From ec35d1d24841fb3e74ac28a1c2d17c124a87124e Mon Sep 17 00:00:00 2001
From: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
Date: Wed, 19 Jun 2024 13:40:56 -0700
Subject: [PATCH 01/13] empty commit to start release 2.39.0


From 151ac6bb90f0d65fcc079936bd37be7cd1170b5f Mon Sep 17 00:00:00 2001
From: Jason Gill <jason.gill@ethyca.com>
Date: Wed, 19 Jun 2024 18:24:49 -0600
Subject: [PATCH 02/13] Disable GPP stub when `initialize=false` is set until
 `Fides.init()` is called (#5010)

---
 CHANGELOG.md                                  |  3 ++
 .../fides-js/docs/interfaces/FidesEvent.md    |  4 ++
 clients/fides-js/src/docs/fides-event.ts      | 15 ++++--
 clients/fides-js/src/fides-ext-gpp.ts         |  6 ++-
 clients/fides-js/src/fides-tcf.ts             | 13 ++++++
 clients/fides-js/src/fides.ts                 | 13 ++++++
 clients/fides-js/src/lib/consent-types.ts     |  3 ++
 clients/fides-js/src/lib/events.ts            | 11 +++--
 .../cypress/e2e/consent-banner-gpp.cy.ts      | 46 +++++++++++++++----
 .../cypress/e2e/consent-banner.cy.ts          |  3 +-
 .../privacy-center/cypress/e2e/fides-js.cy.ts | 14 +++---
 .../cypress/support/commands.ts               |  4 ++
 clients/privacy-center/pages/api/fides-js.ts  | 28 +++++------
 .../public/fides-js-components-demo.html      | 19 ++++----
 14 files changed, 130 insertions(+), 52 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c0964d9d1..fdff7218d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The types of changes are:
 - New privacy request search to replace existing endpoint [#4987](https://github.com/ethyca/fides/pull/4987)
 - Added new Google Cloud SQL for MySQL Connector [#4949](https://github.com/ethyca/fides/pull/4949)
 - Add new options for integrations for discovery & detection [#5000](https://github.com/ethyca/fides/pull/5000)
+- Add new `FidesInitializing` event for when FidesJS begins initialization [#5010](https://github.com/ethyca/fides/pull/5010)
 
 ### Changed
 - Move new data map reporting table out of beta and remove old table from Data Lineage map. [#4963](https://github.com/ethyca/fides/pull/4963)
@@ -44,6 +45,8 @@ The types of changes are:
 - Masked "Keyfile credentials" input on integration config form [#4971](https://github.com/ethyca/fides/pull/4971)
 - Fixed validations for privacy declaration taxonomy labels when creating/updating a System [#4982](https://github.com/ethyca/fides/pull/4982)
 - Allow property-specific messaging to work with non-custom templates [#4986](https://github.com/ethyca/fides/pull/4986)
+- Fixed an issue where config object was being passed twice to `fides.js` output [#5010](https://github.com/ethyca/fides/pull/5010)
+- Disabling Fides initializtion now also disables GPP initialization [#5010](https://github.com/ethyca/fides/pull/5010)
 
 ## [2.38.1](https://github.com/ethyca/fides/compare/2.38.0...2.38.1)
 
diff --git a/clients/fides-js/docs/interfaces/FidesEvent.md b/clients/fides-js/docs/interfaces/FidesEvent.md
index 1dd625bc61..d7df941167 100644
--- a/clients/fides-js/docs/interfaces/FidesEvent.md
+++ b/clients/fides-js/docs/interfaces/FidesEvent.md
@@ -25,6 +25,10 @@ the browser, see the MDN docs:
 
 ### List of FidesEvent Types
 
+- `FidesInitializing`: Dispatched when initialization begins, which happens
+immediately once the FidesJS script is loaded. If `Fides.init()` is called
+multiple times, this event will also be dispatched each time.
+
 - `FidesInitialized`: Dispatched when initialization is complete and the
 current user's consent preferences - either previously saved or applicable
 defaults - have been set on the `Fides` global object.
diff --git a/clients/fides-js/src/docs/fides-event.ts b/clients/fides-js/src/docs/fides-event.ts
index 6be235ca4e..f182c32079 100644
--- a/clients/fides-js/src/docs/fides-event.ts
+++ b/clients/fides-js/src/docs/fides-event.ts
@@ -5,10 +5,11 @@
  * documentation, since it's mostly just noise there - the list of events on
  * {@link FidesEvent} provides a good reference. But when coding, it's still
  * useful to have this union type around!
- * 
+ *
  * @private
  */
 export type FidesEventType =
+  | "FidesInitializing"
   | "FidesInitialized"
   | "FidesUpdating"
   | "FidesUpdated"
@@ -41,10 +42,14 @@ export type FidesEventType =
  *
  * ### List of FidesEvent Types
  *
+ * - `FidesInitializing`: Dispatched when initialization begins, which happens
+ * immediately once the FidesJS script is loaded. If `Fides.init()` is called
+ * multiple times, this event will also be dispatched each time.
+ *
  * - `FidesInitialized`: Dispatched when initialization is complete and the
  * current user's consent preferences - either previously saved or applicable
  * defaults - have been set on the `Fides` global object.
- * 
+ *
  * - `FidesUpdating`: Dispatched when a user action (e.g. accepting all, saving
  * changes, applying GPC) has started updating the user's consent preferences.
  * This event is dispatched immediately once the changes are made, but before
@@ -58,7 +63,7 @@ export type FidesEventType =
  * object, `fides_consent` cookie on the user's device, and the Fides API. To
  * receive an event that fires before these changes are saved, use the
  * `FidesUpdating` event instead.
- * 
+ *
  * - `FidesUIShown`: Dispatched whenever a FidesJS UI component is rendered and
  * shown to the current user (banner, modal, etc.). The specific component shown
  * can be obtained from the `detail.extraDetails.servingComponent` property on
@@ -107,7 +112,7 @@ export interface FidesEvent extends CustomEvent {
       /**
        * Whether the user should be shown the consent experience. Only available on FidesInitialized events.
        */
-     shouldShowExperience?: boolean;
+      shouldShowExperience?: boolean;
 
       /**
        * What consent method (if any) caused this event.
@@ -115,4 +120,4 @@ export interface FidesEvent extends CustomEvent {
       consentMethod?: "accept" | "reject" | "save" | "dismiss" | "gpc";
     };
   };
-};
\ No newline at end of file
+}
diff --git a/clients/fides-js/src/fides-ext-gpp.ts b/clients/fides-js/src/fides-ext-gpp.ts
index d8b09b9c93..c1256a2f85 100644
--- a/clients/fides-js/src/fides-ext-gpp.ts
+++ b/clients/fides-js/src/fides-ext-gpp.ts
@@ -246,4 +246,8 @@ const initializeGppCmpApi = () => {
     cmpApi.setSignalStatus(SignalStatus.READY);
   });
 };
-initializeGppCmpApi();
+window.addEventListener("FidesInitializing", (event) => {
+  if (event.detail.extraDetails?.gppEnabled) {
+    initializeGppCmpApi();
+  }
+});
diff --git a/clients/fides-js/src/fides-tcf.ts b/clients/fides-js/src/fides-tcf.ts
index aa1dc05ab4..eb40d5cff6 100644
--- a/clients/fides-js/src/fides-tcf.ts
+++ b/clients/fides-js/src/fides-tcf.ts
@@ -124,6 +124,18 @@ async function init(this: FidesGlobal, providedConfig?: FidesConfig) {
   this.config = config; // no matter how the config is set, we want to store it on the global object
   updateWindowFides(this);
 
+  dispatchFidesEvent(
+    "FidesInitializing",
+    undefined,
+    this.config.options.debug,
+    {
+      gppEnabled:
+        this.config.options.gppEnabled ||
+        this.config.experience?.gpp_settings?.enabled,
+      tcfEnabled: this.config.options.tcfEnabled,
+    }
+  );
+
   const optionsOverrides: Partial<FidesInitOptionsOverrides> =
     getOverridesByType<Partial<FidesInitOptionsOverrides>>(
       OverrideType.OPTIONS,
@@ -235,6 +247,7 @@ const _Fides: FidesGlobal = {
     fidesApiUrl: "",
     serverSideFidesApiUrl: "",
     tcfEnabled: true,
+    gppEnabled: false,
     fidesEmbed: false,
     fidesDisableSaveApi: false,
     fidesDisableNoticesServedApi: false,
diff --git a/clients/fides-js/src/fides.ts b/clients/fides-js/src/fides.ts
index 795c7225de..c8e13aa216 100644
--- a/clients/fides-js/src/fides.ts
+++ b/clients/fides-js/src/fides.ts
@@ -93,6 +93,18 @@ async function init(this: FidesGlobal, providedConfig?: FidesConfig) {
 
   this.config = config; // no matter how the config is set, we want to store it on the global object
 
+  dispatchFidesEvent(
+    "FidesInitializing",
+    undefined,
+    this.config.options.debug,
+    {
+      gppEnabled:
+        this.config.options.gppEnabled ||
+        this.config.experience?.gpp_settings?.enabled,
+      tcfEnabled: this.config.options.tcfEnabled,
+    }
+  );
+
   const optionsOverrides: Partial<FidesInitOptionsOverrides> =
     getOverridesByType<Partial<FidesInitOptionsOverrides>>(
       OverrideType.OPTIONS,
@@ -173,6 +185,7 @@ const _Fides: FidesGlobal = {
     fidesApiUrl: "",
     serverSideFidesApiUrl: "",
     tcfEnabled: false,
+    gppEnabled: false,
     fidesEmbed: false,
     fidesDisableSaveApi: false,
     fidesDisableNoticesServedApi: false,
diff --git a/clients/fides-js/src/lib/consent-types.ts b/clients/fides-js/src/lib/consent-types.ts
index 2e02d2514a..98e7d0b6a6 100644
--- a/clients/fides-js/src/lib/consent-types.ts
+++ b/clients/fides-js/src/lib/consent-types.ts
@@ -78,6 +78,9 @@ export interface FidesInitOptions {
   // Whether we should show the TCF modal
   tcfEnabled: boolean;
 
+  // Whether to include the GPP extension
+  gppEnabled: boolean;
+
   // Whether we should "embed" the fides.js overlay UI (ie. “Layer 2”) into a web page instead of as a pop-up
   // overlay, and never render the banner (ie. “Layer 1”).
   fidesEmbed: boolean;
diff --git a/clients/fides-js/src/lib/events.ts b/clients/fides-js/src/lib/events.ts
index 8c5daba8f4..9431a5d975 100644
--- a/clients/fides-js/src/lib/events.ts
+++ b/clients/fides-js/src/lib/events.ts
@@ -12,7 +12,10 @@ declare global {
  * events. This is intentionally vague, but constrained to be basic (primitive)
  * values for simplicity.
  */
-export type FidesEventExtraDetails = Record<string, string | number | boolean>;
+export type FidesEventExtraDetails = Record<
+  string,
+  string | number | boolean | undefined
+>;
 
