ethyca-fides 2.66.1rc0__py2.py3-none-any.whl → 2.66.2b0__py2.py3-none-any.whl

fides/_version.py

@@ -8,11 +8,11 @@ import json
 
 version_json = '''
 {
- "date": "2025-07-25T13:47:47-0500",
+ "date": "2025-07-25T16:16:16-0700",
  "dirty": false,
  "error": null,
- "full-revisionid": "f2d35544d8ee2eef45d8215b5a811a955df34551",
- "version": "2.66.1rc0"
+ "full-revisionid": "3805a2cc72d6f998672d84b64fd0f2c78a64f81d",
+ "version": "2.66.2b0"
 }
 '''  # END VERSION_JSON
 

fides/api/alembic/migrations/versions/7e9a2b52f498_adding_masking_secrets.py

@@ -0,0 +1,60 @@
+"""adding masking secrets
+
+Revision ID: 7e9a2b52f498
+Revises: d0031087eacb
+Create Date: 2024-12-23 23:29:53.557951
+
+"""
+
+import sqlalchemy as sa
+import sqlalchemy_utils
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "7e9a2b52f498"
+down_revision = "d0031087eacb"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "masking_secret",
+        sa.Column("id", sa.String(length=255), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column("privacy_request_id", sa.String(), nullable=False),
+        sa.Column(
+            "secret",
+            sqlalchemy_utils.types.encrypted.encrypted_type.StringEncryptedType(),
+            nullable=False,
+        ),
+        sa.Column("masking_strategy", sa.String(), nullable=False),
+        sa.Column(
+            "secret_type",
+            sa.String(),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["privacy_request_id"], ["privacyrequest.id"], ondelete="CASCADE"
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(
+        op.f("ix_masking_secret_id"), "masking_secret", ["id"], unique=False
+    )
+
+
+def downgrade():
+    op.drop_index(op.f("ix_masking_secret_id"), table_name="masking_secret")
+    op.drop_table("masking_secret")

fides/api/alembic/migrations/versions/d0031087eacb_create_manualtaskconditionaldependency_.py

@@ -0,0 +1,106 @@
+"""create ManualTaskConditionalDependency table
+
+Revision ID: d0031087eacb
+Revises: 9e3dab26f75f
+Create Date: 2025-07-17 21:28:20.937945
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = "d0031087eacb"
+down_revision = "9e3dab26f75f"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+
+    op.create_table(
+        "manual_task_conditional_dependency",
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column("id", sa.String(length=255), nullable=False),
+        sa.Column("manual_task_id", sa.String(), nullable=False),
+        sa.Column("parent_id", sa.String(), nullable=True),
+        sa.Column(
+            "condition_type",
+            sa.String(),  # Use String instead of Enum to avoid auto-creation
+            nullable=False,
+        ),
+        sa.Column("field_address", sa.String(), nullable=True),
+        sa.Column("operator", sa.String(), nullable=True),
+        sa.Column("value", postgresql.JSONB(astext_type=sa.Text()), nullable=True),
+        sa.Column("logical_operator", sa.String(), nullable=True),
+        sa.Column("sort_order", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["manual_task_id"], ["manual_task.id"], ondelete="CASCADE"
+        ),
+        sa.ForeignKeyConstraint(
+            ["parent_id"], ["manual_task_conditional_dependency.id"], ondelete="CASCADE"
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+
+    op.create_index(
+        "ix_manual_task_conditional_dependency_condition_type",
+        "manual_task_conditional_dependency",
+        ["condition_type"],
+        unique=False,
+    )
+    op.create_index(
+        "ix_manual_task_conditional_dependency_manual_task_id",
+        "manual_task_conditional_dependency",
+        ["manual_task_id"],
+        unique=False,
+    )
+    op.create_index(
+        "ix_manual_task_conditional_dependency_parent_id",
+        "manual_task_conditional_dependency",
+        ["parent_id"],
+        unique=False,
+    )
+    op.create_index(
+        "ix_manual_task_conditional_dependency_sort_order",
+        "manual_task_conditional_dependency",
+        ["sort_order"],
+        unique=False,
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(
+        "ix_manual_task_conditional_dependency_sort_order",
+        table_name="manual_task_conditional_dependency",
+    )
+    op.drop_index(
+        "ix_manual_task_conditional_dependency_parent_id",
+        table_name="manual_task_conditional_dependency",
+    )
+    op.drop_index(
+        "ix_manual_task_conditional_dependency_manual_task_id",
+        table_name="manual_task_conditional_dependency",
+    )
+    op.drop_index(
+        "ix_manual_task_conditional_dependency_condition_type",
+        table_name="manual_task_conditional_dependency",
+    )
+
+    op.drop_table("manual_task_conditional_dependency")
+    # ### end Alembic commands ###

