerCase())
   );
 
+  const selected = options.find((o) => o.value === field.value);
+
   const handleTabPressed = () => {
     if (suggestions.length > 0 && searchParam !== suggestions[0].label) {
       setSearchParam(suggestions[0].label);
@@ -33,10 +64,16 @@ const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
     }
   };
 
-  const handleChange = (newValue: SingleValue<Option>) => {
+  const handleChange = (
+    newValue: SingleValue<Option>,
+    actionMeta: ActionMeta<Option>
+  ) => {
     if (newValue) {
       setValue(newValue.value);
       onVendorSelected(newValue.value);
+    } else if (actionMeta.action === "clear") {
+      setValue("");
+      onVendorSelected(undefined);
     }
   };
 
@@ -45,7 +82,7 @@ const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
       <FormControl isInvalid={isInvalid}>
         <VStack alignItems="start" position="relative">
           <Flex alignItems="center">
-            <Label htmlFor="vendor" fontSize="xs" my={0} mr={1}>
+            <Label htmlFor="vendor_id" fontSize="xs" my={0} mr={1}>
               Vendor
             </Label>
             <QuestionTooltip label="Enter the vendor to associate with the system" />
@@ -57,8 +94,9 @@ const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
           >
             <Select
               options={suggestions}
+              value={selected}
               onBlur={(e) => {
-                setTouched({ ...touched, test_vendor: true });
+                setTouched({ ...touched, vendor_id: true });
                 field.onBlur(e);
               }}
               onChange={handleChange}
@@ -102,6 +140,7 @@ const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
                   display: "none",
                 }),
               }}
+              components={{ Option: CustomDictOption }}
             />
             <Text
               aria-hidden
@@ -131,7 +170,6 @@ const VendorSelector = ({ disabled, options, onVendorSelected }: Props) => {
           />
         </VStack>
       </FormControl>
-      <DictSuggestionToggle />
     </HStack>
   );
 };
diff --git a/clients/admin-ui/src/features/system/dictionary-data-uses/EmptyTableState.tsx b/clients/admin-ui/src/features/system/dictionary-data-uses/EmptyTableState.tsx
index a48ab76df6..9fa3274dc7 100644
--- a/clients/admin-ui/src/features/system/dictionary-data-uses/EmptyTableState.tsx
+++ b/clients/admin-ui/src/features/system/dictionary-data-uses/EmptyTableState.tsx
@@ -1,99 +1,51 @@
 import { AddIcon, WarningTwoIcon } from "@chakra-ui/icons";
-import { Box, Button, HStack, Stack, Text, Tooltip } from "@fidesui/react";
-import { ReactNode, useMemo } from "react";
-
-import { SparkleIcon } from "../../common/Icon/SparkleIcon";
+import { Box, Button, HStack, Stack, Text } from "@fidesui/react";
+import { ReactNode } from "react";
 
 type Props = {
   title: string;
   description: string | ReactNode;
-  dictAvailable: boolean;
   handleAdd: () => void;
-  handleDictSuggestion: () => void;
-  vendorSelected: boolean;
 };
 
-const EmptyTableState = ({
-  title,
-  description,
-  dictAvailable = false,
-  handleAdd,
-  handleDictSuggestion,
-  vendorSelected,
-}: Props) => {
-  const dictDisabledTooltip = useMemo(
-    () =>
-      "You will need to select a vendor for this system before you can use the Fides dictionary. You can do this on System Information tab above.",
-    []
-  );
-
-  return (
-    <Stack
-      backgroundColor="gray.50"
-      border="1px solid"
-      borderColor={dictAvailable ? "purple.400" : "blue.500"}
-      borderRadius="md"
-      justifyContent="space-between"
-      py={4}
-      px={6}
-      data-testid="empty-state"
-    >
-      <HStack>
-        {dictAvailable ? (
-          <SparkleIcon alignSelf="start" color="purple.400" mt={0.5} />
-        ) : (
-          <WarningTwoIcon alignSelf="start" color="blue.400" mt={0.5} />
-        )}
+const EmptyTableState = ({ title, description, handleAdd }: Props) => (
+  <Stack
+    backgroundColor="gray.50"
+    border="1px solid"
+    borderColor="blue.500"
+    borderRadius="md"
+    justifyContent="space-between"
+    py={4}
+    px={6}
+    data-testid="empty-state"
+  >
+    <HStack>
+      <WarningTwoIcon alignSelf="start" color="blue.400" mt={0.5} />
 
