1 of 100

Tonic Structural

Tonic Structural User Guide

The Tonic Structural platform creates safe, realistic datasets to use in staging environments or for local development. The Structural web application and API can be used by engineers, data analysts, or security experts.

Structural connects to source databases that contain sensitive data such as personally identifiable information (PII) or protected health information (PHI). To protect that data, Structural transforms the sensitive values and then writes the transformed data to a destination location.

New to Structural? Review the Tonic Structural workflow overview. For information on how to create a Structural account and start a Structural free trial, go to Getting started with the Structural free trial.

Want to know what's in the latest Structural releases? Go to the Tonic Structural release notes.

The Structural application heading includes a feature updates icon, which displays a summary of the newest features, and includes a link to the Structural release notes.

Connect to your data

Configure and generate transformed data

Manage a self-hosted Tonic Structural instance

Need help with Structural? Contact [email protected].

About Tonic Structural

The Tonic Structural synthetic data platform combines sensitive data detection and data transformation to allow users to create safe, secure, and compliant datasets.

Common Structural use cases include creating staging and development environments, and trying out a new cloud provider without complex data agreements.

Structural allows you to reduce bug counts, shorten testing life cycles, and share data with partners, all while helping to ensure security and compliance with the latest regulations, from GDPR to CCPA.

You can use the Structural API to integrate with CI/CD pipelines or to create automated processes that ensure that the generated data is available on demand.

Structural data generation workflow

Tonic Structural data generation combines sensitive data detection and data transformation to create safe, secure, and compliant datasets.

The Structural data generation workflow involves the following steps:

You can also view this .

To get started, you . When you create a workspace, you identify the type of source data, such as PostgreSQL or MySQL, and establish the connections to the source database and the destination location. The source database contains the original data that you want to synthesize. The destination location is where Structural stores the synthesized data. It might be a database, a storage location, a container repository, or an Ephemeral database snapshhot.
Next, you . The sensitivity scan identifies columns that contain sensitive data. These columns need to be protected by a generator.
Based on the sensitivity scan results, you configure the data generation. The configuration includes:
- The table mode controls the number of rows and columns that are copied to the destination database.
- You can make adjustments to the initial sensitivity assignments. For example, you can mark additional columns as sensitive that the initial scan did not identify as sensitive.
- To protect the data in a column, especially a sensitive column, you assign a generator to it. The generator replaces the source value with a different value in the destination database. For example, the generator might scramble the characters or assign a random value of the same type.
After you complete the configuration, you . The data generation job uses the configured table modes and generators to transform the data from the source database and write the transformed data to the destination location. You can track the job progress and view the job results.

Structural deployment types

Self-hosted Tonic Structural instance

You can .

For a self-hosted instance, Structural provides administrator tools that allow you to and .

You can to customize your instance.

On a self-hosted instance, based on your , you have access to the full set of supported data connectors.

Structural Cloud

Structural Cloud is our secure hosted environment. On Structural Cloud, Tonic.ai handles monitoring Structural services and updating Structural.

For , Structural Cloud only supports Okta.

Structural Cloud does not include:

. Structural Cloud uses a single configuration.
Access to the following data connectors:

Structural Cloud also supports a pay-as-you-go plan, where free trial users can move on to set up a monthly subscription. For more information, go to .

Each Structural Cloud user belongs to a Structural Cloud organization, which is determined either by the user's email domain or by a workspace invitation. Structural Cloud users do not have any access to workspaces or users from other organizations.

Each free trial user is in a separate organization, along with any users that they invite to have access to a free trial workspace.

For information about Structural Cloud organizations, go to .

The Account Admin permission set allows a Structural Cloud user to manage organization users and workspaces. For information about granting access to the Account Admin permission set, go to .

Structural implementation roles

A Tonic Structural implementation can involve the following roles - from those who set up the Structural environment to the consumers of the data that Structural processes.

Note that these roles are not related to role-based access (RBAC) within Structural, which is managed using permission sets.

Infrastructure engineers

For self-hosted instances of Structural.

Infrastructure engineers set up the Structural application and its relevant dependencies. They are typically DevOps, Site Reliability Engineering (SRE), or Kubernetes cluster administrators.

Infrastructure engineers perform the following Structural-related tasks:

Ensure that the proper infrastructure is ready for Structural installation based on the deployment checklist.
Follow the installation instructions. Works with Tonic.ai support as needed.
Perform routine maintenance of Structural and the Structural environment. Updates Structural and its dependencies as needed.
Create Structural-processed data pipelines for development and testing workflows.

Database administrators

For both self-hosted instances of Structural and Structural Cloud.

Database administrators integrate Structural into your data architecture to support Structural data connectors.

They ensure that source databases are available to Structural, and that Structural can write to destination databases.

Database administrators perform the following Structural-related tasks:

Set up the required Structural access to source databases.
Set up destination databases for Structural to write transformed data to.

Structural users

Structural users are the actual users of the Structural application.

Depending on the use case, Structural users might be compliance analysts, DevOps, or data engineers.

Tonic users perform the following Structural-related tasks:

Use the Structural data generation workflow to configure the logic used to transform the source data and to generate the transformed data.
Work with data consumers to produce usable data.

Data consumers

Data consumers are the end users of transformed destination data.

They are typically QA testers, developers, or analysts.

Data consumers perform the following Structural-related tasks:

Validate the usability of the destination data.
Provide guidance on application-specific requirements for data.

Security and compliance

Security and compliance specialists ensure and validate that the data that Structural produces meets expectations, and that Structural is compliant with other security-related processes.

Security and compliance specialists perform the following Structural-related tasks:

Provide guidance on what data is sensitive.
Sign off on proposed approaches to mask sensitive data.
Approve data access and permissions.

Logging into Structural for the first time

When you go to Tonic Structural for the first time, you create an account. How you create an account depends on the type of user you are.