fides/api/api/v1/endpoints/dataset_config_endpoints.py

@@ -1,7 +1,7 @@
 from typing import Annotated, Any, Dict, List, Optional
 
 import yaml
-from fastapi import Depends, HTTPException, Request
+from fastapi import Depends, HTTPException, Query, Request
 from fastapi.encoders import jsonable_encoder
 from fastapi.params import Security
 from fastapi_pagination import Page, Params
@@ -68,10 +68,18 @@ from fides.api.models.sql_models import (  # type: ignore[attr-defined] # isort:
 )
 
 X_YAML = "application/x-yaml"
+MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM = 1000
 
 router = APIRouter(tags=["Dataset Configs"], prefix=V1_URL_PREFIX)
 
 
+# Custom Params class with higher limit for dataset configs
+class DatasetConfigParams(Params):
+    size: int = Query(
+        50, ge=1, le=MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM, description="Page size"
+    )
+
+
 # Helper method to inject the parent ConnectionConfig into these child routes
 def _get_connection_config(
     connection_key: FidesKey, db: Session = Depends(deps.get_db)
@@ -131,7 +139,7 @@ def validate_dataset(
     response_model=BulkPutDataset,
 )
 def put_dataset_configs(
-    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=50)],  # type: ignore
+    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM)],  # type: ignore
     db: Session = Depends(deps.get_db),
     dataset_config_service: DatasetConfigService = Depends(get_dataset_config_service),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
@@ -181,7 +189,7 @@ def put_dataset_configs(
     response_model=BulkPutDataset,
 )
 def patch_dataset_configs(
-    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=50)],  # type: ignore
+    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM)],  # type: ignore
     dataset_config_service: DatasetConfigService = Depends(get_dataset_config_service),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
 ) -> BulkPutDataset:
@@ -217,7 +225,7 @@ def patch_dataset_configs(
     response_model=BulkPutDataset,
 )
 def patch_datasets(
-    datasets: Annotated[List[FideslangDataset], Field(max_length=50)],  # type: ignore
+    datasets: Annotated[List[FideslangDataset], Field(max_length=1000)],  # type: ignore
     dataset_config_service: DatasetConfigService = Depends(get_dataset_config_service),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
 ) -> BulkPutDataset:
@@ -367,7 +375,7 @@ def get_dataset(
 )
 def get_dataset_configs(
     db: Session = Depends(deps.get_db),
-    params: Params = Depends(),
+    params: DatasetConfigParams = Depends(),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
 ) -> AbstractPage[DatasetConfig]:
     """Returns all Dataset Configs attached to current Connection Config."""

fides/api/api/v1/endpoints/drp_endpoints.py

@@ -125,7 +125,13 @@ async def create_drp_privacy_request(
             "Decrypting identity for DRP privacy request {}", privacy_request.id
         )
 