 /**
  * Defines the properties available on event.detail. Currently the FidesCookie
@@ -49,14 +52,14 @@ export type FidesEvent = CustomEvent<FidesEventDetail>;
  */
 export const dispatchFidesEvent = (
   type: FidesEventType,
-  cookie: FidesCookie,
+  cookie: FidesCookie | undefined,
   debug: boolean,
   extraDetails?: FidesEventExtraDetails
 ) => {
   if (typeof window !== "undefined" && typeof CustomEvent !== "undefined") {
     // Extracts consentMethod directly from the cookie instead of having to pass in duplicate data to this method
     const constructedExtraDetails: FidesEventExtraDetails = {
-      consentMethod: cookie.fides_meta.consentMethod,
+      consentMethod: cookie?.fides_meta.consentMethod,
       ...extraDetails,
     };
     const event = new CustomEvent(type, {
@@ -68,7 +71,7 @@ export const dispatchFidesEvent = (
         constructedExtraDetails?.servingComponent
           ? `from ${constructedExtraDetails.servingComponent} `
           : ""
-      }with cookie ${JSON.stringify(cookie)} ${
+      }${cookie ? `with cookie ${JSON.stringify(cookie)} ` : ""}${
         constructedExtraDetails
           ? `with extra details ${JSON.stringify(constructedExtraDetails)} `
           : ""
diff --git a/clients/privacy-center/cypress/e2e/consent-banner-gpp.cy.ts b/clients/privacy-center/cypress/e2e/consent-banner-gpp.cy.ts
index 621ec0befd..143f148d88 100644
--- a/clients/privacy-center/cypress/e2e/consent-banner-gpp.cy.ts
+++ b/clients/privacy-center/cypress/e2e/consent-banner-gpp.cy.ts
@@ -19,9 +19,12 @@ describe("Fides-js GPP extension", () => {
   /**
    * Visit the fides-js-components-demo page with optional overrides on experience
    */
-  const visitDemoWithGPP = (props: {
-    overrideExperience?: (experience: PrivacyExperience) => PrivacyExperience;
-  }) => {
+  const visitDemoWithGPP = (
+    props: {
+      overrideExperience?: (experience: PrivacyExperience) => PrivacyExperience;
+    },
+    queryParams?: Cypress.VisitOptions["qs"]
+  ) => {
     cy.fixture("consent/experience_gpp.json").then((payload) => {
       let experience = payload.items[0];
       if (props.overrideExperience) {
@@ -31,13 +34,18 @@ describe("Fides-js GPP extension", () => {
           experience
         );
       }
-      stubConfig({
-        options: {
-          isOverlayEnabled: true,
-          tcfEnabled: false,
+      stubConfig(
+        {
+          options: {
+            isOverlayEnabled: true,
+            tcfEnabled: false,
+          },
+          experience,
         },
-        experience,
-      });
+        undefined,
+        undefined,
+        queryParams
+      );
     });
   };
 
@@ -67,6 +75,26 @@ describe("Fides-js GPP extension", () => {
     });
   });
 
+  describe("Fides is not initialized", () => {
+    beforeEach(() => {
+      visitDemoWithGPP({}, { init: false });
+    });
+    it("does not load the GPP extension", () => {
+      cy.get("@FidesInitializing").should("not.have.been.called");
+      cy.window().then((win) => {
+        expect(win.__gpp).to.eql(undefined);
+      });
+    });
+    it("can still load the GPP extension if initialized later", () => {
+      cy.window().then((win) => {
+        win.Fides.init(win.Fides.config);
+        cy.waitUntilFidesInitialized().then(() => {
+          expect(win.__gpp).to.not.eql(undefined);
+        });
+      });
+    });
+  });
+
   describe("with TCF and GPP enabled", () => {
     const tcfGppSettings = { enabled: true, enable_tcfeu_string: true };
     beforeEach(() => {
diff --git a/clients/privacy-center/cypress/e2e/consent-banner.cy.ts b/clients/privacy-center/cypress/e2e/consent-banner.cy.ts
index b03f471c5e..69236431d2 100644
--- a/clients/privacy-center/cypress/e2e/consent-banner.cy.ts
+++ b/clients/privacy-center/cypress/e2e/consent-banner.cy.ts
@@ -1649,11 +1649,12 @@ describe("Consent overlay", () => {
           isOverlayEnabled: true,
         },
       });
+      cy.get("@FidesInitializing").should("have.been.calledOnce");
     });
 
     // NOTE: See definition of cy.visitConsentDemo in commands.ts for where we
     // register listeners for these window events
-    it("emits a FidesInitialized but not any other events when initialized", () => {
+    it("emits a FidesInitialized but not any subsequent events when initialized", () => {
       cy.window()
         .its("Fides")
         .its("consent")
diff --git a/clients/privacy-center/cypress/e2e/fides-js.cy.ts b/clients/privacy-center/cypress/e2e/fides-js.cy.ts
index a2dcc25b51..b82792b34b 100644
--- a/clients/privacy-center/cypress/e2e/fides-js.cy.ts
+++ b/clients/privacy-center/cypress/e2e/fides-js.cy.ts
@@ -15,10 +15,10 @@ describe("fides.js API route", () => {
         .to.match(/^\s+\(function/, "should be an IIFE")
         .to.match(/\}\)\(\);\s+$/, "should be an IIFE");
       expect(response.body)
-        .to.match(/var fidesConfig = \{/, "should bundle Fides.init")
-        .to.match(/Fides.init\(fidesConfig\);/, "should bundle Fides.init");
+        .to.match(/window.Fides.config = \{/, "should bundle Fides.init")
+        .to.match(/Fides.init\(\);/, "should call Fides.init");
       const matches = response.body.match(
-        /var fidesConfig = (?<json>\{.*?\});/
+        /window.Fides.config = (?<json>\{.*?\});/
       );
       expect(matches).to.have.nested.property("groups.json");
       expect(JSON.parse(matches.groups.json))
@@ -44,9 +44,9 @@ describe("fides.js API route", () => {
   describe("when pre-fetching geolocation", () => {
     it("returns geolocation if provided as a '?geolocation' query param", () => {
       cy.request("/fides.js?geolocation=US-CA").then((response) => {
-        expect(response.body).to.match(/var fidesConfig = \{/);
+        expect(response.body).to.match(/window.Fides.config = \{/);
         const matches = response.body.match(
-          /var fidesConfig = (?<json>\{.*?\});/
+          /window.Fides.config = (?<json>\{.*?\});/
         );
         expect(JSON.parse(matches.groups.json))
           .to.have.nested.property("geolocation")
@@ -66,9 +66,9 @@ describe("fides.js API route", () => {
           "CloudFront-Viewer-Country-Region": "IDF",
         },
       }).then((response) => {
-        expect(response.body).to.match(/var fidesConfig = \{/);
+        expect(response.body).to.match(/window.Fides.config = \{/);
         const matches = response.body.match(
-          /var fidesConfig = (?<json>\{.*?\});/
+          /window.Fides.config = (?<json>\{.*?\});/
         );
         expect(JSON.parse(matches.groups.json))
           .to.have.nested.property("geolocation")
diff --git a/clients/privacy-center/cypress/support/commands.ts b/clients/privacy-center/cypress/support/commands.ts
index ce1bc0a647..92d36d329f 100644
--- a/clients/privacy-center/cypress/support/commands.ts
+++ b/clients/privacy-center/cypress/support/commands.ts
@@ -97,6 +97,10 @@ Cypress.Commands.add(
         }
 
         // Add event listeners for Fides.js events
+        win.addEventListener(
+          "FidesInitializing",
+          cy.stub().as("FidesInitializing")
+        );
         win.addEventListener(
           "FidesInitialized",
           cy.stub().as("FidesInitialized")
diff --git a/clients/privacy-center/pages/api/fides-js.ts b/clients/privacy-center/pages/api/fides-js.ts
index a5e639b0ff..b380078859 100644
--- a/clients/privacy-center/pages/api/fides-js.ts
+++ b/clients/privacy-center/pages/api/fides-js.ts
@@ -167,11 +167,9 @@ export default async function handler(
     }
   }
 
-  // These query params are used for testing purposes only, and should not be used
-  // in production. They allow for the config to be injected by the test framework
-  // and delay the initialization of fides.js until the test framework is ready.
-  const { e2e: e2eQuery, tcf: tcfQuery } = req.query;
-  const isTestMode = e2eQuery === "true";
+  // This query param is used for testing purposes only, and should not be used
+  // in production.
+  const { tcf: tcfQuery } = req.query;
 
   // We determine server-side whether or not to send the TCF bundle, which is based
   // on whether or not the experience is marked as TCF. This means for TCF, we *must*
@@ -209,6 +207,7 @@ export default async function handler(
       privacyCenterUrl: environment.settings.PRIVACY_CENTER_URL,
       fidesApiUrl: environment.settings.FIDES_API_URL,
       tcfEnabled,
+      gppEnabled,
       serverSideFidesApiUrl:
         environment.settings.SERVER_SIDE_FIDES_API_URL ||
         environment.settings.FIDES_API_URL,
@@ -289,18 +288,13 @@ export default async function handler(
     document.head.append(style);
     `
       : ""
-  }${
-    isTestMode // let end-to-end tests set the config and initialize as needed
-      ? ""
-      : `
-    var fidesConfig = ${fidesConfigJSON};
-    window.Fides.config = ${fidesConfigJSON};
-    ${skipInitialization ? "" : `window.Fides.init(fidesConfig);`}
-    ${
-      environment.settings.DEBUG && skipInitialization
-        ? `console.log("fides.js initialization skipped. Call window.Fides.init() manually.");`
-        : ""
-    }`
+  }
+  window.Fides.config = ${fidesConfigJSON};
+  ${skipInitialization ? "" : `window.Fides.init();`}
+  ${
+    environment.settings.DEBUG && skipInitialization
+      ? `console.log("Fides initialization skipped. Call window.Fides.init() manually.");`
+      : ""
   }
   })();
   `;
diff --git a/clients/privacy-center/public/fides-js-components-demo.html b/clients/privacy-center/public/fides-js-components-demo.html
index 4a6632e84a..e81e5a59d0 100644
--- a/clients/privacy-center/public/fides-js-components-demo.html
+++ b/clients/privacy-center/public/fides-js-components-demo.html
@@ -10,20 +10,20 @@
       will pass a geolocation query param to fides.js
     -->
     <script>
+      const params = new URLSearchParams(window.location.search);
       (function () {
         const tcfEnabled = window.fidesConfig?.options?.tcfEnabled;
-        const params = new URLSearchParams(window.location.search);
+        const gppEnabled =
+          window.fidesConfig?.experience?.gpp_settings?.enabled;
         const geolocation = params.get("geolocation");
-        const src = `/fides.js?e2e=true${tcfEnabled ? "&tcf=true" : ""}${
+        const src = `/fides.js?initialize=false${
+          tcfEnabled ? "&tcf=true" : ""
+        }${gppEnabled ? "&gpp=true" : ""}${
           !!params.size ? `&${params.toString()}` : ""
         }`;
 
         document.write('<script src="' + src + '"><\/script>');
       })();
-      (function () {
-        if (window.fidesConfig?.experience?.gpp_settings?.enabled)
-          document.write('<script src="./lib/fides-ext-gpp.js"><\/script>');
-      })();
       var deleteCookie = function () {
         document.cookie =
           "fides_consent=;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
@@ -33,6 +33,7 @@
     <script>
       // Our cypress test suite requires injecting consent options through an obj on window
       // we default to the below for dev purposes
+      const init = params.get("init");
       var fidesConfig = window.fidesConfig || {
         consent: {
           options: [
@@ -201,8 +202,10 @@
           fidesPrimaryColor: "#008000",
         },
       };
-      window.Fides.init(fidesConfig);
-      Fides.gtm();
+      if (init !== "false") {
+        window.Fides.init(fidesConfig);
+        Fides.gtm();
+      }
     </script>
 