A new Structural user can be one of the following:

Free trial users use Structural Cloud to explore and experiment with Structural before they decide whether to purchase it.
Self-hosted instances are installed on-premises. The customer administers the Structural users.
New users are added to existing organizations based on their email domain.

Managing your user account

From the User Settings view, you can manage settings for your individual Tonic Structural account.

To display the User Settings view:

Click your user image at the top right.
In the menu, click User Settings.

The User Settings view includes options to:

Configure your user image.
View and copy your organization identifier.
Configure email notifications for column comments.
Generate and manage API tokens.
Change your Structural password (if your Structural instance does not use SSO).
Delete your Structural account.

Choosing your user image

You can select an image to associate with your account. The image is displayed next to your name and email address throughout Structural.

If your instance uses Google or Azure single sign-on (SSO) to manage Structural users, then by default your Structural account image is the image from the SSO.

Otherwise, the default image displays your initials.

To change your user image, click Upload, then select the image file.

Viewing and copying your organization identifier

Below your user image file name is the identifier of the organization that your account belongs to.

To copy the identifier, click the copy icon.

Configuring notifications for column comments

Required license: Professional or Enterprise

Structural allows users to provide comments on columns. You can do this from Privacy Hub and Database View.

From the Comment Notification Settings section of User Settings, you can configure when to receive email notifications for comments.

The available options are:

I am an owner, editor, auditor, or am being replied to This is the default option. You receive email notifications when comments are made on columns in a workspace that you are an owner, editor, or auditor for. You also receive an email notification when someone replies to a comment that you made.
I am @ mentioned You only receive an email notification if someone specifically mentions you in a comment.
Never You never receive email notifications for column comments.

Generating and managing API tokens

Before you can use the Structural API, you must create an API token. From the User API Tokens section of the User Settings view, you can create and manage API tokens.

Creating an API token

To create an API token:

Click Create Token.
On the Create New Token dialog, enter a name for the new token.
Click Confirm.

In the list, the new token displays as clear text. To copy the new token, click the copy icon next to the token.

The new token text and copy icon only display during the current session. After that, Structural masks the token and removes the copy icon.

Revoking an API token

To revoke a token, click the Revoke option for the token.

Changing your Structural password

If your Structural account is not managed using SSO, then from User Settings, you can change your Structural password.

If your Structural instance uses SSO to manage users, then your user credentials are managed in the SSO system. You cannot change your user password in Structural.

Under Password Change, to change your Structural password:

In the Old Password field, type your current Structural password.
In the New Password field, type your new Structural password.
In the Repeat New Password field, type your new Structural password again.
Click Confirm.

Deleting your Structural account

From User Settings, you can delete your Structural account. If your instance uses SSO to manage users, then deleting your account only affects your access to Structural.

You cannot delete your Structural account if you are the owner of a workspace for which other users are granted access. Before you can delete your Structural account, you must either:

Revoke access from other users.
Transfer ownership to a different user.

To delete your Structural account, click Delete Account.

When you delete your account, you are logged out of Structural.

Frequently Asked Questions

What is the minimum required screen width for the Tonic Structural application?

The minimum screen width is 1120 pixels.

How do you connect to a local database when running Structural in a Docker container locally?

If the locally running database that you want to connect to runs in a Docker container:

Run: docker inspect
In the networks section of the results, find the Gateway IP address. Use this IP address as the server address in Structural.

If the locally running database does NOT run in a container, but runs on the machine, then:

On Windows or Mac, use host.docker.internal.
On Linux, use 172.17.0.1, which is the IP address of the docker0 interface.

I allowlist access to my database. What are your static IP addresses?

If you use Structural Cloud, and your database only allows connections from allowlisted IP addresses, then you need to allowlist Structural static IP addresses.

This is not required for self-hosted instances of Structural.

United States-based instance

For the United States-based instance (app.tonic.ai), the static IP addresses are:

54.92.217.68
52.22.13.250

The following IP addresses are used if needed for scaling or failover:

44.215.74.226
3.232.203.148
3.224.2.189
44.230.136.147
44.230.79.194

Europe-based instance

For the Europe-based instance (app-de.tonic.ai), the static IP addresses are:

18.159.127.160
3.69.249.144

The following IP addresses are used if needed for scaling or failover:

18.159.179.95
3.120.214.225
3.75.12.1
16.16.71.42
16.170.51.237

I allowlist network calls. What do I need to allowlist?

URLs for telemetry sharing

The URL https://telemetry.tonic.ai/ is used for our Amplitude telemetry.

https://telemetry.tonic.ai/logs is used specifically for log sharing.

Allowlist https://telemetry.tonic.ai/ or the following IP addresses:

75.2.74.76
99.83.246.105

Telemetry sharing is required. These metrics are valuable for us as we debug, make product roadmaps, and determine feature viability.

No customer data is included. For more information about the specific telemetry data that we collect, go to Data that Tonic.ai collects.

For more information on how to verify that telemetry is shared, go to Verifying and enabling telemetry sharing.

URLs for Structural version information

To support the one-click update option, Structural needs to be able to retrieve information about the latest Structural version.

For more information, go to .

How do I check my current version of Structural?

Click your user image at the top right. The menu includes the Tonic version.

How should we provision our source database?

We recommend that you use a static copy of your production database that was restored from a backup.

If that's not possible, consider the following when you connect Structural to your source data:

Structural cannot guarantee referential integrity of the output data if the source database is written to while data is generated. For this reason we recommend that you connect to a static copy of production data.
Read replicas and fast followers can be problematic for Structural because of how long it takes some queries to run. Read replicas tend to have short query timeout limits, which causes the queries to time out. Read replicas also reflect recent writes, which means that we cannot guarantee the referential integrity of the output.

What data does Tonic.ai collect from Structural?

For details about the types of data that Tonic.ai does and does not collect, go to Data that Tonic.ai collects.