-        <Box>
-          <Text fontWeight="bold" fontSize="sm" mb={1}>
-            {title}
-          </Text>
+      <Box>
+        <Text fontWeight="bold" fontSize="sm" mb={1}>
+          {title}
+        </Text>
 
-          <Text fontSize="sm" color="gray.600" lineHeight="5">
-            {description}
-          </Text>
-          <HStack mt={4}>
-            {dictAvailable ? (
-              <>
-                <Tooltip
-                  hasArrow
-                  placement="top"
-                  label={dictDisabledTooltip}
-                  isDisabled={vendorSelected}
-                  shouldWrapChildren
-                >
-                  <Button
-                    size="xs"
-                    colorScheme="purple"
-                    fontWeight="semibold"
-                    data-testid="dict-btn"
-                    onClick={handleDictSuggestion}
-                    rightIcon={<SparkleIcon />}
-                    disabled={!vendorSelected}
-                  >
-                    Generate data uses automatically
-                  </Button>
-                </Tooltip>
-                <Text size="sm">or</Text>
-              </>
-            ) : null}
-            <Button
-              size="xs"
-              colorScheme="black"
-              backgroundColor="primary.800"
-              fontWeight="semibold"
-              data-testid="add-btn"
-              onClick={handleAdd}
-              rightIcon={<AddIcon boxSize={2} />}
-            >
-              Add data use
-            </Button>
-          </HStack>
-        </Box>
-      </HStack>
-    </Stack>
-  );
-};
+        <Text fontSize="sm" color="gray.600" lineHeight="5">
+          {description}
+        </Text>
+        <HStack mt={4}>
+          <Button
+            size="xs"
+            colorScheme="black"
+            backgroundColor="primary.800"
+            fontWeight="semibold"
+            data-testid="add-btn"
+            onClick={handleAdd}
+            rightIcon={<AddIcon boxSize={2} />}
+          >
+            Add data use
+          </Button>
+        </HStack>
+      </Box>
+    </HStack>
+  </Stack>
+);
 
 export default EmptyTableState;
diff --git a/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx b/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
index 96e7b7f8ba..8f663745f3 100644
--- a/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
+++ b/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
@@ -12,7 +12,12 @@ import {
   Textarea,
   VStack,
 } from "@fidesui/react";
-import { MultiValue, Select, SingleValue } from "chakra-react-select";
+import {
+  CreatableSelect,
+  MultiValue,
+  Select,
+  SingleValue,
+} from "chakra-react-select";
 import { useField, useFormikContext } from "formik";
 import React, { useEffect, useRef, useState } from "react";
 
@@ -373,6 +378,132 @@ export const DictSuggestionSelect = ({
   );
 };
 