     <style>

From 57172b945c29939662e63f66a6595e5629f710f6 Mon Sep 17 00:00:00 2001
From: Jason Gill <jason.gill@ethyca.com>
Date: Thu, 20 Jun 2024 09:44:03 -0600
Subject: [PATCH 03/13] consistent casing (#5012)

---
 .../src/features/privacy-requests/RequestTableColumns.tsx   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/clients/admin-ui/src/features/privacy-requests/RequestTableColumns.tsx b/clients/admin-ui/src/features/privacy-requests/RequestTableColumns.tsx
index 727e586abc..6cdde7a11b 100644
--- a/clients/admin-ui/src/features/privacy-requests/RequestTableColumns.tsx
+++ b/clients/admin-ui/src/features/privacy-requests/RequestTableColumns.tsx
@@ -57,7 +57,7 @@ export const getRequestTableColumns = (revealPII = false) => [
         <DefaultCell value={getPII(getValue(), revealPII)} />
       ),
       header: (props) => (
-        <DefaultHeaderCell value="Subject Identity" {...props} />
+        <DefaultHeaderCell value="Subject identity" {...props} />
       ),
       enableSorting: false,
     }
@@ -65,14 +65,14 @@ export const getRequestTableColumns = (revealPII = false) => [
   columnHelper.accessor((row) => row.created_at, {
     id: COLUMN_IDS.TIME_RECIEVED,
     cell: ({ getValue }) => <DefaultCell value={formatDate(getValue())} />,
-    header: (props) => <DefaultHeaderCell value="Time Received" {...props} />,
+    header: (props) => <DefaultHeaderCell value="Time received" {...props} />,
   }),
   columnHelper.accessor((row) => row.reviewer?.username || "", {
     id: COLUMN_IDS.REVIEWER,
     cell: ({ getValue }) => (
       <DefaultCell value={getPII(getValue(), revealPII)} /> // NOTE: this field does not get set when reviewed as root user
     ),
-    header: (props) => <DefaultHeaderCell value="Reviewed By" {...props} />,
+    header: (props) => <DefaultHeaderCell value="Reviewed by" {...props} />,
     enableSorting: false,
   }),
   columnHelper.accessor((row) => row.id, {

From 5236f71c9495373d62cf6aa2ebb71fe3328b69a3 Mon Sep 17 00:00:00 2001
From: Catherine Smith <eastandwestwind@gmail.com>
Date: Thu, 20 Jun 2024 18:50:21 +0200
Subject: [PATCH 04/13] PROD-2230: Fix table cell formatting for vendors
 (#5013)

---
 CHANGELOG.md                                  |  3 +-
 .../src/features/common/table/v2/cells.tsx    | 32 +++++++++++++++++
 .../src/features/common/table/v2/index.ts     |  1 +
 .../ConsentManagementTable.tsx                | 34 +++++++++++++++----
 .../datamap/reporting/DatamapReportTable.tsx  |  2 +-
 5 files changed, 64 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fdff7218d0..4abdbd00f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,7 +46,8 @@ The types of changes are:
 - Fixed validations for privacy declaration taxonomy labels when creating/updating a System [#4982](https://github.com/ethyca/fides/pull/4982)
 - Allow property-specific messaging to work with non-custom templates [#4986](https://github.com/ethyca/fides/pull/4986)
 - Fixed an issue where config object was being passed twice to `fides.js` output [#5010](https://github.com/ethyca/fides/pull/5010)
-- Disabling Fides initializtion now also disables GPP initialization [#5010](https://github.com/ethyca/fides/pull/5010)
+- Disabling Fides initialization now also disables GPP initialization [#5010](https://github.com/ethyca/fides/pull/5010)
+- Fixes Vendor table formatting [#5013](https://github.com/ethyca/fides/pull/5013)
 
 ## [2.38.1](https://github.com/ethyca/fides/compare/2.38.0...2.38.1)
 
diff --git a/clients/admin-ui/src/features/common/table/v2/cells.tsx b/clients/admin-ui/src/features/common/table/v2/cells.tsx
index 293fe7fde3..a591195657 100644
--- a/clients/admin-ui/src/features/common/table/v2/cells.tsx
+++ b/clients/admin-ui/src/features/common/table/v2/cells.tsx
@@ -94,6 +94,38 @@ export const BadgeCell = ({
   </BadgeCellContainer>
 );
 
+export const BadgeCellCount = ({
+  count,
+  singSuffix,
+  plSuffix,
+  ...badgeProps
+}: {
+  count: number;
+  singSuffix?: string;
+  plSuffix?: string;
+} & BadgeProps) => {
+  // If count is 1, display count with singular suffix
+  let badge = null;
+  if (count === 1) {
+    badge = (
+      <FidesBadge {...badgeProps}>
+        {count}
+        {singSuffix ? ` ${singSuffix}` : null}
+      </FidesBadge>
+    );
+  }
+  // If count is 0 or > 1, display count with plural suffix
+  else {
+    badge = (
+      <FidesBadge {...badgeProps}>
+        {count}
+        {plSuffix ? ` ${plSuffix}` : null}
+      </FidesBadge>
+    );
+  }
+  return <BadgeCellContainer>{badge}</BadgeCellContainer>;
+};
+
 export const GroupCountBadgeCell = ({
   value,
   suffix,
diff --git a/clients/admin-ui/src/features/common/table/v2/index.ts b/clients/admin-ui/src/features/common/table/v2/index.ts
index 883a8b6864..7b6bd7bf65 100644
--- a/clients/admin-ui/src/features/common/table/v2/index.ts
+++ b/clients/admin-ui/src/features/common/table/v2/index.ts
@@ -1,5 +1,6 @@
 export {
   BadgeCell,
+  BadgeCellCount,
   DefaultCell,
   DefaultHeaderCell,
   GroupCountBadgeCell,
diff --git a/clients/admin-ui/src/features/configure-consent/ConsentManagementTable.tsx b/clients/admin-ui/src/features/configure-consent/ConsentManagementTable.tsx
index 0029897c5f..f4d0e9c3dd 100644
--- a/clients/admin-ui/src/features/configure-consent/ConsentManagementTable.tsx
+++ b/clients/admin-ui/src/features/configure-consent/ConsentManagementTable.tsx
@@ -6,7 +6,7 @@ import {
 } from "@tanstack/react-table";
 import { useFeatures } from "common/features";
 import {
-  BadgeCell,
+  BadgeCellCount,
   DefaultCell,
   DefaultHeaderCell,
   FidesTableV2,
@@ -163,33 +163,55 @@ export const ConsentManagementTable = () => {
       columnHelper.accessor((row) => row.data_uses, {
         id: "tcf_purpose",
         cell: (props) => (
-          <BadgeCell suffix="purposes" value={props.getValue()} />
+          <BadgeCellCount
+            plSuffix="purposes"
+            singSuffix="purpose"
+            count={props.getValue()}
+          />
         ),
         header: (props) => <DefaultHeaderCell value="TCF purpose" {...props} />,
       }),
       columnHelper.accessor((row) => row.data_uses, {
         id: "data_uses",
         cell: (props) => (
-          <BadgeCell suffix="data uses" value={props.getValue()} />
+          <BadgeCellCount
+            plSuffix="data uses"
+            singSuffix="data use"
+            count={props.getValue()}
+          />
         ),
         header: (props) => <DefaultHeaderCell value="Data use" {...props} />,
       }),
       columnHelper.accessor((row) => row.legal_bases, {
         id: "legal_bases",
-        cell: (props) => <BadgeCell suffix="bases" value={props.getValue()} />,
+        cell: (props) => (
+          <BadgeCellCount
+            plSuffix="bases"
+            singSuffix="basis"
+            count={props.getValue()}
+          />
+        ),
         header: (props) => <DefaultHeaderCell value="Legal basis" {...props} />,
       }),
       columnHelper.accessor((row) => row.consent_categories, {
         id: "consent_categories",
         cell: (props) => (
-          <BadgeCell suffix="Categories" value={props.getValue()} />
+          <BadgeCellCount
+            plSuffix="categories"
+            singSuffix="category"
+            count={props.getValue()}
+          />
         ),
         header: (props) => <DefaultHeaderCell value="Categories" {...props} />,
       }),
       columnHelper.accessor((row) => row.cookies, {
         id: "cookies",
         cell: (props) => (
-          <BadgeCell suffix="Cookies" value={props.getValue()} />
+          <BadgeCellCount
+            plSuffix="cookies"
+            singSuffix="cookie"
+            count={props.getValue()}
+          />
         ),
         header: (props) => <DefaultHeaderCell value="Cookies" {...props} />,
       }),
diff --git a/clients/admin-ui/src/features/datamap/reporting/DatamapReportTable.tsx b/clients/admin-ui/src/features/datamap/reporting/DatamapReportTable.tsx
index c8e997baba..06ca3db368 100644
--- a/clients/admin-ui/src/features/datamap/reporting/DatamapReportTable.tsx
+++ b/clients/admin-ui/src/features/datamap/reporting/DatamapReportTable.tsx
@@ -786,7 +786,7 @@ export const DatamapReportTable = () => {
         id: COLUMN_IDS.RESPONSIBILITY,
         cell: (props) => (
           <GroupCountBadgeCell
-            suffix="responsibilitlies"
+            suffix="responsibilities"
             value={props.getValue()}
             {...props}
           />

From fc3f8db252f14ecd68ef15b559c677c6f88727e6 Mon Sep 17 00:00:00 2001
From: jpople <jeremy@ethyca.com>
Date: Thu, 20 Jun 2024 16:02:49 -0400
Subject: [PATCH 05/13] Update copy on new integrations UI (#5007)