-        cache_data(privacy_request, policy, mapped_identity, None, data)
+        cache_data(privacy_request, mapped_identity, None, data)
+
+        if masking_secrets := policy.generate_masking_secrets():
+            logger.info(
+                "Caching masking secrets for privacy request {}", privacy_request.id
+            )
+            privacy_request.persist_masking_secrets(masking_secrets)
 
         queue_privacy_request(privacy_request.id)
 

fides/api/api/v1/endpoints/user_endpoints.py

@@ -6,6 +6,7 @@ from typing import List, Optional
 
 import jose.exceptions
 from fastapi import Depends, HTTPException, Security
+from fastapi.security import SecurityScopes
 from fastapi_pagination import Page, Params
 from fastapi_pagination.bases import AbstractPage
 from fastapi_pagination.ext.sqlalchemy import paginate
@@ -39,7 +40,9 @@ from fides.api.oauth.roles import APPROVER, VIEWER
 from fides.api.oauth.utils import (
     create_temporary_user_for_login_flow,
     extract_payload,
+    extract_token_and_load_client,
     get_current_user,
+    has_permissions,
     oauth2_scheme,
     verify_oauth_client,
 )
@@ -65,6 +68,7 @@ from fides.common.api.scope_registry import (
     USER_DELETE,
     USER_PASSWORD_RESET,
     USER_READ,
+    USER_READ_OWN,
     USER_UPDATE,
 )
 from fides.common.api.v1 import urn_registry as urls
@@ -107,6 +111,37 @@ def _validate_current_user(user_id: str, user_from_token: FidesUser) -> None:
         )
 
 
+def verify_user_read_scopes(
+    authorization: str = Security(oauth2_scheme),
+    db: Session = Depends(get_db),
+) -> ClientDetail:
+    """
+    Custom dependency that verifies the user has either USER_READ or USER_READ_OWN scope.
+    Returns the client if authorized.
+    """
+    token_data, client = extract_token_and_load_client(authorization, db)
+
+    # Try USER_READ first
+    if has_permissions(
+        token_data=token_data,
+        client=client,
+        endpoint_scopes=SecurityScopes([USER_READ]),
+    ):
+        return client
+
+    if has_permissions(
+        token_data=token_data,
+        client=client,
+        endpoint_scopes=SecurityScopes([USER_READ_OWN]),
+    ):
+        return client
+
+    raise HTTPException(
+        status_code=HTTP_403_FORBIDDEN,
+        detail="Not authorized.",
+    )
+
+
 @router.put(
     urls.USER_DETAIL,
     dependencies=[Security(verify_oauth_client)],
@@ -498,14 +533,38 @@ def delete_user(
 
 @router.get(
     urls.USER_DETAIL,
-    dependencies=[Security(verify_oauth_client, scopes=[USER_READ])],
+    dependencies=[Security(verify_user_read_scopes)],
     response_model=UserResponse,
 )
-def get_user(*, db: Session = Depends(get_db), user_id: str) -> FidesUser:
-    """Returns a User based on an Id"""
+def get_user(
+    *,
+    db: Session = Depends(get_db),
+    user_id: str,
+    client: ClientDetail = Security(verify_user_read_scopes),
+    authorization: str = Security(oauth2_scheme),
+) -> FidesUser:
+    """Returns a User based on an Id. Users with USER_READ_OWN scope can only access their own data."""
     user: Optional[FidesUser] = FidesUser.get_by_key_or_id(db, data={"id": user_id})
     if user is None:
         raise HTTPException(status_code=HTTP_404_NOT_FOUND, detail="User not found")
+    token_data, _ = extract_token_and_load_client(authorization, db)
+    # Check if user has USER_READ_OWN scope and is trying to access someone else's data
+    # The verify_user_read_scopes dependency already verified the user has either USER_READ or USER_READ_OWN
+    # We need to check if they have USER_READ_OWN and are accessing their own data
+    if has_permissions(
+        token_data=token_data,
+        client=client,
+        endpoint_scopes=SecurityScopes([USER_READ]),
+    ):
+        logger.debug("Returning user with id: '{}'.", user_id)
+        return user
+
+    # User has USER_READ_OWN scope, check if they're accessing their own data
+    if user.id != client.user_id:
+        raise HTTPException(
+            status_code=HTTP_403_FORBIDDEN,
+            detail="You can only access your own user data with USER_READ_OWN scope.",
+        )
 
     logger.debug("Returning user with id: '{}'.", user_id)
     return user
@@ -513,7 +572,7 @@ def get_user(*, db: Session = Depends(get_db), user_id: str) -> FidesUser:
 
