ENG-3000: add Privacy requests tab to integrations (alternative to #8121)

[adamsachs]

Ticket ENG-3000

Note

This is a sibling PR to #8121, which proposes the same fix with a more scoped UI: an Enable toggle and a datasets picker as inline fields on the create/edit form. This PR keeps everything #8121 does for the bug fix, but moves the privacy-request controls to a dedicated tab and adds tag/marketing fixes that surfaced along the way. Pick one direction; the other can be closed.

Description Of Changes

Three pieces, layered:

1. Stop using deprecated /system/{key}/connection endpoints (same as #8121, included here so this PR is self-contained against main). ConfigureIntegrationForm was wired to two deprecated, system-scoped endpoints that conflate connection lifecycle with system linking and don't compose with multi-integration systems. Refactored handleSubmit to a uniform two-step flow:

1. Create / update the connection without any system context — new SaaS connections via POST /connection/instantiate/{type}, everything else via PATCH /connection.
2. Reconcile the system link via PUT /connection/{key}/system-links — only when the desired state differs from initialSystemFidesKey.

This fixes the original ENG-3000 bug (SaaS create + system selected fails) and the secondary bug where clearing the System field on edit didn't actually unlink.

2. Add a "Privacy requests" tab on the integration detail page. New IntegrationPrivacyRequests component, placed after Data discovery (discovery surfaces the data, privacy requests act on it). Two stacked sections:

• Status — a Switch toggle backed by ConnectionConfig.disabled. Always visible. Immediate-save on flip via PATCH /connection. No confirmation modal — toast on success/error.
• Datasets — only rendered for SystemType.DATABASE integrations. Lists currently linked datasets (router-link to dataset detail; fides_key shown as a monospaced Tag on the line below the name; ctl_dataset.description as the secondary line). "Link dataset" opens a search modal of unlinked datasets. Both flows write through usePutDatasetConfigsMutation (the PUT endpoint replaces the whole linked-set, so unlink/link are expressed as a PUT of the new desired key list). Bulk responses surface per-entry failed messages via toast — same pattern as patchConnectionConfig in the System → Integrations form.

The tab itself is gated client-side on connection_type, mirroring supportsSystemLinking — shown for everything except WEBSITE (consent only) and DATAHUB (sync only).

3. Add DSR Automation marketing tag to PostgreSQL, RDS MySQL, and Google Cloud SQL for MySQL. They all extend SQLConnector and support privacy requests, but their integration-picker tag arrays were missing the tag (peer connectors like BigQuery / MySQL / RDS Postgres / Google Cloud SQL Postgres already had it). Reordered Postgres tags to (DSR Automation, Discovery, Detection) to match the rest.

4. Documentation comments on ConnectionConfig.disabled (model + 2 schemas) clarifying that it gates DSR execution only — not discovery monitors, not connection tests. No behaviour change.

Known limitations

• enabled_actions is not exposed in this UI yet. The new top-level Integrations form's create payload doesn't include enabled_actions, so connections it creates land with NULL. The DSR runner treats NULL as "all actions enabled" for access/erasure but disables consent (it explicitly requires enabled_actions IS NOT NULL AND contains consent — see graph_task.py:1100-1115). For most integration types this is fine; SaaS consent integrations created through this form need their request types set via the System → Integrations form afterward. Surfacing the field on the Privacy requests tab is a deferred followup (needs a small base-schema addition so POST /connection/instantiate/{type} and PATCH /connection accept enabled_actions instead of silently dropping it).