---
 CHANGELOG.md                                  |   1 +
 .../src/features/common/copy/components.tsx   |  54 ++++++-
 .../ConfigureMonitorDatabasesForm.tsx         |  12 +-
 .../configure-monitor/MonitorConfigTab.tsx    |   8 +-
 .../integration-type-info/bigqueryInfo.tsx    | 146 +++++++-----------
 .../integration-type-info/dynamoInfo.tsx      | 114 ++++++++++----
 .../integration-type-info/s3Info.tsx          | 131 +++++++++++++---
 .../integration-type-info/scyllaInfo.tsx      |  15 +-
 8 files changed, 323 insertions(+), 158 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4abdbd00f3..e052e4a66f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ The types of changes are:
 - Move new data map reporting table out of beta and remove old table from Data Lineage map. [#4963](https://github.com/ethyca/fides/pull/4963)
 - Disable the 'connect to a database' button if the `dataDiscoveryAndDetection` feature flag is enabled [#1455](https://github.com/ethyca/fidesplus/pull/1455)
 - Upgrade Privacy Request table to use FidesTable V2 [#4990](https://github.com/ethyca/fides/pull/4990)
+- Add copy to project selection modal and tweak copy on discovery monitors table [#5007](https://github.com/ethyca/fides/pull/5007)
 
 ### Fixed
 - Fixed an issue where the GPP signal status was prematurely set to `ready` in some scenarios [#4957](https://github.com/ethyca/fides/pull/4957)
diff --git a/clients/admin-ui/src/features/common/copy/components.tsx b/clients/admin-ui/src/features/common/copy/components.tsx
index b028b57174..d017d086a1 100644
--- a/clients/admin-ui/src/features/common/copy/components.tsx
+++ b/clients/admin-ui/src/features/common/copy/components.tsx
@@ -1,4 +1,18 @@
-import { Heading, Link, OrderedList, Text, UnorderedList } from "fidesui";
+import {
+  Code,
+  Heading,
+  Link,
+  OrderedList,
+  Table,
+  Tag,
+  Tbody,
+  Td,
+  Text,
+  Th,
+  Thead,
+  Tr,
+  UnorderedList,
+} from "fidesui";
 import { ReactNode } from "react";
 
 export const InfoHeading = ({ text }: { text: string }) => (
@@ -32,7 +46,43 @@ export const InfoUnorderedList = ({ children }: { children: ReactNode }) => (
 );
 
 export const InfoOrderedList = ({ children }: { children: ReactNode }) => (
-  <OrderedList fontSize="14px" mb={4}>
+  <OrderedList fontSize="14px" mb={4} ml={6}>
     {children}
   </OrderedList>
 );
+
+export const InfoCodeBlock = ({ children }: { children: ReactNode }) => (
+  <Code display="block" whiteSpace="pre" p={4} mb={4} overflowX="scroll">
+    {children}
+  </Code>
+);
+
+export interface PermissionsTableItem {
+  permission: string;
+  description: string;
+}
+
+export const InfoPermissionsTable = ({
+  data,
+}: {
+  data: PermissionsTableItem[];
+}) => (
+  <Table fontSize="14px">
+    <Thead>
+      <Tr>
+        <Th>Permission</Th>
+        <Th>Description</Th>
+      </Tr>
+    </Thead>
+    <Tbody>
+      {data.map((item) => (
+        <Tr key={item.permission}>
+          <Td>
+            <Tag>{item.permission}</Tag>
+          </Td>
+          <Td>{item.description}</Td>
+        </Tr>
+      ))}
+    </Tbody>
+  </Table>
+);
diff --git a/clients/admin-ui/src/features/integrations/configure-monitor/ConfigureMonitorDatabasesForm.tsx b/clients/admin-ui/src/features/integrations/configure-monitor/ConfigureMonitorDatabasesForm.tsx
index ba1c5e0ed4..1da698485f 100644
--- a/clients/admin-ui/src/features/integrations/configure-monitor/ConfigureMonitorDatabasesForm.tsx
+++ b/clients/admin-ui/src/features/integrations/configure-monitor/ConfigureMonitorDatabasesForm.tsx
@@ -1,8 +1,9 @@
-import { Button, ButtonGroup, Flex, Spinner } from "fidesui";
+import { Button, ButtonGroup, Flex, Spinner, Text } from "fidesui";
 import { useEffect, useState } from "react";
 
 import useQueryResultToast from "~/features/common/form/useQueryResultToast";
 import { PickerCheckboxList } from "~/features/common/PickerCard";
+import QuestionTooltip from "~/features/common/QuestionTooltip";
 import {
   PaginationBar,
   useServerSidePagination,
@@ -22,6 +23,9 @@ const EMPTY_RESPONSE = {
   pages: 0,
 };
 
+const TOOLTIP_COPY =
+  "Select projects to restrict which datasets this monitor can access. If no projects are selected, the monitor will observe all current and future projects.";
+
 const ConfigureMonitorDatabasesForm = ({
   monitor,
   onClose,
@@ -86,7 +90,11 @@ const ConfigureMonitorDatabasesForm = ({
 
   return (
     <>
-      <Flex p={4}>
+      <Flex p={4} direction="column">
+        <Flex direction="row" mb={4} gap={1} align="center">
+          <Text fontSize="sm">Select projects to monitor</Text>
+          <QuestionTooltip label={TOOLTIP_COPY} />
+        </Flex>
         <PickerCheckboxList
           title="Select all projects"
           items={databases.map((d) => ({ id: d, name: d }))}
diff --git a/clients/admin-ui/src/features/integrations/configure-monitor/MonitorConfigTab.tsx b/clients/admin-ui/src/features/integrations/configure-monitor/MonitorConfigTab.tsx
index 9f459f7f31..e8e34ac691 100644
--- a/clients/admin-ui/src/features/integrations/configure-monitor/MonitorConfigTab.tsx
+++ b/clients/admin-ui/src/features/integrations/configure-monitor/MonitorConfigTab.tsx
@@ -187,10 +187,10 @@ const MonitorConfigTab = ({
   return (
     <>
       <Text maxW="720px" mb={6} fontSize="sm">
-        Data discovery monitors observe configured systems for data model
-        changes to proactively discover and classify data risks. You can create
-        multiple monitors to observe part or all of a project, dataset, table or
-        API for changes and assign these to different data stewards.
+        A data discovery monitor observes configured systems for data model
+        changes to proactively discover and classify data risks. Monitors can
+        observe part or all of a project, dataset, table, or API for changes and
+        each can be assigned to a different data steward.
       </Text>
       <TableActionBar>
         <Spacer />
diff --git a/clients/admin-ui/src/features/integrations/integration-type-info/bigqueryInfo.tsx b/clients/admin-ui/src/features/integrations/integration-type-info/bigqueryInfo.tsx
index 307a80b447..6bee487a33 100644
--- a/clients/admin-ui/src/features/integrations/integration-type-info/bigqueryInfo.tsx
+++ b/clients/admin-ui/src/features/integrations/integration-type-info/bigqueryInfo.tsx
@@ -1,14 +1,15 @@
-import { Code, ListItem, Table, Tbody, Td, Th, Thead, Tr } from "fidesui";
+import { ListItem } from "fidesui";
 
 import {
+  InfoCodeBlock,
   InfoHeading,
   InfoLink,
   InfoOrderedList,
+  InfoPermissionsTable,
   InfoText,
   InfoUnorderedList,
 } from "~/features/common/copy/components";
 import ShowMoreContent from "~/features/common/copy/ShowMoreContent";
-import Tag from "~/features/common/Tag";
 import { ConnectionCategory } from "~/features/integrations/ConnectionCategory";
 import { AccessLevel, ConnectionType } from "~/types/api";
 
@@ -102,6 +103,52 @@ export const BigQueryOverview = () => (
   </>
 );
 
+const FIDES_PERMISSIONS = [
+  {
+    permission: "bigquery.jobs.create",
+    description:
+      "Run jobs (e.g. queries) within the project. This is only needed for the Fides Project where the Fides service account is located.",
+  },
+  {
+    permission: "bigquery.jobs.list",
+    description:
+      "Manage the queries that the service account performs. This is only needed for the Fides Project where the Fides service account is located.",
+  },
+  {
+    permission: "bigquery.routines.get",
+    description:
+      "Allow the service account to retrieve custom routines (e.g. queries) on associated datasets and tables.",
+  },
+  {
+    permission: "bigquery.routines.list",
+    description:
+      "Allow the service account to manage the custom routines (e.g. queries) that run on associated datasets and tables.",
+  },
+];
+
+const MONITORED_PROJECT_PERMISSIONS = [
+  {
+    permission: "bigquery.datasets.get",
+    description: "Retrieve metadata and list tables for the specified project.",
+  },
+  {
+    permission: "bigquery.tables.get",
+    description: "Retrieve metadata for the specified table.",
+  },
+  {
+    permission: "bigquery.tables.getData",
+    description: "Read data in the specified table.",
+  },
+  {
+    permission: "bigquery.tables.list",
+    description: "List all tables in the specified dataset.",
+  },
+  {
+    permission: "bigquery.projects.get",
+    description: "Retrieve metadata for the specified project.",
+  },
+];
+
 export const BigQueryInstructions = () => (
   <>
     <InfoHeading text="Configuring a Fides -> BigQuery Integration" />
@@ -130,100 +177,13 @@ export const BigQueryInstructions = () => (
         Assign the following permissions to the Fides Project that will be used
         by your Fides service account to run queries:
       </InfoText>
-      <Table fontSize="14px">
-        <Thead>
-          <Tr>
-            <Th>Permission</Th>
-            <Th>Description</Th>
-          </Tr>
-        </Thead>
-        <Tbody>
-          <Tr>
-            <Td>
-              <Tag>bigquery.jobs.create</Tag>
-            </Td>
-            <Td>
-              Run jobs (e.g. queries) within the project. This is only needed
-              for the Fides Project where the Fides service account is located.
-            </Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.jobs.list</Tag>
-            </Td>
-            <Td>
-              Manage the queries that the service account performs. This is only
-              needed for the Fides Project where the Fides service account is
-              located.
-            </Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.routines.get</Tag>
-            </Td>
-            <Td>
-              Allow the service account to retrieve custom routines (e.g.
-              queries) on associated datasets and tables.
-            </Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.routines.list</Tag>
-            </Td>
-            <Td>
-              Allow the service account to manage the custom routines (e.g.
-              queries) that run on associated datasets and tables.
-            </Td>
-          </Tr>
-        </Tbody>
-      </Table>
+      <InfoPermissionsTable data={FIDES_PERMISSIONS} />
       <InfoHeading text="Step 4: Assign permissions to any project you’d like Fides to monitor" />
       <InfoText>
         Grant the following permissions to the Fides service account in every
         project where you would like Fides detection and discovery monitoring.
       </InfoText>
-      <Table fontSize="14px">
-        <Thead>
-          <Tr>
-            <Th>Permission</Th>
-            <Th>Description</Th>
-          </Tr>
-        </Thead>
-        <Tbody>
-          <Tr>
-            <Td>
-              <Tag>bigquery.datasets.get</Tag>
-            </Td>
-            <Td>
-              Retrieve metadata and list tables for the specified project.
-            </Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.tables.get</Tag>
-            </Td>
-            <Td>Retrieve metadata for the specified table.</Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.tables.getData</Tag>
-            </Td>
-            <Td>Read data in the specified table.</Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.tables.list</Tag>
-            </Td>
-            <Td>List all tables in the specified dataset.</Td>
-          </Tr>
-          <Tr>
-            <Td>
-              <Tag>bigquery.projects.get</Tag>
-            </Td>
-            <Td>Retrieve metadata for the specified project.</Td>
-          </Tr>
-        </Tbody>
-      </Table>
+      <InfoPermissionsTable data={MONITORED_PROJECT_PERMISSIONS} />
       <InfoHeading text="Step 5: Create a Fides service account in the Fides Project" />
       <InfoOrderedList>
         <ListItem>
@@ -244,9 +204,7 @@ export const BigQueryInstructions = () => (
           An example of this is below:
         </ListItem>
       </InfoOrderedList>
-      <Code display="block" whiteSpace="pre" p={4} mb={4} overflowX="scroll">
-        {SAMPLE_JSON}
-      </Code>
+      <InfoCodeBlock>{SAMPLE_JSON}</InfoCodeBlock>
       <InfoHeading text="Step 6: Use the JSON key to authenticate your integration" />
       <InfoText>
         Provide the JSON key to your Fides instance to securely connect Fides.
diff --git a/clients/admin-ui/src/features/integrations/integration-type-info/dynamoInfo.tsx b/clients/admin-ui/src/features/integrations/integration-type-info/dynamoInfo.tsx
index c39f1d5b78..306f3579bd 100644
--- a/clients/admin-ui/src/features/integrations/integration-type-info/dynamoInfo.tsx
+++ b/clients/admin-ui/src/features/integrations/integration-type-info/dynamoInfo.tsx
@@ -1,7 +1,10 @@
-import { ListItem } from "fidesui";
+import { Code, ListItem } from "fidesui";
 