Tutorial videos

Use these tutorial videos to learn more about how to use Tonic Structural.

Tonic Structural 101

Provides an overview of the Structural workflow and how to use Structural to generate de-identified data. For more information, go to Structural data generation workflow.

Creating a Structural workspace

Provides an overview of what a Structural workspace is and how to create a new Structural workspace. For more information, go to Managing workspaces.

Sensitivity detection and generator recommendations

Provides an overview of how Structural detects sensitive values and how you can apply recommended generators to the detected values.

Managing workspace access

Provides an overview of workspace owners, permissions, and permission sets. Explains how to share and transfer ownership of a workspace. For more information, go to Managing access to workspaces.

Structural generators overview

Identifies the types of generators and transformations that you can use in Structural, and explains how to assign a generator to a column. For more information, go to Generator information.

Generator presets

Provides an overview of generator presets. Includes how to create and update them, and how to track where each generator preset is used. For more information, go to Managing generator presets.

File connector overview

Provides an overview of the file connector and how to manage file groups in a file connector workspace. For more information, go to File connector.

Generating data with consistency

Provides an overview of the consistency generator property and how it works. For more information, go to Enabling consistency.

Using Document View to configure JSON columns

Provides an overview of how to enable Document View for a JSON column and how to use it to configure generators for JSON fields.

Subsetting your data

Provides an overview of subsetting, how it is configured, and how Structural uses the configuration to generate a subset. For more information, go to Subsetting data.

Upsert data generation

Provides an overview of upsert data generation. Includes how it works and how to enable and run it for a workspace. For more information, go to Enabling and configuring upsert.

Writing destination data to a container repository

Provides an overview of how to write destination data to a container repository instead of a database server. For more information, go to Writing output to a container repository.

Creating and managing workspaces

Managing workspaces

A Tonic Structural workspace provides a context within which to configure and generate transformed data.

A workspace represents a path between the source data and the transformed output data. For example, postgres-prod-copy to postgres-staging.

A workspace includes:

Where to find the source data to transform during data generation
Where to write the transformed data
The rules for the transformation

Manage workspaces

Workspace details and tools

Viewing your list of workspaces

Workspaces view lists the workspaces that you have access to. To display Workspaces view, in the Tonic Structural heading, click Workspaces.

How the workspace list is displayed

The workspace list contains:

Workspaces that you own
Workspaces that you are granted access to

If you have the global permission Copy any workspace or Manage user access to Tonic and to any workspace, then list includes all of the workspaces.

The Permissions column lists the workspace permission sets that you are granted in each workspace. The permission sets include both permission sets that were granted to you directly as a user, and permission sets that were granted to an SSO group that you are a member of.

always display under their parent workspace. The list only includes child workspaces that you have access to. If you have access to a child workspace, but not to its parent workspace, then the parent workspace is grayed out. You cannot select it.

Filtering the workspace list

You can filter the workspaces based on the following information:

Name - In the filter field, begin to type text that is in the name of the workspaces to display in the list.
Owner - From the Filter by Owner dropdown list, select the owner of the workspaces to display in the list.
Database type - From the Filter by Database Type dropdown list, select the type of database for the workspaces to display in the list.
Generation status - In the Generation Status column heading, click the filter icon. Check the checkbox next to the generation status values for the workspaces to display in the list.
Tags - In the Tags column heading, click the filter icon. By default, the workspaces are not filtered by tag, and all of the checkboxes are unchecked. To only include workspaces that have specific tags, check the checkbox next to each tag to include. To uncheck all of the selected tags, click Reset Tags. When you filter by tag, Structural checks whether each workspace contains any of the selected tags.
Permissions - In the Permissions column heading, click the filter icon. You can check and uncheck checkboxes to include or exclude specific permission sets. For example, you can filter the list to only display workspaces for which the Editor permission set is granted either to you or to an SSO group that you belong to. For users that have the global permission Copy any workspace, the Permissions filter panel also contains an Any permissions checkbox. By default, Any permissions is unchecked, and the list includes workspaces for which you are not assigned any workspace permission sets. To display all of the workspaces for which you have any assigned workspace permission sets, check Any permissions. If you filter the list based on a specific permission set, to clear the filter and show all workspaces for which you have any permission set, check Any permissions. To display all workspaces, including workspaces that you do not have any permissions for, uncheck Any permissions.

You can combine different filters. For example, you can filter the list to only include workspaces that use PostgreSQL and for which the generation status is Canceled or Failed.

Child workspaces always display under their parent workspace, even if the parent workspace does not match the filter.

Sorting the workspace list

You can sort the workspace list by name, status, or owner.

By default, the list is sorted alphabetically by name.

To sort by a column, click the column heading. To reverse the order of the sort, click the column heading again.

Child workspaces always display under their parent workspace. The child workspaces are sorted within the parent.

Workspace details on Workspaces view

Workspaces view provides the following information about each workspace:

Name - Contains the name and database type for the workspace. To view the workspace description, hover over the name.
Generation status - The status for the most recent generation job. To display the job details for the job, click the job status. To display more details about the date, time, and duration for the job, hover over the generation timestamp. If a job failed recently, you are given additional information about how long this job has been failing (the date of the first failure occurrence among a continuous series of failures).
Schema changes - Indicates whether Structural detected changes to the source database schema. If there are changes, the column shows the number of changes. Hover over the column value to display additional details, and to navigate to the Schema Changes view. Go to .
Tags - The tags that are assigned to the workspace.
Permissions - The permission sets that are assigned to you for the workspace.
Owner - The name and email address of the workspace owner.

Getting access to workspace tools and actions

Displaying the workspace management view

On Workspaces view, when you click the workspace name, the for the workspace is displayed. The Privacy Hub tab is selected.

The Name column also provides access to a menu of workspace configuration options. When you select an option, the is displayed, open to the view for the selected option.