 @router.get(
     urls.USERS,
-    dependencies=[Security(verify_oauth_client, scopes=[USER_READ])],
+    dependencies=[Security(verify_user_read_scopes)],
     response_model=Page[UserResponse],
 )
 def get_users(
@@ -521,11 +580,28 @@ def get_users(
     db: Session = Depends(get_db),
     params: Params = Depends(),
     username: Optional[str] = None,
+    client: ClientDetail = Security(verify_user_read_scopes),
+    authorization: str = Security(oauth2_scheme),
 ) -> AbstractPage[FidesUser]:
-    """Returns a paginated list of all users"""
+    """Returns a paginated list of users. Users with USER_READ_OWN scope only see their own data."""
     query = FidesUser.query(db)
-    if username:
-        query = query.filter(FidesUser.username.ilike(f"%{escape_like(username)}%"))
+
+    # Check if user has USER_READ_OWN scope and filter accordingly
+    # The verify_user_read_scopes dependency already verified the user has either USER_READ or USER_READ_OWN
+    token_data, _ = extract_token_and_load_client(authorization, db)
+    if has_permissions(
+        token_data=token_data,
+        client=client,
+        endpoint_scopes=SecurityScopes([USER_READ]),
+    ):
+        # User has USER_READ scope, can see all users
+        if username:
+            query = query.filter(FidesUser.username.ilike(f"%{escape_like(username)}%"))
+    else:
+        # User has USER_READ_OWN scope, only show their own data
+        query = query.filter(FidesUser.id == client.user_id)
+        if username:
+            query = query.filter(FidesUser.username.ilike(f"%{escape_like(username)}%"))
 
     logger.debug("Returning a paginated list of users.")
 

fides/api/app_setup.py

@@ -171,8 +171,9 @@ async def run_database_startup(app: FastAPI) -> None:
     if CONFIG.database.automigrate:
         try:
             configure_db(CONFIG.database.sync_database_uri)
-            with get_autoclose_db_session() as session:
-                seed_db(session)
+            if not CONFIG.test_mode:
+                with get_autoclose_db_session() as session:
+                    seed_db(session)
             if CONFIG.database.load_samples:
                 async with get_async_autoclose_db_session() as async_session:
                     await seed.load_samples(async_session)

fides/api/common_exceptions.py

@@ -283,6 +283,10 @@ class MalisciousUrlException(Exception):
     """Fides has detected a potentially maliscious URL."""
 
 
+class MaskingSecretsExpired(BaseException):
+    """The cached masking secrets have expired for the given privacy request."""
+
+
 class AuthenticationError(HTTPException):
     """To be raised when attempting to fetch an access token using
     invalid credentials.

fides/api/db/base.py

@@ -33,6 +33,7 @@ from fides.api.models.identity_salt import IdentitySalt
 from fides.api.models.location_regulation_selections import LocationRegulationSelections
 from fides.api.models.manual_task import (
     ManualTask,
+    ManualTaskConditionalDependency,
     ManualTaskConfig,
     ManualTaskConfigField,
     ManualTaskInstance,

fides/api/db/database.py

@@ -123,7 +123,7 @@ def get_db_health(
 
 
 def seed_db(session: Session) -> None:
-    """Load default resources into the database, and optionally load samples."""
+    """Load default resources into the database"""
     load_default_resources(session)
 