 import {
   InfoHeading,
+  InfoLink,
+  InfoOrderedList,
+  InfoPermissionsTable,
   InfoText,
   InfoUnorderedList,
 } from "~/features/common/copy/components";
@@ -17,51 +20,108 @@ export const DYNAMO_PLACEHOLDER = {
   created_at: "",
 };
 
-export const DYNAMO_TAGS = ["Database", "DynamoDB", "Tag 3", "Tag 4"];
+export const DYNAMO_TAGS = ["Database", "DynamoDB", "Discovery", "Inventory"];
 
 export const DynamoOverview = () => (
   <>
     <InfoHeading text="Overview" />
     <InfoText>
-      Here&apos;s some example copy talking about DynamoDB. Lorem ipsum dolor
-      sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut
-      labore et dolore magna aliqua. Faucibus a pellentesque sit amet porttitor.
-      Risus nullam eget felis eget. Neque aliquam vestibulum morbi blandit. In
-      ante metus dictum at tempor commodo ullamcorper a lacus. Placerat in
-      egestas erat imperdiet. Elit duis tristique sollicitudin nibh sit.
+      Continuously monitor DynamoDB to detect and track schema-level changes,
+      automatically discover and label data categories as well as automatically
+      process DSR (privacy requests) and consent enforcement to proactively
+      manage data governance risks.
     </InfoText>
     <ShowMoreContent>
-      <InfoHeading text="Some List" />
+      <InfoHeading text="Categories" />
       <InfoUnorderedList>
-        <ListItem>Item 1</ListItem>
-        <ListItem>Item 2</ListItem>
-        <ListItem>Item 3</ListItem>
-        <ListItem>Item 4</ListItem>
+        <ListItem>NoSQL database</ListItem>
+        <ListItem>Storage system</ListItem>
+        <ListItem>Cloud provider</ListItem>
+        <ListItem>Data detection</ListItem>
+        <ListItem>Data discovery</ListItem>
+      </InfoUnorderedList>
+      <InfoHeading text="Permissions and Policies" />
+      <InfoText>
+        For detection and discovery, Fides requires an IAM user with read-only
+        DynamoDB permissions in order to detect, discover, and classify
+        sensitive data. The AWS-managed{" "}
+        <Code>AmazonDynamoDBReadOnlyAccess</Code> policy can be used to assign
+        these permissions. If you intend to automate governance for DSR or
+        Consent, Fides requires an IAM user with read-and-write DynamoDB
+        permissions. The AWS-managed
+        <Code>AmazonDynamoDBFullAccess</Code> policy can be used to assign these
+        permissions. An IAM administrator can create the necessary principal for
+        Fides using the AWS IAM guides, and assign the appropriate permissions
+        policy to the IAM user.
+      </InfoText>
+      <InfoText>
+        The permissions allow Fides to read the schema of, and data stored in,
+        DynamoDB tables. This data is inspected only for the purpose of
+        detecting sensitive data risks and no data is stored by Fides. As part
+        of DSR or Consent orchestration, Fides will only write restricted
+        updates to the tables specified by your Fides policy configuration.
+      </InfoText>
+      <InfoHeading text="Policy List" />
+      <InfoText>
+        The following AWS-managed policies provide the necessary permissions for
+        Fides:
+      </InfoText>
+      <InfoUnorderedList>
+        <ListItem>AmazonDynamoDBReadOnlyAccess</ListItem>
+        <ListItem>
+          AmazonDynamoDBFullAccess (only needed if automating governance for DSR
+          or Consent)
+        </ListItem>
       </InfoUnorderedList>
     </ShowMoreContent>
   </>
 );
 
+const IAM_GUIDE_URL =
+  "https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started.html#getting-started-iam-user";
+
+const DYNAMO_PERMISSIONS = [
+  {
+    permission: "AmazonDynamoDBReadOnlyAccess",
+    description:
+      "Provides read-only access to Amazon DynamoDB via the AWS Management Console.",
+  },
+  {
+    permission: "AmazonDynamoDBFullAccess",
+    description:
+      "Provides full access to Amazon DynamoDB via the AWS Management Console. Only needed if automating governance for DSR or Consent.",
+  },
+];
+
 export const DynamoInstructions = () => (
   <>
     <InfoHeading text="Configuring a Fides -> DynamoDB Integration" />
+    <InfoHeading text="Step 1: Create an IAM user in AWS" />
     <InfoText>
-      Here&apos;s some example copy explaining how to set up DynamoDB. Lorem
-      ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
-      incididunt ut labore et dolore magna aliqua. Faucibus a pellentesque sit
-      amet porttitor. Risus nullam eget felis eget. Neque aliquam vestibulum
-      morbi blandit. In ante metus dictum at tempor commodo ullamcorper a lacus.
-      Placerat in egestas erat imperdiet. Elit duis tristique sollicitudin nibh
-      sit.
+      Create an IAM user for Fides&apos; DynamoDB access following the{" "}
+      <InfoLink href={IAM_GUIDE_URL}>AWS IAM user guide</InfoLink>.
     </InfoText>
     <ShowMoreContent>
-      <InfoHeading text="Some Other List" />
-      <InfoUnorderedList>
-        <ListItem>Item 5</ListItem>
-        <ListItem>Item 6</ListItem>
-        <ListItem>Item 7</ListItem>
-        <ListItem>Item 8</ListItem>
-      </InfoUnorderedList>
+      <InfoHeading text="Step 2: Assign policies to the IAM user" />
+      <InfoText>
+        Grant the necessary permissions to the IAM user by attaching directly
+        the appropriate AWS-managed policy for your use case:
+      </InfoText>
+      <InfoPermissionsTable data={DYNAMO_PERMISSIONS} />
+      <InfoHeading text="Step 3: Create an access key for the IAM user" />
+      <InfoOrderedList>
+        <ListItem>
+          Create an access key for the IAM user under{" "}
+          <strong>Security credentials</strong>
+        </ListItem>
+        <ListItem>Select the Other use case</ListItem>
+        <ListItem>Copy the Access Key ID and Secret Access Key</ListItem>
+      </InfoOrderedList>
+      <InfoHeading text="Use the Credentials to Authenticate Your Integration" />
+      <InfoText>
+        Provide the credentials to your Fides instance to securely connect
+        Fides.
+      </InfoText>
     </ShowMoreContent>
   </>
 );
diff --git a/clients/admin-ui/src/features/integrations/integration-type-info/s3Info.tsx b/clients/admin-ui/src/features/integrations/integration-type-info/s3Info.tsx
index a03e5d9022..f064d5fc76 100644
--- a/clients/admin-ui/src/features/integrations/integration-type-info/s3Info.tsx
+++ b/clients/admin-ui/src/features/integrations/integration-type-info/s3Info.tsx
@@ -1,7 +1,11 @@
 import { ListItem } from "fidesui";
 
 import {
+  InfoCodeBlock,
   InfoHeading,
+  InfoLink,
+  InfoOrderedList,
+  InfoPermissionsTable,
   InfoText,
   InfoUnorderedList,
 } from "~/features/common/copy/components";
@@ -17,50 +21,127 @@ export const S3_PLACEHOLDER = {
   created_at: "",
 };
 
-export const S3_TAGS = ["Data Warehouse", "S3", "Tag 3", "Tag 4"];
+export const S3_TAGS = ["Data Warehouse", "S3", "Detection", "Discovery"];
 
 export const S3Overview = () => (
   <>
     <InfoHeading text="Overview" />
     <InfoText>
-      Here&apos;s some example copy talking about Amazon S3. Lorem ipsum dolor
-      sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut
-      labore et dolore magna aliqua. Faucibus a pellentesque sit amet porttitor.
-      Risus nullam eget felis eget. Neque aliquam vestibulum morbi blandit. In
-      ante metus dictum at tempor commodo ullamcorper a lacus. Placerat in
-      egestas erat imperdiet. Elit duis tristique sollicitudin nibh sit.
+      Continuously monitor S3 to detect and track schema-level changes,
+      automatically discover and label data categories as well as automatically
+      process DSR (privacy requests) and consent enforcement to proactively
+      manage data governance risks.
     </InfoText>
     <ShowMoreContent>
+      <InfoHeading text="Categories" />
       <InfoUnorderedList>
-        <ListItem>Item 1</ListItem>
-        <ListItem>Item 2</ListItem>
-        <ListItem>Item 3</ListItem>
-        <ListItem>Item 4</ListItem>
+        <ListItem>Object storage</ListItem>
+        <ListItem>Storage system</ListItem>
+        <ListItem>Cloud provider</ListItem>
+        <ListItem>Data detection</ListItem>
+        <ListItem>Data discovery</ListItem>
+      </InfoUnorderedList>
+      <InfoHeading text="Permissions" />
+      <InfoText>
+        Fides requires an IAM principal with read-only S3 permissions in order
+        to detect, discover, and classify sensitive data. The AWS-managed
+        AmazonS3ReadOnlyAccess policy can be used to assign these permissions.
+        An IAM administrator can create the necessary principal for Fides using
+        the AWS IAM guides, and assign the appropriate permissions policy to the
+        IAM principal.
+      </InfoText>
+      <InfoText>
+        The permissions allow Fides to list buckets and read object data data
+        stored in those buckets. This data is inspected only for the purpose of
+        detecting sensitive data risks and no data is stored by Fides.
+      </InfoText>
+      <InfoText>
+        Ethyca recommends creating an IAM role with the appropriate permissions,
+        which will be assumed by Fides at runtime, with ephemeral credentials.
+        There must also be an IAM user with fixed credentials that Fides uses
+        strictly for assuming the IAM role with the appropriate permissions. If
+        desired, Fides also supports authenticating directly as an IAM user with
+        the appropriate permissions, but this is considered a less secure
+        option.
+      </InfoText>
+      <InfoHeading text="Permissions list" />
+      <InfoUnorderedList>
+        <ListItem>AmazonS3ReadOnlyAccess</ListItem>
       </InfoUnorderedList>
     </ShowMoreContent>
   </>
 );
 