Options column

The last column in the workspaces list provides additional workspace options:

Subsetting icon - Displays the subsetting configuration for the workspace. Go to .
Post-job actions icon - Displays the post-job actions for the workspace. For more information, go to and .
Actions menu - Provides access to additional options.

The Actions menu at the top left of the workspaces list allows you to to perform bulk actions on multiple workspaces. It is enabled when you check one or more of the checkboxes in the first column of each row. The Actions menu provides options for the selected workspaces.

Creating, editing, or deleting a workspace

Creating a workspace

When you create a new workspace, you can either:

Create a completely new workspace.
Create a copy of an existing workspace. The copy initially uses the configuration from the original workspace. After the copy is created, it is completely independent from the original workspace.
Create a child of an existing workspace. Child workspaces inherit configuration from the parent workspace. They continue to be updated automatically when the parent workspace is updated. For more information, go to About workspace inheritance.

You can also view this video overview of how to create a workspace.

Creating a completely new workspace

Required global permission: Create workspaces

To create a completely new workspace, on Workspaces view, click Create Workspace > New Workspace.

Creating a copy of a workspace

Required workspace permission: Copy workspace (in the workspace to copy)

Required global permission: Copy any workspace

To create a workspace based on an existing workspace, either:

On the workspace management view of the workspace to copy, from the workspace actions menu, select Duplicate Workspace.

On Workspaces view, click the actions menu for the workspace, then select Duplicate Workspace.

When you create a copy of a workspace, the copy initially inherits the following workspace configuration:

Source and destination database connections
Sensitivity designations, including manual designations that override the sensitivity scan results
Table mode assignments
Generator configuration
Subsetting configuration
Post-job scripts

Creating a child workspace

Required license: Enterprise

Required workspace permission: Create child workspaces (in the parent workspace)

You can create a workspace that is a child of an existing workspace. You cannot create a child workspace of another child workspace.

The parent workspace must have a source database configured. You cannot create a child workspace from a workspace that uses the Databricks, Spark (Amazon EMR or self-managed Spark cluster), or MongoDB data connector.

To create a child workspace, either:

On Workspaces view:
- Click Create Workspace > Child Workspace.
- Click the actions menu for the parent workspace, then select Create Child Workspace.
On the workspace management view, from the workspace actions menu, select Create Child Workspace.

On the New Workspace view, under Child Workspace, Parent Workspace identifies the parent workspace.

If you used the Create Workspace > Child Workspace option to create the child workspace, then Parent Workspace is not populated. From the Parent Workspace dropdown list, select the parent workspace for the new child workspace.

If you selected the child workspace option for a specific workspace, then Parent Workspace is set to that workspace.

If you originally chose to create a completely new workspace, then on the New Workspace view:

To change to a child workspace, select Create Child Workspace from the Create a child workspace panel at the right. Structural adds the Child Workspace panel to the New Workspace view.
From the Parent Workspace dropdown list, select the parent workspace for the new child workspace.

Editing a workspace

Required workspace permission: Configure workspace settings

To edit the configuration for an existing workspace, either:

On the workspace management view:
- On the workspace navigation bar, click Workspace Settings.
- From the workspace actions menu, select Workspace Settings.
On Workspaces view, click the actions menu for the workspace, then select Workspace Settings.

Deleting a workspace

Required workspace permission: Delete workspace

You can delete workspaces that you no longer need.

You cannot delete a parent workspace. You must first delete all of its child workspaces.

To delete a workspace:

On the workspace management view, from the workspace actions menu, select Delete Workspace.
On the Workspaces view, click the actions menu for the workspace, then select Delete.

Workspace configuration settings

The workspace settings for a new workspace (New Workspace view) or edited workspace (Workspace Settings tab) provide information about the workspace and its data.

Workspace identification and connection type

Every workspace includes the following settings to identify the workspace and to select the type of data connector.

Fields to identify the workspace

All workspaces have the following fields that identify the workspace:

In the Workspace name field, enter the name of the workspace.
In the Workspace description field, provide a brief description of the workspace. The description can contain up to 200 characters.
In the Tags field, provide a comma-separated list of tags to assign to the workspace. For more information on managing tags, go to Assigning tags to a workspace.

Connection type

Under Connection Type, select the type of data connector to use for the workspace data. You cannot change the connection type on a child workspace.

The Basic and Professional licenses limit the number and type of data connectors you can use.

A Basic instance can only use one data connector type, which can be either PostgreSQL or MySQL. After you create your first workspace, any subsequent workspaces must use the same data connector type.
A Professional instance can use up two different data connector types, which can be any type other than Oracle or Db2 for LUW. After you create workspaces that use two different data connector types, any subsequent workspaces must use one of those data connector types.

If the database that you want to connect to isn't in the list, or you want to have different database types for your source and destination database, contact [email protected].

When you select a connector type, Structural updates the view to display the connection fields used for that connector type. The specific fields vary based on the connector type.

Data connection settings

After you select the connector type, you configure:

Where to find the source data
Where to write the data generation output

Source database connection

For data connectors that connect to a database, the Source Settings section provides connection information for the source database.

You cannot change the source data configuration for a .

For information about the source connection fields for a specific data connector, go to the workspace configuration topic for that .

Upsert configuration

For data connectors that support upsert, the workspace configuration includes an Upsert section to allow you to enable and configure upsert. Upsert adds and updates rows in the destination database, but keeps all other existing rows intact.

If you enable upsert, then you cannot write output to an Ephemeral database or to a container repository. You must write the output to a destination database.

For more information, go to .

Destination data location

For data connectors that connect to a database, the Destination Settings section provides information about where and how Structural writes the output data from data generation.

Depending on the data connector type, you might be able to write to either:

Destination database - Writes the output data to a destination database on a database server.
Ephemeral snapshot - Writes the output data to a Tonic Ephemeral user snapshot.
Container repository - Writes the output data to a data volume in a container repository.