 

fides/api/graph/execution.py

@@ -1,6 +1,7 @@
 from typing import Any, Callable, Dict, List, Optional, Set, Tuple
 
 from fideslang.validation import FidesKey
+from loguru import logger
 
 from fides.api.graph.config import (
     Collection,
@@ -117,6 +118,8 @@ class ExecutionNode(Contextualizable):  # pylint: disable=too-many-instance-attr
         The values are cast based on field types, if those types are specified.
         """
         out = {}
+        failed_conversions: Dict[str, Dict[str, Any]] = {}
+
         for key, values in input_data.items():
             path: FieldPath = FieldPath.parse(key)
             field: Optional[Field] = self.collection.field(path)
@@ -126,4 +129,31 @@ class ExecutionNode(Contextualizable):  # pylint: disable=too-many-instance-attr
                 filtered = list(filter(lambda x: x is not None, cast_values))
                 if filtered:
                     out[key] = filtered
+                elif values:  # Had input values but all failed conversion
+                    # Track conversion failures for logging
+                    failed_conversions[key] = {"field": field, "input_values": values}
+
+        # Log conversion failures if any occurred
+        if failed_conversions:
+            field_details = []
+            for field_name, failure_info in failed_conversions.items():
+                field = failure_info["field"]
+                values = failure_info["input_values"]
+
+                expected_type = field.data_type() if field else "unknown"
+                actual_types = {type(v).__name__ for v in values if v is not None}
+                actual_type_str = (
+                    ", ".join(sorted(actual_types)) if actual_types else "NoneType"
+                )
+
+                field_details.append(
+                    f"{field_name} (expected: {expected_type}, got: {actual_type_str})"
+                )
+
+            logger.warning(
+                "Type conversion failures for {}: {}",
+                self.address,
+                "; ".join(field_details),
+            )
+
         return out

fides/api/models/manual_task/__init__.py

@@ -0,0 +1,2 @@
+from .conditional_dependency import *
+from .manual_task import *

