Workspace management

Since Hightouch manages the flow of your business-critical data, we provide a full suite of platform governance features to ensure security and compliance. These features fall into two categories: access management and change management.

Before going in-depth on these features, it's helpful to understand the core concepts Hightouch uses to structure workspace management features.

Core concepts

Organization: a container for a set of workspaces, used for billing purposes.
Workspace: a Hightouch account representing a set of resources and users. All settings apply at the workspace level, except for SSO, which applies at the organization level.
User: an individual with access to a workspace. A user can be associated with one or more workspaces.
Role: a set of policies governing a user's access to resources. Users can only be assigned one role.
Policy: a set of actions users can take on resources given certain conditions.
Resource: any of the building blocks of a workspace: for example, sources, destinations, models, syncs, and audiences.

When you have many resources in the same workspace, it can be helpful to organize and navigate them using folders and filters.

Access management

Hightouch's access management features let you govern who can access your workspaces and what actions they can take.

Access management features include:

SAML single sign-on (SSO) to support organizational access and user creation
Role-based access controls (RBAC) to govern and customize what actions users can take
SSO groups to support workspace and role assignment at scale
Label-based access controls (LBAC) to provide deeper access granularity

SAML SSO, SSO groups, role-based controls, and label-based controls are only available on Business tier plans.

Invite team members

You can choose to invite team members to your workspace manually or enable access for your entire organization using SAML SSO. Before inviting team members, you may want to change the default role for a workspace or set up SSO groups to map groups in your identity provider to Hightouch roles.

To manually invite a team member, go to the Members tab on the Settings page and click Invite new people.

In the modal that appears, enter your team member's Email, select the appropriate Role, and click Send invitation.

The Members tab displays pending invitations and team members. You can choose to resend or cancel any pending invitations. Outstanding invitations are active for 30 days.

Check out the SSO documentation to learn how to configure SAML SSO to provide access for your entire organization through an identity provider like Okta or Azure Active Directory.

Remove team members

To remove team members, go to the Members tab on the Settings page and check the boxes next to the members or members you would like to remove. Then click Delete selected members at the top of the page and confirm your choice in the popup window.

If you remove a workspace member, all resources they created, such as models and syncs, will continue to exist. You don't need to be migrate them to a different member.

However, it's best to reauthorize any source or destination configurations that use a removed member's credentials. By reauthorizing them with a current member's credentials, you can avoid a credential's expiration interrupting your syncs.

If possible, use service accounts to authorize connections with resources rather than individuals' user accounts.

Default role settings

Unless you've setup SSO group mappings to Hightouch roles, Hightouch assigns new members the default workspace role.

You can change the default role for a workspace from the Workspace tab on the Settings page. Select the appropriate role for users from the dropdown under the Default role header.

Selecting the default role for all users in a workspace

Be careful when downgrading the default role, for example from Admin to Viewer. You may be unintentionally stripping users of permissions. Review role definitions before setting the default role to select the appropriate role for your workspace.

From the Workspace tab, you can also toggle off using the default role for SSO users.

Toggling off default role for users in a workspace

Your organization may want to do this to restrict unintended access to your workspace. By toggling this setting off, users won't have access to workspaces that have enabled SAML SSO unless they belong to an identity provider group that has been mapped to a Hightouch role.

Change user roles

Unless you've setup SSO group mappings to Hightouch roles, you can change an individual user's role from the Members tab on the Settings page. This page displays a table of all users in your workspace.

Each user row has a Role dropdown where you can select that user's role. You can create custom roles for assignment using role-based access controls.

Changing individual user roles isn't allowed for workspaces using SSO since we don't want to enable users to circumvent permissions set in their organization's identity provider.

Check out the SSO groups documentation to learn how to automatically assign roles to team members based on their group in your identity provider.

Change management

Hightouch's change management features let you enforce reviews of changes and allow you to view historical in-app changes.

Change management features include:

Approval flows to stage changes before pushing them into production
Audit logs to provide records of what changes were made, by whom, and when

Approval flows and audit logs are only available on Business tier plans.

Use approval flows

Approval flows make it so that any changes made by users with the Workspace Draft Contributor role require approval from a privileged user. Check out the approval flows documentation to learn more about the feature and how to enable it.

View audit logs

Hightouch provides audit logs to track, trace, and search through historical actions taken in the Hightouch app. Check out the audit logs documentation to learn more about the feature and how to use it.