Destination database

When you write the output to a destination database, the destination database must be of the same type as the source database.

Structural does not create the destination database. It must exist before you generate data.

In Destination Settings, you provide the connection information for the destination database. For information about the destination database connection fields for a specific data connector, go to the workspace configuration topic for that .

If available, the Copy Settings from Source allows you to copy the source connection details to the destination database, if both databases are in the same location. Structural does not copy the connection password.

Tonic Ephemeral snapshot

Tonic Ephemeral is a separate Tonic.ai product that allows you to create temporary databases to use for testing and demos. For more information about Ephemeral, go to the .

If Ephemeral supports your workspace database type, then you can write the destination data to a snapshot in Ephemeral. For data larger than 10 GB, this option is recommended instead of writing to a container repository.

From Ephemeral, you can use the snapshot to start new Ephemeral databases.

For more information, go to .

Container repository

Some data connectors allow you to write the transformed data to a data volume in a container repository instead of to a database server.

You can use the resulting data volume to create a database in Tonic Ephemeral. If you do plan to use the data to start an Ephemeral database, and the size of the data is larger than 10 GB, then the recommendation is to write the data to an Ephemeral user snapshot instead.

For more information, go to .

Testing database connections

When you provide connection details for a database server, Structural provides a Test Connection button to test the connection, and verify that Structural can use the connection details to connect to the database. Structural uses the connection details to try to reach the database, and indicates whether it succeeded or failed. We strongly recommend that you test the connections.

The TONIC_TEST_CONNECTION_TIMEOUT_IN_SECONDS determines the number of seconds before a connection test times out. You can configure this setting from the Environment Settings tab on Structural Settings. By default, the connection test times out after 15 seconds.

File connector source and destination data

A workspace uses files as its source data and produces transformed versions of those files as its output.

For file connector workspaces, the File Location section indicates where the source files are obtained from - either a local file system or a cloud storage solution (Amazon S3 or Google Cloud Storage).

When the files come from cloud storage, the Output Location section indicates where to write the transformed files. You must also provide the cloud storage connection credentials.

For more information, go to .

Configuring secrets managers for database connections

Required license: Enterprise

Required global permission: Manage secrets managers

Your organization might use a secrets manager to secure credentials, including database connection credentials.

For data connector credentials, you can configure a set of available secrets managers. In the workspace configuration, users can then select a secret name from a secrets manager.

Supported secrets manager tools and formats

Structural currently supports AWS Secrets Manager.

Structural only supports secrets that store passwords. For AWS Secrets Manager, the passwords must be in one of the following formats:

String
JSON

The JSON must contain a map of key-value pairs. It can either:

Contain a single key for which the value is the password in plaintext.
Contain a key that is labeled either password or pw, for which the value is the password in plaintext.

Viewing the secrets manager list

To display the list of secrets managers, on Structural Settings view, click Secrets Manager.

Working with secrets managers

Creating a secrets manager

To create a secrets manager:

On the Secrets Manager tab, click Add Secrets Manager.
On the Create Secrets Manager panel, in the Name field, provide a name to use to identify the secrets manager. Secrets manager names must be unique. The name is used in the secrets manager dropdown list on the workspace settings view.
From the Type dropdown list, select the secrets manager product. Structural currently supports AWS Secrets Manager.
Configure the credentials to use to connect to the secrets manager.
Click Save.

Editing an existing secrets manager

For an existing secrets manager, you can change the name and the credentials configuration.

You cannot change the type.

To edit an existing secrets manager:

In the secrets manager list, click the edit icon for the secrets manager.
On the Edit Secrets Manager panel, update the configuration.

Click Save.

Deleting a secrets manager

When you delete a secrets manager, it is removed from the workspace database connections that use it. Structural is no longer able to connect to those databases.

To delete a secrets manager:

In the secrets manager list, click the delete icon for the secrets manager.
On the confirmation panel, click Delete.

Providing credentials for AWS Secrets Manager

Required AWS Secrets Manager permissions

The AWS Secrets Manager credentials that you provide must have the following permissions:

secretsmanager:ListSecrets
On each secret to use, secretsmanager:GetSecretValue
On the encryption key for secrets that are encrypted with a customer managed key (CMK), kms:Decrypt

Here is an example policy that grants the required Secrets Manager permissions:

Selecting the source of the credentials

For AWS Secrets Manager, under Authentication, select the source of the credentials:

Environment - Only available on self-hosted instances. Indicates to use either:
- The credentials for the AWS Identity and Access Management (IAM) role on the host machine.
- The credentials set in the following :
  - TONIC_AWS_ACCESS_KEY_ID - An AWS access key that is associated with an IAM user or role
  - TONIC_AWS_SECRET_ACCESS_KEY - The secret key that is associated with the access key
  - TONIC_AWS_REGION - The AWS Region to send the authentication request to
Assumed role - Indicates to use the specified assumed role.
User credentials - Indicates to use the provided user credentials.

Providing an assumed role

To provide an assumed role, click Assume Role, then:

In the Role ARN field, provide the Amazon Resource Name (ARN) for the role.
In the Session Name field, provide the role session name. If you do not provide a session name, then Structural automatically generates a default unique value. The generated value begins with TonicStructural.
In the Duration (in seconds) field, provide the maximum length in seconds of the session. The default is 3600, indicating that the session can be active for up to 1 hour. The provided value must be less than the maximum session duration that is allowed for the role.
From the AWS Region dropdown list, select the AWS Region to send the authentication request to.

Structural generates the external ID that is used in the assume role request. Your role’s trust policy must be configured to condition on your unique external ID.

Here is an example trust policy:

Providing AWS user credentials

To provide the credentials, click User Credentials, then:

In the AWS Access Key field, enter the AWS access key that is associated with an IAM user or role.
In the AWS Secret Key field, enter the secret key that is associated with the access key.
Optional. In the AWS Session Token field, provide the session token to use.
From the AWS Region dropdown list, select the AWS Region to send the authentication request to.

