Hightouch makes it easy for teams to collaborate across your business. Workspace management is designed to be simple so that you can get started quickly. At the same time, it offers deep flexibility to support large enterprises with multiple teams, regional divisions, and complex brand structures.
This guide explains the core concepts behind workspace management, starting with user groups and role-based access control. After setting up your workspace, you can activate additional features like approval flows and staging environments.
Understanding how your organization is structured
Organizations
An organization in Hightouch represents your entire company. It's the top-level entity used for billing and user management.
Workspaces
A workspace is a partition within an organization, typically used to isolate environments (like staging and production) or to divide business units that don't share any resources in common. Each workspace is a completely separate container that houses its own set of resources like syncs and models. By design, nothing can be shared across workspace boundaries—not even the connection to your data source.
While workspaces provide flexibility in structuring your organization, we recommend keeping the number of workspaces to a minimum. Each workspace requires its own configuration, so consolidating into fewer workspaces can help streamline both your onboarding and day-to-day operations.
Hightouch's governance features allow different teams, regions, or brands to operate within a single workspace that shares common settings. Strict access controls ensure that only authorized users can interact with specific resources. For most enterprise customers, a single production workspace is sufficient, though some choose to add an additional workspace for testing purposes. Features like labels, filters, and folders help keep everything organized.
Separate workspaces should only be considered if regions or brands must remain fully independent, or if compliance requires data processing in different locations.
User groups
A user group in Hightouch is a collection of users who share the same permissions. Access control is managed at the group level, rather than for individual users, to ensure consistency and make updates easier as team structures and responsibilities evolve.
User groups are created within organizations and can be granted access to one or more workspaces. Users can belong to multiple groups, and when they do, they inherit the combined access from all of their assigned groups.
Typically, user-to-group mappings are determined by your identity provider (e.g., Okta). However, if SSO isn't enabled, or if you need to create custom groups, you can manually configure user groups and assign users directly in the Hightouch app.
Roles
A role defines the specific actions a user group can perform within a workspace. The key distinction between user groups and roles is that a user group aggregates users, while a role defines the scope of what actions those users can take. For example, a user group called “Lifecycle marketers” may assume the role of “Viewer” in a workspace.
Hightouch offers two types of roles:
- Pre-defined roles: These are pre-defined roles like “Admin,” “Editor,” and “Viewer” that apply broadly to all resources in a workspace. These roles are designed to simplify onboarding but in some cases may not be flexible enough for large, busy workspaces.
- Custom roles: These provide granular control, allowing you to grant specific abilities like creating syncs, accessing sensitive data, or managing credentials. Custom roles can be fine-tuned for individual sources and destinations.