fides/api/models/manual_task/conditional_dependency.py

@@ -0,0 +1,144 @@
+from enum import Enum
+from typing import TYPE_CHECKING, Optional, Union
+
+from sqlalchemy import Column, ForeignKey, Index, Integer, String
+from sqlalchemy.dialects.postgresql import JSONB
+from sqlalchemy.ext.declarative import declared_attr
+from sqlalchemy.orm import Session, relationship
+
+from fides.api.db.base_class import Base, FidesBase
+from fides.api.db.util import EnumColumn
+from fides.api.task.conditional_dependencies.schemas import (
+    ConditionGroup,
+    ConditionLeaf,
+)
+
+if TYPE_CHECKING:
+    from fides.api.models.manual_task.manual_task import ManualTask
+
+
+class ManualTaskConditionalDependencyType(str, Enum):
+    """Enum for manual task conditional dependency types.
+
+    This enum defines the two types of nodes in a conditional dependency tree:
+
+    - leaf: A terminal node that represents a single condition (e.g., "user.age >= 18")
+    - group: A non-terminal node that groups multiple conditions with logical operators (AND/OR)
+
+    Examples:
+        leaf: Used for simple field comparisons like:
+            - "user.name exists"
+            - "user.age >= 18"
+            - "billing.subscription.status == 'active'"
+
+        group: Used to combine multiple conditions with logical operators:
+            - AND group: "user.age >= 18 AND user.active == true"
+            - OR group: "user.role == 'admin' OR user.verified == true"
+            - Nested groups: "(user.age >= 18 AND (user.role == 'admin' OR user.verified == true))"
+    """
+
+    leaf = "leaf"
+    group = "group"
+
+
+class ManualTaskConditionalDependency(Base):
+    """Model for storing conditional dependencies."""
+
+    @declared_attr
+    def __tablename__(cls) -> str:
+        """Overriding base class method to set the table name."""
+        return "manual_task_conditional_dependency"
+
+    # We need to redefine it here so that self-referential relationships
+    # can properly reference the `id` column instead of the built-in Python function.
+    id = Column(String(255), primary_key=True, default=FidesBase.generate_uuid)
+
+    # Foreign key relationships
+    manual_task_id = Column(
+        String, ForeignKey("manual_task.id", ondelete="CASCADE"), nullable=False
+    )
+    parent_id = Column(
+        String,
+        ForeignKey("manual_task_conditional_dependency.id", ondelete="CASCADE"),
+        nullable=True,
+    )
+
+    # Condition metadata
+    condition_type = Column(
+        EnumColumn(ManualTaskConditionalDependencyType), nullable=False
+    )  # leaf or group
+    field_address = Column(String, nullable=True)  # For leaf conditions
+    operator = Column(String, nullable=True)  # For leaf conditions
+    value = Column(JSONB, nullable=True)  # For leaf conditions
+    logical_operator = Column(String, nullable=True)  # 'and' or 'or' for groups
+
+    # Ordering
+    sort_order = Column(Integer, nullable=False, default=0)
+
+    __table_args__ = (
+        Index("ix_manual_task_conditional_dependency_manual_task_id", "manual_task_id"),
+        Index("ix_manual_task_conditional_dependency_parent_id", "parent_id"),
+        Index("ix_manual_task_conditional_dependency_condition_type", "condition_type"),
+        Index("ix_manual_task_conditional_dependency_sort_order", "sort_order"),
+    )
+
+    # Relationships
+    task = relationship("ManualTask", back_populates="conditional_dependencies")
+    parent = relationship(
+        "ManualTaskConditionalDependency",
+        remote_side=[id],
+        back_populates="children",
+        foreign_keys=[parent_id],
+    )
+    children = relationship(
+        "ManualTaskConditionalDependency",
+        back_populates="parent",
+        cascade="all, delete-orphan",
+        foreign_keys=[parent_id],
+    )
+
+    def to_condition_leaf(self) -> ConditionLeaf:
+        """Convert to ConditionLeaf if this is a leaf condition"""
+        if self.condition_type != "leaf":
+            raise ValueError("Cannot convert group condition to leaf")
+
+        return ConditionLeaf(
+            field_address=self.field_address, operator=self.operator, value=self.value
+        )
+
+    def to_condition_group(self) -> ConditionGroup:
+        """Convert to ConditionGroup if this is a group condition"""
+        if self.condition_type != "group":
+            raise ValueError("Cannot convert leaf condition to group")
+
+        # Recursively build children
+        child_conditions = []
+        children_list = [child for child in self.children]  # type: ignore[attr-defined]
+        for child in sorted(children_list, key=lambda x: x.sort_order):
+            if child.condition_type == "leaf":
+                child_conditions.append(child.to_condition_leaf())
+            else:
+                child_conditions.append(child.to_condition_group())
+
+        return ConditionGroup(
+            logical_operator=self.logical_operator, conditions=child_conditions
+        )
+
+    @classmethod
+    def get_root_condition(
+        cls, db: Session, manual_task_id: str
+    ) -> Optional[Union[ConditionLeaf, ConditionGroup]]:
+        """Get the root condition for a config"""
+        root = (
+            db.query(cls)
+            .filter(cls.manual_task_id == manual_task_id, cls.parent_id.is_(None))
+            .first()
+        )
+
+        if not root:
+            return None
+
+        if root.condition_type == "leaf":
+            return root.to_condition_leaf()
+
+        return root.to_condition_group()

fides/api/models/{manual_task.py → manual_task/manual_task.py}

@@ -26,6 +26,9 @@ from fides.api.schemas.base_class import FidesSchema
 if TYPE_CHECKING:
     from fides.api.models.attachment import Attachment
     from fides.api.models.fides_user import FidesUser
+    from fides.api.models.manual_task.conditional_dependency import (
+        ManualTaskConditionalDependency,
+    )
 
 # ------------------------------------------------------------
 # Enums
@@ -242,6 +245,13 @@ class ManualTask(Base):
         viewonly=True,  # No cascade delete - submissions are historical data
     )
 
+    conditional_dependencies = relationship(
+        "ManualTaskConditionalDependency",
+        back_populates="task",
+        uselist=True,
+        cascade="all, delete-orphan",
+    )
+
     # Properties
     @property
     def assigned_users(self) -> list[str]: