Workspace setup (IT & platform admins)


Audience	IT teams, system admins, platform owners
Prerequisites	Composable CDP overview AI Decisioning overview

Configure your Hightouch workspace to ensure secure access, clear permissions, and consistent governance across teams.

Setup steps

1. Invite your team

Set up user access and authentication for your organization.

Add users manually or configure SSO/SCIM for centralized identity management.
Map IdP groups (e.g., Okta, Microsoft Entra ID) to Hightouch user groups to automate access control.
Review and test login and group mapping before provisioning at scale.

→ SSO setup

2. Configure workspaces

Workspaces define where data, syncs, and users live within your organization.

Organization: The top-level entity representing your company, used for user and role management.
Workspaces: Independent environments under an organization. Use these to separate configurations or compliance zones.
Environments: Create staging and production environments within a workspace to safely test changes before deployment.

Best practice:
Keep the number of workspaces minimal. Use environments instead of multiple workspaces unless you must separate brands, regions, or legal entities.

→ Workspace management
→ Environments

Use one workspace per brand or region, with environments for staging and production separation.

3. Manage users, groups, and roles

Define who can access what, and at what level.

User groups: Collections of users that share the same permissions across one or more workspaces.
- Organization admins — full access
- Organization viewers — read-only access
  → User groups overview
Roles: Sets of permissions that determine which actions user groups can perform within a workspace.
- Admin — full control (typical for IT and data teams)
- Editor — can modify syncs and models
- Viewer — read-only
- Draft editor — can propose changes pending approval
- Create custom roles for granular control as your setup grows.
  → Roles overview

Groups can represent different teams, regions, brands, or any structure that impacts access permissions.

Start with pre-built roles during onboarding. Move to custom roles once your org structure or compliance needs require it.

User groups manage access across workspaces, with roles assigned at the group level.

4. Secure your setup

Protect your workspace and data using Hightouch’s enterprise-grade security features.

Review the Security overview for encryption, compliance, and hosting details.
Configure network access via tunnel, PrivateLink, or IP allowlisting.
→ Network access
Set up self-hosted storage to write query results to your own cloud bucket (AWS, GCP, Azure).
→ Self-hosted storage
(Optional) Integrate consent management to enforce opt-in policies for marketing use cases.
→ Consent management (OneTrust)
Monitor with sync logs and alerting for visibility into data flows.

5. Change management

Establish governance controls for reviewing, approving, and tracking changes across your workspace.

Approval flows: Require admin or peer review before syncs or models go live.
- Assign the Workspace Draft Contributor role to users who can submit changes for approval.
  → Approval flows
Audit logs: Capture all in-app user actions for 90 days to support compliance and troubleshooting.
→ Audit logs
Environments: Use staging environments to validate syncs and models before production deployment.
→ Environments
Alerting: Notify admins of sync failures or anomalies via Slack, email, PagerDuty, or Datadog.
→ Alerting

6. Organize resources (optional)

Keep large workspaces manageable and transparent.

Folders: Group syncs, models, and audiences for easier navigation.
Filters: Refine views by status, ownership, or query type.
Labels: Tag resources with key-value pairs (e.g., brand, region, campaign type) to track usage or ownership.

→ Folders, filters, and labels