Schema management settings

Responding to schema changes

Schema changes include:

Sensitive schema changes, which if not addressed can result in data leakage. These changes include new tables and columns, and changes to data types.
Notifications, which Structural can handle automatically during each data generation. These include removed tables and columns.

Under Block Data Generation on Schema Changes, select how Structural responds when there are unaddressed changes to the database schema.

The options are:

Do Not Block - With this option, schema changes never block data generation. Structural ignores sensitive schema changes, and automatically handles notifications during data generation.
Block On Sensitive Changes - Indicates to only block data generation if there are sensitive schema changes. Structural automatically handles notifications during data generation.
Block On All Changes - For this option, if there are any unaddressed schema changes at all, either sensitive changes or notifications, data generation fails.

For more information, go to Viewing and resolving schema changes.

Writing output to Tonic Ephemeral

Only available for PostgreSQL, MySQL, SQL Server, and Oracle.

Not compatible with upsert.

Not compatible with Preserve Destination or Incremental table modes.

Tonic Ephemeral is a separate Tonic.ai product that allows you to create temporary databases to use for testing and demos. For more information about Ephemeral, go to the .

If Ephemeral supports your workspace database type, then you can write the destination data to a snapshot in Ephemeral. You can then use the snapshot to start Ephemeral databases.

To write the transformed data to Ephemeral, under Destination Settings, click Ephemeral Database.

Selecting the Ephemeral instance type

Structural can write the data snapshot to either Ephemeral Cloud or to a self-hosted instance of Ephemeral. By default, Structural writes the data snapshot to Ephemeral Cloud.

All workspaces on the same self-hosted Structural instance or in the same Structural Cloud organization must write to the same instance of Ephemeral. When you change the Ephemeral output configuration in one workspace, it is automatically changed in other workspaces that write to Ephemeral.

Writing output to Ephemeral Cloud

Structural writes the snapshot to the Ephemeral Cloud account for the user who runs the data generation job.

If that user has an Ephemeral account on Ephemeral Cloud, then Structural uses that account.
If the user does not have an account, then Structural creates an account for them.

On Structural Cloud, when you save the workspace, if you do not have an Ephemeral Cloud account, then an Ephemeral Cloud account is created for you.

When Structural creates an Ephemeral account, if the user belongs to an existing Ephemeral Cloud organization, then the account is added to the organization. Otherwise, the account is a two-week free trial account.

For a self-hosted Structural workspace, you must provide an API key from an existing Ephemeral Cloud account.

To write a snapshot to Ephemeral Cloud:

Click Tonic Ephemeral cloud.
If you are on a self-hosted instance of Structural:
1. In the API Key field, provide an Ephemeral API key from your Ephemeral account.
2. To test the connection, click Test Connection.

Writing output to self-hosted Ephemeral

When you write to a self-hosted instance of Ephemeral, then you must always provide an Ephemeral API key.

To write the snapshot to a self-hosted instance of Ephemeral:

Click Tonic Ephemeral self-hosted.
In the API Key field, provide an Ephemeral API key from your Ephemeral account. Structural writes the snapshot to the Ephemeral account that is associated with the API key.
In the Tonic Ephemeral URL field, provide the URL to your self-hosted Ephemeral instance.
To test the connection, click Test Connection.

Selecting the image for Oracle

For Oracle, you select the base image to use to create the data snapshot.

If you write to Ephemeral Cloud, then you must use the Oracle 23c base image that comes with Ephemeral. This image has the following limitations:

A maximum of 12GB of user data
A maximum of 2CPU cores and 2GB of RAM

If you write to a self-hosted instance of Ephemeral, then you can also select a custom image that you created in Ephemeral.

For information about how to create and manage custom images for Oracle, go to .

Configuring advanced settings for the snapshot

If you do not configure any advanced settings, then:

The snapshot uses the same name as the workspace, and has no description.
The snapshot size allocation is determined by the source data size.
Structural discards the temporary Ephemeral database that is created during the data generation.

To change any of these settings, click Advanced settings.

Providing a snapshot name and description

By default, the snapshot name uses the workspace name.

When you run data generation, if a snapshot with the same name already exists in Ephemeral, then Structural overwrites that snapshot with the new snapshot.

Under Advanced settings:

In the Snapshot name field, provide the name of the snapshot. The snapshot name can use the following placeholder values to help identify the snapshot:
- {workspaceName} - Inserts the name of the workspace.
- {workspaceId} - Inserts the identifier of the workspace.
- {jobId} - Inserts the identifier of the data generation job that created the snapshot.
- {timestamp} - Inserts the timestamp when the snapshot was created.
Including the job ID or timestamp ensures that a data generation job does not overwrite a previous snapshot.
Optionally, in the Snapshot description field, provide a longer description of the snapshot.

Setting the pod resources for the snapshot

By default, the resources used for the snapshot are based on the size of the source data.

For source data that is 25 GB or less, Nano is used.
For source data larger than 25 GB, Micro is used.

To select a specific option:

Toggle Custom pod resources to the on position.
From the dropdown list, select the option to use for the combination of vCPUs and memory:
- Nano - 0.125 vCPU with 0.5 GB RAM
- Micro - 0.5 vCPU with 2 GB RAM
- Small - 1 vCPU with 4 GB RAM
- Medium - 2 vCPU with 8 GB RAM
- Large - 4 vCPU with 16 GB RAM

Setting the size allocation for the snapshot

By default, the Ephemeral size allocation for the snapshot is based on the size of the source data.

To instead provide a custom data size allocation, under Advanced settings:

Toggle Custom data size allocation to the on position.
In the field, enter the size allocation in gigabytes.

Indicating whether to keep the temporary Ephemeral database

When Structural creates the Ephemeral snapshot, it creates a temporary Ephemeral database.