+export const DictSuggestionCreatableSelect = ({
+  label,
+  tooltip,
+  disabled,
+  isRequired = false,
+  dictField,
+  name,
+  placeholder,
+  id,
+  options,
+  isMulti = false,
+}: SelectProps) => {
+  const { field, isInvalid, isShowingSuggestions, error } = useDictSuggestion(
+    name,
+    dictField
+  );
+
+  const selected = field.value.map(
+    (fieldValue: string) =>
+      options.find((o) => o.value === fieldValue) ?? {
+        value: fieldValue,
+        label: fieldValue,
+      }
+  );
+
+  const { setFieldValue } = useFormikContext();
+
+  const handleChangeMulti = (newValue: MultiValue<SelectOption>) => {
+    setFieldValue(
+      field.name,
+      newValue.map((v) => v.value)
+    );
+  };
+
+  const handleChangeSingle = (newValue: SingleValue<SelectOption>) => {
+    setFieldValue(field.name, newValue);
+  };
+
+  const handleChange = (
+    newValue: MultiValue<SelectOption> | SingleValue<SelectOption>
+  ) =>
+    isMulti
+      ? handleChangeMulti(newValue as MultiValue<SelectOption>)
+      : handleChangeSingle(newValue as SingleValue<SelectOption>);
+
+  return (
+    <FormControl isInvalid={isInvalid} isRequired={isRequired}>
+      <VStack alignItems="start">
+        <Flex alignItems="center">
+          <Label htmlFor={id || name} fontSize="xs" my={0} mr={1}>
+            {label}
+          </Label>
+          {tooltip ? <QuestionTooltip label={tooltip} /> : null}
+        </Flex>
+        <Flex width="100%">
+          <CreatableSelect
+            {...field}
+            size="sm"
+            value={selected}
+            isDisabled={disabled}
+            isMulti={isMulti}
+            onChange={handleChange}
+            data-testid={`input-${field.name}`}
+            placeholder={placeholder}
+            options={options}
+            chakraStyles={{
+              input: (provided) => ({
+                ...provided,
+                color:
+                  isShowingSuggestions === "showing"
+                    ? "complimentary.500"
+                    : "gray.800",
+              }),
+              container: (provided) => ({
+                ...provided,
+                flexGrow: 1,
+                backgroundColor: "white",
+              }),
+              dropdownIndicator: (provided) => ({
+                ...provided,
+                bg: "transparent",
+                px: 2,
+                cursor: "inherit",
+              }),
+              indicatorSeparator: (provided) => ({
+                ...provided,
+                display: "none",
+              }),
+              multiValueLabel: (provided) => ({
+                ...provided,
+                display: "flex",
+                height: "16px",
+                alignItems: "center",
+              }),
+              multiValue: (provided) => ({
+                ...provided,
+                fontWeight: "400",
+                background: "gray.200",
+                color:
+                  isShowingSuggestions === "showing"
+                    ? "complimentary.500"
+                    : "gray.800",
+                borderRadius: "2px",
+                py: 1,
+                px: 2,
+              }),
+              multiValueRemove: (provided) => ({
+                ...provided,
+                ml: 1,
+                size: "lg",
+                width: 3,
+                height: 3,
+              }),
+            }}
+          />
+        </Flex>
+        <ErrorMessage
+          isInvalid={isInvalid}
+          message={error}
+          fieldName={field.name}
+        />
+      </VStack>
+    </FormControl>
+  );
+};
+
 export const DictSuggestionNumberInput = ({
   label,
   tooltip,
diff --git a/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationFormTab.tsx b/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationFormTab.tsx
index 48a6b2ee81..cf1a303705 100644
--- a/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationFormTab.tsx
+++ b/clients/admin-ui/src/features/system/system-form-declaration-tab/PrivacyDeclarationFormTab.tsx
@@ -232,10 +232,7 @@ const PrivacyDeclarationFormTab = ({
         <EmptyTableState
           title="You don't have a data use set up for this system yet."
           description='A Data Use is the purpose for which data is used in a system. In Fides, a system may have more than one Data Use. For example, a CRM system may be used both for "Customer Support" and also for "Email Marketing", each of these is a Data Use.'
-          dictAvailable={features.dictionaryService}
           handleAdd={handleOpenNewForm}
-          handleDictSuggestion={handleOpenDictModal}
-          vendorSelected={!!system.vendor_id}
         />
       ) : (
         <PrivacyDeclarationDisplayGroup

From 000cf26c7451b80d63e4cf443f52788d07cc83a1 Mon Sep 17 00:00:00 2001
From: Jeremy Pople <jeremy@ethyca.com>
Date: Fri, 10 Nov 2023 15:24:04 -0500
Subject: [PATCH 5/7] fix bug when no tags are in dictionary

---
 .../dictionary-form/DictSuggestionInputs.tsx    | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx b/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
index 8f663745f3..2166a51762 100644
--- a/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
+++ b/clients/admin-ui/src/features/system/dictionary-form/DictSuggestionInputs.tsx
@@ -395,13 +395,16 @@ export const DictSuggestionCreatableSelect = ({
     dictField
   );
 