Code Changes

• clients/admin-ui/src/features/integrations/add-integration/ConfigureIntegrationForm.tsx:
  • Replace the three-way connection-creation branch with a binary one (SaaS-create → unlinked instantiate; everything else → PATCH /connection).
  • Extract a single reconcileSystemLink() helper that fires only when values.system_fides_key !== initialSystemFidesKey, sends [] to unlink.
  • Drop usage of usePatchSystemConnectionConfigsMutation, useCreatePlusSaasConnectionConfigMutation, useCreateSassConnectionConfigMutation.
• clients/admin-ui/src/features/integrations/IntegrationPrivacyRequests.tsx (new): tab component.
• clients/admin-ui/src/features/integrations/hooks/useFeatureBasedTabs.tsx: import the component, accept a supportsPrivacyRequests prop, push the tab after Data discovery.
• clients/admin-ui/src/pages/integrations/[id]/index.tsx: compute supportsPrivacyRequests based on connection_type.
• clients/admin-ui/src/features/integrations/integration-type-info/postgreSQLInfo.tsx, rdsMySQLInfo.tsx, googleCloudSQLMySQLInfo.tsx: add DSR Automation tag.
• src/fides/api/models/connectionconfig.py + src/fides/api/schemas/connection_configuration/connection_config.py: doc comments on disabled.
• clients/admin-ui/cypress/e2e/integration-management.cy.ts: update the "add a new integration associated with a system" test to wait on PATCH /connection + PUT /connection/{key}/system-links instead of the deprecated PATCH /system/{key}/connection.

Steps to Confirm

1. The original ENG-3000 bug. On the new top-level Integrations management UI, create a SaaS integration with a System selected. Confirm the integration is created, the system link is set, the saas_config + dataset exist. Network: POST /api/v1/connection/instantiate/{type} then PUT /api/v1/connection/{key}/system-links. No call to /system/{key}/connection.
2. Edit, clear system. Edit an existing linked integration → clear the System field → save. GET /api/v1/connection/{key}/system-links returns [].
3. Edit, no system change. Edit name/description only — setSystemLinks is not called (no-op skip).
4. Privacy requests tab — toggle. On a database integration's detail page, switch to "Privacy requests". Flip the toggle. Toast appears; GET /api/v1/connection/{key} reflects new disabled value. A privacy request that would have hit this connection now skips it (graph_task.skip_if_disabled).
5. Privacy requests tab — datasets. On a database integration: empty state shows the placeholder text and "Link dataset" button. Clicking opens a search modal of unlinked datasets, each row showing [name] on its own line with a [fides_key] tag below and the description underneath. Linking persists via PUT /api/v1/connection/{key}/datasetconfig. Unlinking shows a confirmation modal.
6. Privacy requests tab — link error surfacing. Try to link a dataset that the backend rejects (e.g. a BigQuery dataset that's missing namespace metadata). Confirm the error toast shows the failure message and no "Dataset linked successfully" toast appears.
7. Privacy requests tab gating. Confirm the tab does NOT appear for a Website or DataHub integration. Confirm it DOES appear for SaaS / database / email / manual_task / jira_ticket.
8. Marketing tag. Open the integration picker, search for "Postgres" / "RDS MySQL" / "Cloud SQL - MySQL" — each card shows a "DSR Automation" tag.

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created — Privacy requests tab: surface enabled_actions / Request types
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
  • No documentation updates required

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ready	Preview, Comment	May 8, 2026 8:09pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
fides-privacy-center	Ignored		May 8, 2026 8:09pm

[github-actions]

Title	Lines	Statements	Branches	Functions
admin-ui		6.59% (3042/46126)	5.91% (1572/26575)	4.61% (630/13637)
fides-js		79.56% (2028/2549)	66.4% (1259/1896)	73.31% (349/476)
privacy-center		82.53% (364/441)	79.74% (189/237)	74.07% (60/81)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.23%. Comparing base (aaf933d) to head (fbed4e1).
⚠️ Report is 21 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8126      +/-   ##
==========================================
+ Coverage   85.19%   85.23%   +0.03%     
==========================================
  Files         638      638              
  Lines       42008    42011       +3     
  Branches     4937     4937              
==========================================
+ Hits        35788    35807      +19     
+ Misses       5111     5096      -15     
+ Partials     1109     1108       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.