Overview

Core to Workspace Permissions are the concepts of users, roles, and resources. Users belong to workspaces, and each user in a workspace must have a role.
When you create a Hightouch Workspace, three roles are created by default: Admin, Editor, and Viewer.
  • Admin users have full, unrestricted access to all resources under a Hightouch workspace. They can also manage the Workspace itself, including managing user membership, creating new API keys, setting up External Storage, and configuring integrations with external services (like Slack and PagerDuty).
  • Editor users have full read and write access to the core Hightouch objects, like Sources, Destinations, Models, Audiences, and Syncs, but are restricted from viewing or editing Workspace-level configuration.
  • Viewer users have read-only access to all Hightouch objects, excluding Workspace-level configuration.
When a user joins a workspace, they are assigned to the default role, which can be set at the workspace level.

Invite a user

From the Settings -> Members page, you can invite a new member to your workspace by adding their email address.
The Members page displays your pending invites and lets you cancel or resend an invite. Outstanding invites are active for 30 days.

Change role for user

From the Settings -> Members page, you will see a table of all the users in your Workspace.
Each user row will have a role dropdown. You can use this dropdown to select a new role for any user.

Change the default role

From the Settings -> General page, under the Default Role header, you will see a dropdown that allows you to select the Default Role for users in your Workspace.

Advanced Permissions

With advanced permissions, you can control your workspace at a finer granularity. This feature is geared toward workspaces with sensitive data sets, companies that want finer control over who can make changes to their production syncs, and auditors who want to ensure that SOC 2 compliance is maintained for their organization. We have implemented advanced permissions similarly to the way AWS structures its permissions. We use a JSON structure for ease, readability, and quick refinement.
When a user does not have sufficient privileges for a resource like Sources or Models, that resource is greyed out in the UI to indicate this to the user.

Setup

To add a new role to your workspace, you'll want to navigate to Settings > Roles.
Once you are here, you have the opportunity to edit any role by clicking on the role or you can create a new one by clicking on Add Role.

Resources

[
	"workspace", // Catch all
	"destination",
	"source",
	"model",
	"sync",
	"audience",
	"audience_schema", // Anything behind setup except sync templates
	"sync_template",
	"workspace_membership", // Can the user invite people (CREATE) or change their role (UPDATE)
	"alert" // Not yet implemented
]

User Actions

By default, all of our permissions are set to deny everything. If you have an empty policies array, it will also default to denying everything.
[
	"read",
	"update",
	"create",
	"delete",
	"start", // Sync only, can the user start a manual sync
	"enable", // Sync only, can the user enable a sync (useful for approval)
	"debugger", // Sync only, can the user view the runs and results of a sync (PII)
	"preview", // TBD Source, model or audience, can the user test queries against a source
	"testrow" // Sync only, can the user test a row
]

Example - Audience Collaborator

In this example, the Audience Collaborator can perform any action on Audiences. They can read, update, and create Syncs and Workspace Memberships. Lastly, they have read-only access to Audience Schemas, Destinations, and Sync Templates.
{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "audience"
      ]
    },
    {
      "effect": "allow",
      "actions": [
        "read",
        "update",
        "create"
      ],
      "resource": [
        "sync",
        "workspace_membership"
      ]
    },
    {
      "effect": "allow",
      "actions": "read",
      "resource": [
        "audience_schema",
        "destination",
        "sync_template"
      ]
    }
  ]
}
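
A minimal evaluator for the policy format above, as an added example (not Hightouch's code): it expands `"*"`, applies the default-deny rule, and lists grants that the page's own comments mark as sensitive. The `SENSITIVE` review list and all function names are assumptions, and only the `allow` effect shown on this page is modelled.

```python
# Resource and action names copied from the "Resources" and "User Actions" lists.
RESOURCES = {"workspace", "destination", "source", "model", "sync", "audience",
             "audience_schema", "sync_template", "workspace_membership", "alert"}
ACTIONS = {"read", "update", "create", "delete", "start", "enable",
           "debugger", "preview", "testrow"}

# Constructed review list (an assumption, not a Hightouch feature): grants worth
# a second look, worded after the page's comments on each name.
SENSITIVE = {
    ("workspace_membership", "create"): "can invite people",
    ("workspace_membership", "update"): "can change member roles",
    ("sync", "debugger"): "can view sync runs and results (PII)",
}

def _as_set(value, universe):
    """Normalise "*", a single string, or a list into a set of names."""
    if value == "*":
        return set(universe)
    return {value} if isinstance(value, str) else set(value)

def effective_grants(role):
    """Return every (resource, action) pair the role allows; default is deny."""
    grants = set()
    for policy in role.get("policies", []):
        if policy.get("effect") != "allow":  # only "allow" appears on the page
            continue
        actions = _as_set(policy["actions"], ACTIONS)
        resources = _as_set(policy["resource"], RESOURCES)
        unknown = (actions - ACTIONS) | (resources - RESOURCES)
        if unknown:  # a typo would otherwise silently grant nothing
            raise ValueError(f"unknown names in policy: {sorted(unknown)}")
        grants |= {(r, a) for r in resources for a in actions}
    return grants

def is_allowed(role, action, resource):
    return (resource, action) in effective_grants(role)

def sensitive_grants(role):
    """List the review-worthy grants a role carries, sorted for stable output."""
    held = effective_grants(role)
    return sorted(f"{r}:{a} - {why}" for (r, a), why in SENSITIVE.items() if (r, a) in held)

# The Audience Collaborator role from this page, embedded inline.
AUDIENCE_COLLABORATOR = {"version": "2022-04-26", "policies": [
    {"effect": "allow", "actions": "*", "resource": ["audience"]},
    {"effect": "allow", "actions": ["read", "update", "create"],
     "resource": ["sync", "workspace_membership"]},
    {"effect": "allow", "actions": "read",
     "resource": ["audience_schema", "destination", "sync_template"]},
]}
```

Running `sensitive_grants(AUDIENCE_COLLABORATOR)` shows that this role can both invite members and change their roles, which is worth confirming before assigning it.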

Defaults

Admin
{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": "*"
    }
  ]
}
Editor
{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "destination",
        "source",
        "model",
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "workspace_membership",
        "alert"
      ]
    }
  ]
}
Reader
{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": [
        "read"
      ],
      "resource": [
        "destination",
        "source",
        "model",
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "workspace_membership",
        "alert"
      ]
    }
  ]
}