-  const selected = field.value.map(
-    (fieldValue: string) =>
-      options.find((o) => o.value === fieldValue) ?? {
-        value: fieldValue,
-        label: fieldValue,
-      }
-  );
+  const selected =
+    field.value.length > 0
+      ? field.value.map(
+          (fieldValue: string) =>
+            options.find((o) => o.value === fieldValue) ?? {
+              value: fieldValue,
+              label: fieldValue,
+            }
+        )
+      : [];
 
   const { setFieldValue } = useFormikContext();
 

From 16ab5cabcd8ef5b1a9f14f6c4b514d05f6d86478 Mon Sep 17 00:00:00 2001
From: Jeremy Pople <jeremy@ethyca.com>
Date: Fri, 10 Nov 2023 15:51:46 -0500
Subject: [PATCH 6/7] remove obsolete Cypress tests

---
 clients/admin-ui/cypress/e2e/systems-plus.cy.ts | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/clients/admin-ui/cypress/e2e/systems-plus.cy.ts b/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
index 1f36b6a41d..67e25321ec 100644
--- a/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
+++ b/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
@@ -45,16 +45,6 @@ describe("System management with Plus features", () => {
       );
     });
 
-    it("can switch entries", () => {
-      cy.getSelectValueContainer("input-vendor_id").type("Aniview{enter}");
-      cy.getSelectValueContainer("input-vendor_id").contains("Aniview LTD");
-
-      cy.getSelectValueContainer("input-vendor_id").type("Anzu{enter}");
-      cy.getSelectValueContainer("input-vendor_id").contains(
-        "Anzu Virtual Reality LTD"
-      );
-    });
-
     it("locks editing for a GVL vendor when TCF is enabled", () => {
       cy.getSelectValueContainer("input-vendor_id").type("Aniview{enter}");
       cy.getByTestId("locked-for-GVL-notice");
@@ -66,8 +56,6 @@ describe("System management with Plus features", () => {
     it("can switch between tabs after populating from dictionary", () => {
       cy.wait("@getSystems");
       cy.getSelectValueContainer("input-vendor_id").type("Anzu{enter}");
-      cy.getByTestId("dict-suggestions-btn").click();
-      cy.getByTestId("toggle-dict-suggestions").click();
       // the form fetches the system again after saving, so update the intercept with dictionary values
       cy.fixture("systems/dictionary-system.json").then((dictSystem) => {
         cy.fixture("systems/system.json").then((origSystem) => {

From cd890e5dd03b753386ca9297d06343493e965efa Mon Sep 17 00:00:00 2001
From: Jeremy Pople <jeremy@ethyca.com>
Date: Mon, 13 Nov 2023 11:49:13 -0500
Subject: [PATCH 7/7] fix bug where error toast was showing on fetching data
 uses for systems with no data uses

---
 .../features/system/SystemInformationForm.tsx    | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/clients/admin-ui/src/features/system/SystemInformationForm.tsx b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
index a7c465aa5b..b2486b8cf4 100644
--- a/clients/admin-ui/src/features/system/SystemInformationForm.tsx
+++ b/clients/admin-ui/src/features/system/SystemInformationForm.tsx
@@ -28,6 +28,7 @@ import {
   extractVendorSource,
   getErrorMessage,
   isErrorResult,
+  isFetchBaseQueryError,
   VendorSources,
 } from "~/features/common/helpers";
 import { FormGuard } from "~/features/common/hooks/useIsAnyFormDirty";
@@ -185,11 +186,16 @@ const SystemInformationForm = ({
         vendor_id: values.vendor_id!,
       });
       if (dataUseQueryResult.isError) {
-        const dataUseErrorMsg = getErrorMessage(
-          dataUseQueryResult.error,
-          `A problem occurred while fetching data uses from Fides Compass for your system.  Please try again.`
-        );
-        toast({ status: "error", description: dataUseErrorMsg });
+        const isNotFoundError =
+          isFetchBaseQueryError(dataUseQueryResult.error) &&
+          dataUseQueryResult.error.status === 404;
+        if (!isNotFoundError) {
+          const dataUseErrorMsg = getErrorMessage(
+            dataUseQueryResult.error,
+            `A problem occurred while fetching data uses from Fides Compass for your system.  Please try again.`
+          );
+          toast({ status: "error", description: dataUseErrorMsg });
+        }
       } else if (
         dataUseQueryResult.data &&
         dataUseQueryResult.data.items.length > 0