+const IAM_GUIDE_URL =
+  "https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started.html#getting-started-iam-user";
+
+const SAMPLE_JSON = `{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "VisualEditor0",
+			"Effect": "Allow",
+			"Action": "sts:AssumeRole",
+			"Resource": "arn:aws:iam::[AWS ACCOUNT NUMBER]:role/[Fides S3 Access Role ARN]"
+		}
+	]
+}`;
+
 export const S3Instructions = () => (
   <>
     <InfoHeading text="Configuring a Fides -> Amazon S3 Integration" />
+    <InfoHeading text="Step 1: Create an IAM role in AWS" />
     <InfoText>
-      Here&apos;s some example copy explaining how to set up Amazon S3. Lorem
-      ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
-      incididunt ut labore et dolore magna aliqua. Faucibus a pellentesque sit
-      amet porttitor. Risus nullam eget felis eget. Neque aliquam vestibulum
-      morbi blandit. In ante metus dictum at tempor commodo ullamcorper a lacus.
-      Placerat in egestas erat imperdiet. Elit duis tristique sollicitudin nibh
-      sit.
+      Create an IAM role for Fides&apos; S3 access following the AWS IAM roles
+      guide. This role will be referred to below as the Fides S3 Access Role.
     </InfoText>
+
     <ShowMoreContent>
-      <InfoHeading text="Some Other List" />
-      <InfoUnorderedList>
-        <ListItem>Item 5</ListItem>
-        <ListItem>Item 6</ListItem>
-        <ListItem>Item 7</ListItem>
-        <ListItem>Item 8</ListItem>
-      </InfoUnorderedList>
+      <InfoHeading text="Step 2: Assign policies to the IAM role" />
+      <InfoText>
+        Grant the necessary permissions to the IAM role by attaching the
+        following AWS-managed policy:
+      </InfoText>
+      <InfoPermissionsTable
+        data={[
+          {
+            permission: "AmazonS3ReadOnlyAccess",
+            description:
+              "Provides read-only access to all buckets via the AWS Management Console.",
+          },
+        ]}
+      />
+      <InfoHeading text="Step 3: Create an IAM user for assuming a role" />
+      <InfoText>
+        Follow the <InfoLink href={IAM_GUIDE_URL}>AWS guide</InfoLink> for
+        creating an IAM user to create an IAM user that Fides will authenticate
+        as in order to assume the Fides S3 Access Role created above, and
+        retrieve ephemeral credentials.
+      </InfoText>
+      <InfoHeading text="Step 4: Grant the IAM user permission to assume the Fides S3 Access Role" />
+      <InfoText>
+        Navigate to the IAM user’s Permissions page and add a permission by
+        creating an inline policy. This permission should grant the IAM user
+        permission to assume the Fides S3 Access Role created above (you’ll need
+        to retrieve the role ARN). The inline policy should look similar to
+        this:
+      </InfoText>
+      <InfoCodeBlock>{SAMPLE_JSON}</InfoCodeBlock>
+      <InfoHeading text="Step 5: Create an access key for the IAM user" />
+      <InfoOrderedList>
+        <ListItem>
+          Create an access key for the IAM user under{" "}
+          <strong>Security credentials</strong>.
+        </ListItem>
+        <ListItem>Select the Other use case</ListItem>
+        <ListItem>Copy the Access Key ID and Secret Access Key</ListItem>
+      </InfoOrderedList>
+      <InfoHeading text="Step 6: Use the credentials to authenticate your integration" />
+      <InfoText>
+        Provide the credentials to your Fides instance to securely connect
+        Fides. For the Assume Role ARN, provide the ARN for the Fides S3 Access
+        Role created in step 1.{" "}
+      </InfoText>
     </ShowMoreContent>
   </>
 );
diff --git a/clients/admin-ui/src/features/integrations/integration-type-info/scyllaInfo.tsx b/clients/admin-ui/src/features/integrations/integration-type-info/scyllaInfo.tsx
index 6265591fd7..3b0ec7dcb1 100644
--- a/clients/admin-ui/src/features/integrations/integration-type-info/scyllaInfo.tsx
+++ b/clients/admin-ui/src/features/integrations/integration-type-info/scyllaInfo.tsx
@@ -19,10 +19,8 @@ export const SCYLLA_PLACEHOLDER = {
 
 export const SCYLLA_TAGS = [
   "Database",
-  "NoSQL database",
-  "Storage system",
-  "Data detection",
-  "Data discovery",
+  "Detection",
+  "Discovery",
   "DSR automation",
 ];
 
@@ -36,6 +34,15 @@ export const ScyllaOverview = () => (
       label data categories to proactively manage data governance risks.
     </InfoText>
     <ShowMoreContent>
+      <InfoHeading text="Categories" />
+      <InfoUnorderedList>
+        <ListItem>Database</ListItem>
+        <ListItem>NoSQL database</ListItem>
+        <ListItem>Storage system</ListItem>
+        <ListItem>Data detection</ListItem>
+        <ListItem>Data discovery</ListItem>
+        <ListItem>DSR automation</ListItem>
+      </InfoUnorderedList>
       <InfoHeading text="Permissions" />
       <InfoText>
         For detection and discovery, Fides requires a user with the SELECT

From fc43941c32d6b5b16cc62fbaf6a13a08bc6bde3a Mon Sep 17 00:00:00 2001
From: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
Date: Fri, 28 Jun 2024 11:54:53 -0700
Subject: [PATCH 06/13] update changelog for 2.39.1 release (#5038)

---
 CHANGELOG.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e052e4a66f..c8b01c2101 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,7 +15,14 @@ The types of changes are:
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
-## [Unreleased](https://github.com/ethyca/fides/compare/2.39.0...main)
+## [2.39.1](https://github.com/ethyca/fides/compare/2.39.0...2.39.1)
+
+### Fixed
+- Fixed a bug where system information form was not loading for Viewer users [#5034](https://github.com/ethyca/fides/pull/5034)
+- Fixed viewers being given the option to delete systems [#5035](https://github.com/ethyca/fides/pull/5035)
+
+### Removed
+- Removed the `fetch` polyfill from FidesJS [#5026](https://github.com/ethyca/fides/pull/5026)
 
 ## [2.39.0](https://github.com/ethyca/fides/compare/2.38.1...2.39.0)
 

From 82606703f358ebcb3cae824853f2923be84bb9d9 Mon Sep 17 00:00:00 2001
From: jpople <jeremy@ethyca.com>
Date: Thu, 27 Jun 2024 17:17:47 -0400
Subject: [PATCH 07/13] Fix system information form getting stuck on loading
 spinner  (#5034)

---
 clients/admin-ui/cypress/e2e/systems-plus.cy.ts       |  9 +++++++++
 clients/admin-ui/src/pages/systems/configure/[id].tsx | 11 +++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/clients/admin-ui/cypress/e2e/systems-plus.cy.ts b/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
index 4090c1eeb9..2dcc2b770a 100644
--- a/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
+++ b/clients/admin-ui/cypress/e2e/systems-plus.cy.ts
@@ -14,6 +14,7 @@ import {
   INDEX_ROUTE,
   SYSTEM_ROUTE,
 } from "~/features/common/nav/v2/routes";
+import { RoleRegistryEnum } from "~/types/api";
 
 describe("System management with Plus features", () => {
   beforeEach(() => {
@@ -29,6 +30,14 @@ describe("System management with Plus features", () => {
     );
   });
 
+  describe("permissions", () => {
+    it("can view a system page as a viewer", () => {
+      cy.assumeRole(RoleRegistryEnum.VIEWER);
+      cy.visit(`${SYSTEM_ROUTE}/configure/demo_analytics_system`);
+      cy.getByTestId("input-name").should("exist");
+    });
+  });
+
   describe("vendor list", () => {
     beforeEach(() => {
       stubVendorList();
diff --git a/clients/admin-ui/src/pages/systems/configure/[id].tsx b/clients/admin-ui/src/pages/systems/configure/[id].tsx
index 78d650994f..77403e6b42 100644
--- a/clients/admin-ui/src/pages/systems/configure/[id].tsx
+++ b/clients/admin-ui/src/pages/systems/configure/[id].tsx
@@ -1,4 +1,4 @@
-import { Box, Button, Spinner, Text, useToast, VStack } from "fidesui";
+import { Box, Button, Text, useToast, VStack } from "fidesui";
 import type { NextPage } from "next";
 import { useRouter } from "next/router";
 import { useEffect, useState } from "react";
@@ -7,6 +7,7 @@ import { useAppDispatch, useAppSelector } from "~/app/hooks";
 import DataTabsContent from "~/features/common/DataTabsContent";
 import DataTabsHeader from "~/features/common/DataTabsHeader";
 import { useFeatures, useFlags } from "~/features/common/features";
+import FidesSpinner from "~/features/common/FidesSpinner";
 import { extractVendorSource, VendorSources } from "~/features/common/helpers";
 import { GearLightIcon } from "~/features/common/Icon";
 import Layout from "~/features/common/Layout";
@@ -47,7 +48,9 @@ const ConfigureSystem: NextPage = () => {
     skip: !systemId,
   });
 
-  const { isLoading: isDictionaryLoading } = useGetAllDictionaryEntriesQuery();
+  const { error: dictionaryError, isLoading: isDictionaryLoading } =
+    useGetAllDictionaryEntriesQuery();
+
   const { tcf: isTCFEnabled } = useFeatures();
   const { flags } = useFlags();
   const discoveryDetectionEnabled = flags.dataDiscoveryAndDetection;
@@ -96,10 +99,10 @@ const ConfigureSystem: NextPage = () => {
     initialTabIndex,
   });
 
-  if (isLoading || isDictionaryLoading) {
+  if ((isLoading || isDictionaryLoading) && !dictionaryError) {
     return (
       <Layout title="Systems">
-        <Spinner />
+        <FidesSpinner />
       </Layout>
     );
   }

From 9cac14b9fc00857154d182edf33bcc0c93dcc7a6 Mon Sep 17 00:00:00 2001
From: jpople <jeremy@ethyca.com>
Date: Fri, 28 Jun 2024 10:56:21 -0400
Subject: [PATCH 08/13] Fix viewers being able to delete systems (#5035)