By default, Structural deletes that database when the data generation is complete.

To instead keep the database, under Advanced settings, toggle Keep database active in Tonic Ephemeral after data generation to the on position.

In Ephemeral Cloud, by default, databases are publicly accessible. To limit database access, you can configure Ephemeral Cloud with an IP allowlist for your organization. For more information, go to in the Ephemeral documentation.

Providing a customization file for MySQL or PostgreSQL

For a MySQL or PostgreSQL workspace, you can provide a customization file that helps to ensure that the temporary Ephemeral database is configured correctly.

To provide the customization details:

Toggle Use custom configuration to the on position.
In the text area, paste the contents of the customization file.

Assigning tags to a workspace

Required workspace permission: Configure workspace settings

You can associate custom tags with each workspace. Tags can help to organize and provide a quick glance into the workspace configuration.

Tags are accessible to every user that has access to the workspace.

Tags are stored in the workspace JSON, and are included in the workspace export. You can also use the API to get access to tags.

Managing tags from workspace settings

You can add and edit tags in the Tags field on the New Workspace and Workspace Settings views.

To add tags, enter a comma-separated list of the tags to add.
To remove a tag, click its delete icon.

Managing tags from Workspaces view

You can also manage tags directly from Workspaces view.

Assigning tags

To add tags to a workspace that does not currently have tags:

Hover over the Tags column for the workspace.
Click Add Tags.
In the tag input field, type a comma-separated list of tags to apply.
Press Enter.

Editing the assigned tags

To edit the assigned tags:

Click the Tags column for the workspace.
In the tag input field, to remove tag, click its delete icon.
To add tags, type a comma-separated list of the tags to add.
To save the tag changes, press Enter.

Managing access to workspaces

When you create a workspace, you become the owner of the workspace, and by default are assigned the built-in Manager workspace permission set for the workspace. The Manager permission set provides full access to the workspace configuration, data, and results.

With a Professional or Enterprise license, you can also assign workspace permission sets to other users and to SSO groups. You can also transfer a workspace to a different owner.

If you are granted access to any workspace permission set for a workspace, then you have access to all of the workspace management views for that workspace. However, you can only perform tasks that you have permission for in that workspace.

Workspace access is managed from the Workspaces view. You cannot assign workspace permission sets from Structural Settings view.

You can also view an .

Transferring ownership of a workspace

Required permission

Global permission: View organization users. This permission is only required for the Tonic Structural application. It is not needed when you use the Structural API.
Either:
- Workspace permission: Transfer workspace ownership
- Global permission: Manage access to Tonic Structural and to any workspace

To grant yourself access after the transfer:

Workspace permission: Share workspace access

Every workspace has an owner. The owner is always a user.

The user who creates the workspace is automatically the owner of the workspace.

By default, the workspace owner is assigned the built-in Manager workspace permission set. On Enterprise instances, you can choose a different workspace permission set to assign to all workspace owners.

You cannot remove that permission set from the workspace owner.

You can transfer a workspace to a different owner. The new owner is assigned the owner permission set. If the previous owner does not otherwise have access to the owner permission set, then that permission set is removed.

To transfer workspace ownership:

To transfer ownership of a single workspace, from the workspace actions menu, select Transfer Ownership.
To transfer ownership of multiple workspaces:
1. Check the checkbox for each workspace to grant access to.
2. From the Actions menu, select Transfer Ownership.
On the transfer ownership panel, from the User dropdown list, select the new owner.
If you are the current owner of the workspace, then to grant yourself non-owner access after you transfer the ownership:
1. Toggle Receive access to workspace to the on position.
2. Select the workspace permission set to assign to yourself.
Click Transfer Ownership.

Configuring data generation

Database View

Database View provides a complete view of your source database structure and configuration.

To display Database View, either:

On the workspace management view, in the workspace navigation bar, click Database View.
On Workspaces view, from the dropdown menu in the Name column, select Database View.

Database View consists of:

On the left, the list of tables in the source database.
On the right, the list of columns in those tables.

View table and column information

Configure and comment on columns

Displaying sample data for a column

Required workspace permission:

Source data: Preview source data
Destination data: Preview destination data

For each column on Database View, you can display a sample list of the column values.

For columns that have an assigned generator, the sample shows both the current values and the possible values after the generator is applied.

To display the sample values, in the Column column, click the magnifying glass icon.

If the generator is Passthrough, then the sample data panel contains only Original Data.

If a different generator is assigned, then the sample data panel contains both Original Data and Protected Output.

Identifying similar columns

During sensitivity scans and schema change scans, Tonic Structural identifies groups of similar columns.

To identify similar columns, Structural uses a text embedding model to calculate the semantic similarity between any two column names in the database. When a column name's semantic similarity to the name of a given column is above a specified threshold, then the column is similar to the given column.

If a column has similar columns, then the Applied Generator column contains an icon that includes the count of similar columns.

By default, the similar columns icon is hidden. To display the similar columns icon, hover over the column row.

When you assign a generator to a column, the similar columns icon for that column remains visible during your current session.

When you click the similar columns icon, Structural displays a panel with an option to filter the list to display the current column and its similar columns. To apply the filter, click Filter.

The similar columns filter is applied, and other column filters are removed. Table filters remain in place.

Commenting on columns

Required license: Professional or Enterprise

From Database View, you can add comments to columns. For example, you might use a comment to explain why you selected a particular generator or marked a column as sensitive or not sensitive.

Creating a new comment

If a column does not have any comments, then to add a comment:

In the Applied Generator column, click the comment icon.
In the comment field, type the comment text.
Click Comment.

Responding to existing comments

When a column has existing comments, the comment icon is green. To add comments:

Click the comment icon. The comments panel shows the previous comments. Each comment includes the comment user.
In the comment field, type the comment text.
Click Reply.

