Since Hightouch manages the flow of your business-critical data, we provide a full suite of platform governance features to ensure security and compliance. These features fall into two categories: access management and change management.
Before going in-depth on these features, it's helpful to understand the core concepts Hightouch uses to structure workspace management features.
- Organization: a container for a set of workspaces, used for billing purposes.
- Workspace: a Hightouch account representing a set of resources and users. All settings apply at the workspace level, except for SSO, which applies at the organization level.
- User: an individual with access to a workspace. A user can be associated with one or more workspaces.
- Role: a set of policies governing a user's access to resources. Users can only be assigned one role.
- Policy: a set of actions users can take on resources given certain conditions.
- Resource: any of the building blocks of a workspace: for example, sources, destinations, models, syncs, and audiences.
When you have many resources in the same workspace, it can be helpful to organize and navigate them using folders and filters.
Hightouch's access management features let you govern who can access your workspaces and what actions they can take.
Access management features include:
- SAML single sign-on (SSO) to support organizational access and user creation
- Role-based access controls (RBAC) to govern and customize what actions users can take
- SSO groups to support workspace and role assignment at scale
- Label-based access controls (LBAC) to provide deeper access granularity
Invite team members
You can choose to invite team members to your workspace manually or enable access for your entire organization using SAML SSO. Before inviting team members, you may want to change the default role for a workspace or set up SSO groups to map groups in your identity provider to Hightouch roles.
To manually invite a team member, go to the Members tab on the Settings page and click Invite new people.
In the modal that appears, enter your team member's Email, select the appropriate Role, and click Send invitation.
The Members tab displays pending invitations and team members. You can choose to resend or cancel any pending invitations. Outstanding invitations are active for 30 days.
Check out the SSO documentation to learn how to configure SAML SSO to provide access for your entire organization through an identity provider like Okta or Azure Active Directory.
Remove team members
To remove team members, go to the Members tab on the Settings page and check the boxes next to the member or members you would like to remove. Then click Delete selected members at the top of the page and confirm your choice in the popup window.
If you remove a workspace member, all resources they created, such as models and syncs, will continue to exist. You don't need to migrate them to a different member.
However, it's best to reauthorize any source or destination configurations that use a removed member's credentials. By reauthorizing them with a current member's credentials, you can avoid a credential's expiration interrupting your syncs.
If possible, use service accounts to authorize connections with resources rather than individuals' user accounts.
Default role settings
Unless you've set up SSO group mappings to Hightouch roles, Hightouch assigns new members the default workspace role.
You can change the default role for a workspace from the Workspace tab on the Settings page. Select the appropriate role for users from the dropdown under the Default role header.
Be careful when downgrading the default role, for example from Admin to Viewer. You may be unintentionally stripping users of permissions. Review role definitions before setting the default role to select the appropriate role for your workspace.
From the Workspace tab, you can also toggle off using the default role for SSO users.
Your organization may want to do this to restrict unintended access to your workspace. By toggling this setting off, users won't have access to workspaces that have enabled SAML SSO unless they belong to an identity provider group that has been mapped to a Hightouch role.
Change user roles
Unless you've set up SSO group mappings to Hightouch roles, you can change an individual user's role from the Members tab on the Settings page. This page displays a table of all users in your workspace.
Each user row has a Role dropdown where you can select that user's role. You can create custom roles for assignment using role-based access controls.
Changing individual user roles isn't allowed for workspaces using SSO since we don't want to enable users to circumvent permissions set in their organization's identity provider.
Check out the SSO groups documentation to learn how to automatically assign roles to team members based on their group in your identity provider.
Hightouch's change management features let you enforce reviews of changes and allow you to view historical in-app changes.
Change management features include:
- Approval flows to stage changes before pushing them into production
- Audit logs to provide records of what changes were made, by whom, and when
Use approval flows
With approval flows enabled, any changes made by users with the Workspace Draft Contributor role require approval from a privileged user. Check out the approval flows documentation to learn more about the feature and how to enable it.
View audit logs
Hightouch provides audit logs to track, trace, and search through historical actions taken in the Hightouch app. Check out the audit logs documentation to learn more about the feature and how to use it.