---
 clients/admin-ui/cypress/e2e/systems.cy.ts          | 10 ++++++++++
 clients/admin-ui/src/features/system/SystemCard.tsx | 11 +++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/clients/admin-ui/cypress/e2e/systems.cy.ts b/clients/admin-ui/cypress/e2e/systems.cy.ts
index 5c918fba2b..29020604ff 100644
--- a/clients/admin-ui/cypress/e2e/systems.cy.ts
+++ b/clients/admin-ui/cypress/e2e/systems.cy.ts
@@ -11,6 +11,7 @@ import {
   INTEGRATION_MANAGEMENT_ROUTE,
   SYSTEM_ROUTE,
 } from "~/features/common/nav/v2/routes";
+import { RoleRegistryEnum } from "~/types/api";
 
 describe("System management page", () => {
   beforeEach(() => {
@@ -235,6 +236,15 @@ describe("System management page", () => {
       cy.getByTestId("toast-success-msg");
     });
 
+    it("Can't delete a system as a viewer", () => {
+      cy.assumeRole(RoleRegistryEnum.VIEWER);
+      cy.visit(SYSTEM_ROUTE);
+      cy.getByTestId("system-fidesctl_system").within(() => {
+        cy.getByTestId("more-btn").click();
+        cy.getByTestId("delete-btn").should("not.exist");
+      });
+    });
+
     it("Can render an error on delete", () => {
       cy.intercept("DELETE", "/api/v1/system/*", {
         statusCode: 404,
diff --git a/clients/admin-ui/src/features/system/SystemCard.tsx b/clients/admin-ui/src/features/system/SystemCard.tsx
index 71b9d362f7..7cd3d576f1 100644
--- a/clients/admin-ui/src/features/system/SystemCard.tsx
+++ b/clients/admin-ui/src/features/system/SystemCard.tsx
@@ -17,7 +17,8 @@ import { useRouter } from "next/router";
 import { useAppDispatch } from "~/app/hooks";
 import ConfirmationModal from "~/features/common/modals/ConfirmationModal";
 import { SYSTEM_ROUTE } from "~/features/common/nav/v2/routes";
-import { System } from "~/types/api";
+import Restrict from "~/features/common/Restrict";
+import { ScopeRegistryEnum, System } from "~/types/api";
 
 import { getErrorMessage, isErrorResult } from "../common/helpers";
 import { errorToastParams, successToastParams } from "../common/toast";
@@ -87,9 +88,11 @@ const SystemCard = ({ system }: SystemCardProps) => {
           <MenuItem onClick={handleEdit} data-testid="edit-btn">
             Edit
           </MenuItem>
-          <MenuItem onClick={onDeleteOpen} data-testid="delete-btn">
-            Delete
-          </MenuItem>
+          <Restrict scopes={[ScopeRegistryEnum.SYSTEM_DELETE]}>
+            <MenuItem onClick={onDeleteOpen} data-testid="delete-btn">
+              Delete
+            </MenuItem>
+          </Restrict>
         </MenuList>
       </Menu>
       <ConfirmationModal

From ceb1c60501eb12d1a1ca0a3c046834cd99420804 Mon Sep 17 00:00:00 2001
From: Jason Gill <jason.gill@ethyca.com>
Date: Wed, 26 Jun 2024 18:00:58 -0600
Subject: [PATCH 09/13] Remove fetch polyfill from FidesJS (#5026)

---
 CHANGELOG.md                                 | 3 +++
 clients/privacy-center/pages/api/fides-js.ts | 7 -------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8b01c2101..3bd93fd60f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,9 @@ The types of changes are:
 
 ## [2.39.1](https://github.com/ethyca/fides/compare/2.39.0...2.39.1)
 
+### Removed
+- Removed the `fetch` polyfill from FidesJS (#5026)[https://github.com/ethyca/fides/pull/5026]
+
 ### Fixed
 - Fixed a bug where system information form was not loading for Viewer users [#5034](https://github.com/ethyca/fides/pull/5034)
 - Fixed viewers being given the option to delete systems [#5035](https://github.com/ethyca/fides/pull/5035)
diff --git a/clients/privacy-center/pages/api/fides-js.ts b/clients/privacy-center/pages/api/fides-js.ts
index b380078859..0513d4a3f1 100644
--- a/clients/privacy-center/pages/api/fides-js.ts
+++ b/clients/privacy-center/pages/api/fides-js.ts
@@ -271,13 +271,6 @@ export default async function handler(
 
   const script = `
   (function () {
-    // This polyfill service adds a fetch polyfill only when needed, depending on browser making the request
-    if (!window.fetch) {
-      var script = document.createElement('script');
-      script.src = 'https://polyfill.io/v3/polyfill.min.js?features=fetch';
-      document.head.appendChild(script);
-    }
-
     // Include generic fides.js script and GPP extension (if enabled)
     ${fidesJS}${fidesGPP}${
     customFidesCss

From c62b1f10cb72bcd2e6517ce4dd0bf3f15310d9de Mon Sep 17 00:00:00 2001
From: Dave Quinlan <83430497+daveqnet@users.noreply.github.com>
Date: Mon, 1 Jul 2024 18:03:21 +0100
Subject: [PATCH 10/13] Update 2.39.1 changelog to include CVE-2024-38537
 (#5041)

Co-authored-by: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bd93fd60f..4f4c46fb78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,9 @@ The types of changes are:
 ### Removed
 - Removed the `fetch` polyfill from FidesJS [#5026](https://github.com/ethyca/fides/pull/5026)
 
+### Security
+- Removed FidesJS's exposure to `polyfill.io` supply chain attack [CVE-2024-38537](https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m)
+
 ## [2.39.0](https://github.com/ethyca/fides/compare/2.38.1...2.39.0)
 
 ### Added

From a79ceff2dab082c383eff78bea201a0fe234df79 Mon Sep 17 00:00:00 2001
From: Catherine Smith <eastandwestwind@gmail.com>
Date: Mon, 1 Jul 2024 15:46:05 +0200
Subject: [PATCH 11/13] PROD-2254: User must have delete scope to delete
 systems (#5037)

Co-authored-by: Dawn Pattison <pattisdr@users.noreply.github.com>
---
 CHANGELOG.md                                    |  1 +
 src/fides/api/api/v1/endpoints/system.py        | 17 +++++++++++------
 tests/ctl/core/test_api.py                      |  4 +---
 .../ops/service/connectors/test_queryconfig.py  |  1 +
 4 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f4c46fb78..c32dca9ac3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The types of changes are:
 ### Fixed
 - Fixed a bug where system information form was not loading for Viewer users [#5034](https://github.com/ethyca/fides/pull/5034)
 - Fixed viewers being given the option to delete systems [#5035](https://github.com/ethyca/fides/pull/5035)
+- Restrict Delete Systems API endpoint such that user must have "SYSTEM_DELETE" scope [#5037](https://github.com/ethyca/fides/pull/5037)
 
 ### Removed
 - Removed the `fetch` polyfill from FidesJS [#5026](https://github.com/ethyca/fides/pull/5026)
diff --git a/src/fides/api/api/v1/endpoints/system.py b/src/fides/api/api/v1/endpoints/system.py
index 59fa3be6a7..59c63008d1 100644
--- a/src/fides/api/api/v1/endpoints/system.py
+++ b/src/fides/api/api/v1/endpoints/system.py
@@ -33,10 +33,12 @@
 from fides.api.models.sql_models import System  # type:ignore[attr-defined]
 from fides.api.oauth.system_manager_oauth_util import (
     verify_oauth_client_for_system_from_fides_key,
-    verify_oauth_client_for_system_from_fides_key_cli,
     verify_oauth_client_for_system_from_request_body_cli,
 )
-from fides.api.oauth.utils import get_current_user, verify_oauth_client_prod
+from fides.api.oauth.utils import (
+    get_current_user,
+    verify_oauth_client_prod,
+)
 from fides.api.schemas.connection_configuration import connection_secrets_schemas
 from fides.api.schemas.connection_configuration.connection_config import (
     BulkPutConnectionConfiguration,
@@ -294,6 +296,12 @@ async def upsert(
 
 @SYSTEM_ROUTER.delete(
     "/{fides_key}",
+    dependencies=[
+        Security(
+            verify_oauth_client_prod,
+            scopes=[SYSTEM_DELETE],
+        )
+    ],
     responses={
         status.HTTP_403_FORBIDDEN: {
             "content": {
@@ -311,10 +319,7 @@ async def upsert(
     },
 )
 async def delete(
-    fides_key: str = Security(
-        verify_oauth_client_for_system_from_fides_key_cli,
-        scopes=[SYSTEM_DELETE],
-    ),  # Security dependency defined here instead of the path operation decorator so we have access to the fides_key
+    fides_key: str,
     # to retrieve the System and also return a value
     db: AsyncSession = Depends(get_async_db),
 ) -> Dict:
diff --git a/tests/ctl/core/test_api.py b/tests/ctl/core/test_api.py
index 1bc9b83101..bf90581940 100644
--- a/tests/ctl/core/test_api.py
+++ b/tests/ctl/core/test_api.py
@@ -2542,9 +2542,7 @@ def test_system_delete_as_system_manager(
             resource_id=system.fides_key,
             headers=auth_header,
         )
-        assert result.status_code == HTTP_200_OK
-        assert result.json()["message"] == "resource deleted"
-        assert result.json()["resource"]["fides_key"] == system.fides_key
+        assert result.status_code == HTTP_403_FORBIDDEN
 
     def test_delete_system_deletes_connection_config_and_dataset(
         self,
diff --git a/tests/ops/service/connectors/test_queryconfig.py b/tests/ops/service/connectors/test_queryconfig.py
index 8ff2fd99ae..4e9c132fd0 100644
--- a/tests/ops/service/connectors/test_queryconfig.py
+++ b/tests/ops/service/connectors/test_queryconfig.py
@@ -475,6 +475,7 @@ def test_generate_query(
                 "birthday": 1,
                 "comments": 1,
                 "customer_id": 1,
+                "customer_uuid": 1,
                 "emergency_contacts": 1,
                 "children": 1,
                 "gender": 1,

From 0555080541f18a5aacff452c590ac9a1b56d7097 Mon Sep 17 00:00:00 2001
From: Lucano Vera <lucanovera@live.com.ar>
Date: Tue, 2 Jul 2024 21:17:54 -0300
Subject: [PATCH 12/13] Merge pull request from GHSA-53q7-4874-24qg

* Prevent exposing of SERVER_SIDE_FIDES_API_URL env variable to the client response

* Update changelog

* Remove exposure of serverSideFidesApiUrl as part of FidesConfig

* Update CHANGELOG.md

Co-authored-by: Dave Quinlan <83430497+daveqnet@users.noreply.github.com>

---------

Co-authored-by: Lucano Vera <lucanovera@ethyca.com>
Co-authored-by: Dave Quinlan <83430497+daveqnet@users.noreply.github.com>
---
 CHANGELOG.md                                  |  4 +++
 .../privacy-experience/preview/helpers.ts     |  1 -
 clients/fides-js/src/fides-tcf.ts             |  1 -
 clients/fides-js/src/fides.ts                 |  1 -
 clients/fides-js/src/lib/consent-types.ts     |  3 ---
 .../privacy-center/app/server-environment.ts  | 25 ++++++++++++++++---
 .../app/server-utils/getPropertyFromUrl.ts    |  1 +
 clients/privacy-center/pages/api/fides-js.ts  | 16 +++++++-----
 8 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c32dca9ac3..3c8245ea45 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,10 @@ The types of changes are:
 ### Security
 - Removed FidesJS's exposure to `polyfill.io` supply chain attack [CVE-2024-38537](https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m)
 
+### Security
+- Remove the SERVER_SIDE_FIDES_API_URL env variable from the client clientSettings [CVE-2024-31223](https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg)
+
+
 ## [2.39.0](https://github.com/ethyca/fides/compare/2.38.1...2.39.0)
 
 ### Added
diff --git a/clients/admin-ui/src/features/privacy-experience/preview/helpers.ts b/clients/admin-ui/src/features/privacy-experience/preview/helpers.ts
index 95e74bd523..3caa3997d1 100644
--- a/clients/admin-ui/src/features/privacy-experience/preview/helpers.ts
+++ b/clients/admin-ui/src/features/privacy-experience/preview/helpers.ts
@@ -47,7 +47,6 @@ export const buildBaseConfig = (
     fidesApiUrl: "http://localhost:8080/api/v1",
     preventDismissal: experienceConfig.dismissable ?? false,
     allowHTMLDescription: true,
-    serverSideFidesApiUrl: "",
     fidesString: null,
     fidesJsBaseUrl: "",
     base64Cookie: false,
diff --git a/clients/fides-js/src/fides-tcf.ts b/clients/fides-js/src/fides-tcf.ts
index eb40d5cff6..c96700994a 100644
--- a/clients/fides-js/src/fides-tcf.ts
+++ b/clients/fides-js/src/fides-tcf.ts
@@ -245,7 +245,6 @@ const _Fides: FidesGlobal = {
     modalLinkId: null,
     privacyCenterUrl: "",
     fidesApiUrl: "",
-    serverSideFidesApiUrl: "",
     tcfEnabled: true,
     gppEnabled: false,
     fidesEmbed: false,
diff --git a/clients/fides-js/src/fides.ts b/clients/fides-js/src/fides.ts
index c8e13aa216..cf4834dd94 100644
--- a/clients/fides-js/src/fides.ts
+++ b/clients/fides-js/src/fides.ts
@@ -183,7 +183,6 @@ const _Fides: FidesGlobal = {
     modalLinkId: null,
     privacyCenterUrl: "",
     fidesApiUrl: "",
-    serverSideFidesApiUrl: "",
     tcfEnabled: false,
     gppEnabled: false,
     fidesEmbed: false,
diff --git a/clients/fides-js/src/lib/consent-types.ts b/clients/fides-js/src/lib/consent-types.ts
index 98e7d0b6a6..8f80abb2a9 100644
--- a/clients/fides-js/src/lib/consent-types.ts
+++ b/clients/fides-js/src/lib/consent-types.ts
@@ -72,9 +72,6 @@ export interface FidesInitOptions {
   // URL for the Fides API, used to fetch and save consent preferences. Required.
   fidesApiUrl: string;
 
-  // URL for Server-side Fides API, used to fetch geolocation and consent preference. Optional.
-  serverSideFidesApiUrl: string;
-
   // Whether we should show the TCF modal
   tcfEnabled: boolean;
 
diff --git a/clients/privacy-center/app/server-environment.ts b/clients/privacy-center/app/server-environment.ts
index e6d2e99d56..490582e2ec 100644
--- a/clients/privacy-center/app/server-environment.ts
+++ b/clients/privacy-center/app/server-environment.ts
@@ -26,9 +26,15 @@ import {
 } from "~/types/config";
 
 /**
- * SERVER-SIDE functions
+ * Subset of PrivacyCenterSettings that are for use only on server-side and
+ * should never be exposed to the client.
  */
 
+export type PrivacyCenterServerSettings = Pick<
+  PrivacyCenterSettings,
+  "SERVER_SIDE_FIDES_API_URL"
+>;
+
 /**
  * Subset of PrivacyCenterSettings that are forwarded to the client.
  *
@@ -37,7 +43,6 @@ import {
 export type PrivacyCenterClientSettings = Pick<
   PrivacyCenterSettings,
   | "FIDES_API_URL"
-  | "SERVER_SIDE_FIDES_API_URL"
   | "DEBUG"
   | "GEOLOCATION_API_URL"
   | "IS_GEOLOCATION_ENABLED"
@@ -261,6 +266,20 @@ export const loadStylesFromFile = async (
   return file;
 };
 
+/**
+ * Load server settings from global environment variables
+ * The returned Server settings should never be exposed to the client
+ */
+export const loadServerSettings = (): PrivacyCenterServerSettings => {
+  const settings = loadEnvironmentVariables();
+  const serverSideSettings: PrivacyCenterServerSettings = {
+    SERVER_SIDE_FIDES_API_URL:
+      settings.SERVER_SIDE_FIDES_API_URL || settings.FIDES_API_URL,
+  };
+
+  return serverSideSettings;
+};
+
 /**
  * Loads all the ENV variable settings, configuration files, etc. to initialize the environment
  */
@@ -305,8 +324,6 @@ export const loadPrivacyCenterEnvironment = async ({
   // Load client settings (ensuring we only pass-along settings that are safe for the client)
   const clientSettings: PrivacyCenterClientSettings = {
     FIDES_API_URL: settings.FIDES_API_URL,
-    SERVER_SIDE_FIDES_API_URL:
-      settings.SERVER_SIDE_FIDES_API_URL || settings.FIDES_API_URL,
     DEBUG: settings.DEBUG,
     IS_OVERLAY_ENABLED: settings.IS_OVERLAY_ENABLED,
     IS_PREFETCH_ENABLED: settings.IS_PREFETCH_ENABLED,
diff --git a/clients/privacy-center/app/server-utils/getPropertyFromUrl.ts b/clients/privacy-center/app/server-utils/getPropertyFromUrl.ts
index 664b1b8aea..44b780ad55 100644
--- a/clients/privacy-center/app/server-utils/getPropertyFromUrl.ts
+++ b/clients/privacy-center/app/server-utils/getPropertyFromUrl.ts
@@ -26,6 +26,7 @@ const getPropertyFromUrl = async ({
       result = await response.json();
     }
   } catch (e) {
+    // eslint-disable-next-line no-console
     console.log("Request to find property failed", e);
   }
 
diff --git a/clients/privacy-center/pages/api/fides-js.ts b/clients/privacy-center/pages/api/fides-js.ts
index 0513d4a3f1..f5985330bd 100644
--- a/clients/privacy-center/pages/api/fides-js.ts
+++ b/clients/privacy-center/pages/api/fides-js.ts
@@ -10,7 +10,10 @@ import {
   ComponentType,
   debugLog,
 } from "fides-js";
-import { loadPrivacyCenterEnvironment } from "~/app/server-environment";
+import {
+  loadPrivacyCenterEnvironment,
+  loadServerSettings,
+} from "~/app/server-environment";
 import { LOCATION_HEADERS, lookupGeolocation } from "~/common/geolocation";
 import { safeLookupPropertyId } from "~/common/property-id";
 
@@ -103,6 +106,8 @@ export default async function handler(
 ) {
   // Load the configured consent options (data uses, defaults, etc.) from environment
   const environment = await loadPrivacyCenterEnvironment();
+  const serverSettings = await loadServerSettings();
+
   let options: ConsentOption[] = [];
   if (environment.config?.consent?.page.consentOptions) {
     const configuredOptions = environment.config.consent.page.consentOptions;
@@ -158,7 +163,7 @@ export default async function handler(
       );
       experience = await fetchExperience(
         fidesRegionString,
-        environment.settings.SERVER_SIDE_FIDES_API_URL ||
+        serverSettings.SERVER_SIDE_FIDES_API_URL ||
           environment.settings.FIDES_API_URL,
         environment.settings.DEBUG,
         null,
@@ -208,9 +213,6 @@ export default async function handler(
       fidesApiUrl: environment.settings.FIDES_API_URL,
       tcfEnabled,
       gppEnabled,
-      serverSideFidesApiUrl:
-        environment.settings.SERVER_SIDE_FIDES_API_URL ||
-        environment.settings.FIDES_API_URL,
       fidesEmbed: environment.settings.FIDES_EMBED,
       fidesDisableSaveApi: environment.settings.FIDES_DISABLE_SAVE_API,
       fidesDisableNoticesServedApi:
@@ -325,8 +327,10 @@ async function fetchCustomFidesCss(
   if (shouldRefresh) {
     try {
       const environment = await loadPrivacyCenterEnvironment();
+      const serverSettings = await loadServerSettings();
+
       const fidesUrl =
-        environment.settings.SERVER_SIDE_FIDES_API_URL ||
+        serverSettings.SERVER_SIDE_FIDES_API_URL ||
         environment.settings.FIDES_API_URL;
       const response = await fetch(
         `${fidesUrl}/plus/custom-asset/custom-fides.css`

From 1aae5ab515c03ab3dba9fdc541ffc9c858b87139 Mon Sep 17 00:00:00 2001
From: Kelsey Thomas <101993653+Kelsey-Ethyca@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:10:29 -0700
Subject: [PATCH 13/13] update changelog for release 2.39.2 (#5055)

---
 CHANGELOG.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c8245ea45..952c6a7b42 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,10 +15,15 @@ The types of changes are:
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
-## [2.39.1](https://github.com/ethyca/fides/compare/2.39.0...2.39.1)
+## [2.39.2](https://github.com/ethyca/fides/compare/2.39.1...2.39.2)
 
-### Removed
-- Removed the `fetch` polyfill from FidesJS (#5026)[https://github.com/ethyca/fides/pull/5026]
+### Fixed
+- Restrict Delete Systems API endpoint such that user must have "SYSTEM_DELETE" scope [#5037](https://github.com/ethyca/fides/pull/5037)
+
+### Security
+- Remove the SERVER_SIDE_FIDES_API_URL env variable from the client clientSettings [CVE-2024-31223](https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg)
+
+## [2.39.1](https://github.com/ethyca/fides/compare/2.39.0...2.39.1)
 
 ### Fixed
 - Fixed a bug where system information form was not loading for Viewer users [#5034](https://github.com/ethyca/fides/pull/5034)
@@ -31,10 +36,6 @@ The types of changes are:
 ### Security
 - Removed FidesJS's exposure to `polyfill.io` supply chain attack [CVE-2024-38537](https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m)
 
-### Security
-- Remove the SERVER_SIDE_FIDES_API_URL env variable from the client clientSettings [CVE-2024-31223](https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg)
-
-
 ## [2.39.0](https://github.com/ethyca/fides/compare/2.38.1...2.39.0)
 
 ### Added