Working with document-based data

For document-based data connectors - currently and - Database View and Table View are replaced by Collection View.

"Collection" is the term that Structural uses to refer to MongoDB collections and DynamoDB tables.

Structural also allows you to run collection scans to identify the data structure.

Identifying sensitive data

Tonic Structural uses its sensitivity scan to identify source data columns that contain sensitive information. The scan ignores truncated tables.

The sensitivity scan identifies Structural's built-in sensitivity types. It also looks for custom types that you define.

You can also manually mark a column as sensitive or not sensitive.

Manually indicating whether a column is sensitive

You can also manually indicate that a column is sensitive or not sensitive.

For example, the sensitivity scan might incorrectly identify a column as sensitive. Or a column might contain data that you consider sensitive but that does not match a detected sensitivity type.

When you manually change a column from not sensitive to sensitive, Structural marks the sensitivity detection as full confidence.

For information on how to change whether a column is sensitive:

For Privacy Hub, go to .
For Database View, go to:
- For a single column,
- For multiple selected columns,
For Table View, go to .

The Structural API also provides .

Algebraic

The algebraic generator identifies the algebraic relationship between three or more numeric values and generates new values to match. At least one of the values must be a non-integer.

If a relationship cannot be found, then the generator defaults to the Categorical generator.

This generator can be linked with other Algebraic generators.

Characteristics

Consistency

No, cannot be made consistent.

Linking

Yes, can be linked.

Differential privacy

Data-free

Allowed for primary keys

Allowed for unique columns

Uses format-preserving encryption (FPE)

Privacy ranking

Generator ID (for the API)

How to configure

To configure the generator, from the Link To dropdown list, select the columns to link this column to. You can select other columns that are assigned the Algebraic generator.

You must select at least three columns.

The column values must be numeric. At least one of the columns must contain a value other than an integer.

If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Alphanumeric String Key

Generates unique alphanumeric strings of the same length as the input.

For example, for the origin value ABC123, the output value is a six-character alphanumeric string such as D24N05.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Array Character Scramble

A version of the generator that can be used for array values.

This generator replaces letters with random other letters, and numbers with random other numbers. Punctuation and whitespace are preserved.

For example, for the following array value:

["ABC.123", 3, "last week"]

The output might be something like:

["KFR.860", 7, "sdrw mwoc"]

This generator securely masks letters and numbers. There is no way to recover the original data.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

ASCII Key

Generates unique alphanumeric strings based on any printable ASCII characters. The length of the source string is not preserved. You can choose to exclude lowercase letters from the generated values.

Characteristics

How to configure

To configure the generator:

To exclude lowercase letters from the generated values, toggle Exclude Lowercase Alphabet to the on position.
Toggle the Consistency setting to indicate whether to make the generator consistent. By default, the generator is not consistent.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Business Name

Generates a random company name-like string.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator consistent.

By default, the generator is not consistent.

If consistency is enabled, then by default it is self-consistent. To make the generator consistent with another column, from the Consistent to dropdown list, select the column.

When the generator is consistent with itself, then a given source value is always mapped to the same destination value. For example, My Business is always mapped to New Business.

When the generator is consistent with another column, then a given source value in that other column always results in the same destination value for the company name column. For example, if the company name column is consistent with a name column, then every instance of John Smith in the name column in the source database has the same company name in the destination database.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Character Substitution

Performs a random character replacement that preserves formatting (spaces, capitalization, and punctuation).

Characters are replaced with other characters from within the same Unicode Block. A given source character is always mapped to the same destination character. For example, M might always map to V.

For example, for the following input string:

Miami Store #162

The output would be something like:

Vgkjg Gmlvf #681

Note that for a numeric column, when a generated number starts with a 0, the starting 0 is removed. This could result in matching output values in different columns. For example, one column is changed to 113 and the other to 0113, which also becomes 113.

Character Substitution is similar to , with a couple of key differences. Because Character Substitution always maps the same source character to the same destination character, it is always consistent. It also can be used for unique columns.

In Character Scramble, the character mapping is random, which makes Character Scramble slightly more secure. However, Character Scramble cannot be used for unique columns.

Characteristics

How to configure

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Constant

Uses a single value to mask all of the values in the column.

For example, you can replace every value in a string column with the value String1. Or you can replace every value in a numeric column with the value 12345.

Characteristics

How to configure

To configure the generator, in the Constant Value field, provide the value to use.

The value must be compatible with the field type. For example, you cannot provide a string value for an integer column.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Finnish Personal Identity Code

Generates a valid Finnish Personal Identity Code (PIC) that would have been issued during a specific date range.

Characteristics

How to configure

To configure the generator:

Under Date Range, set the start and date for the date range to generate the PICs for.
Toggle the Consistency setting to indicate whether to make the generator self-consistent. By default, the generator is not consistent.
If Structural data encryption is enabled, then to use it for this column, toggle Use data encryption process to the on position.

Geo

This generator can be used to mask columns of latitude and longitude.

The Geo generator divides the globe into grids that are approximately 4.9 x 4.9 km. It then counts the number of points within each grid.

During data generation, each (latitude, longitude) pair is mapped to its grid.

If the grid contains a sufficient number of points to preserve privacy, then the generator returns a randomly chosen point in that grid.
If the grid does not contain enough points to preserve privacy, then the generator returns a random coordinate from the nearest grid that contains enough points.

Characteristics

How to configure

To configure the generator:

From the Link To dropdown list, select the column to link to this one. You typically assign the Geo generator to both the latitude and longitude column, then link those columns.
From the value type dropdown, select whether this column contains a latitude value or a longitude value.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Null

Generates NULL values to fill the rows of the specified column.

Characteristics

How to configure

The Null generator has no configuration options.

Random Hash

Generates a random hash string.

Characteristics

How to configure

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Writing output to a container repository

Requires Kubernetes.

For self-hosted Docker deployments, you can install and configure a separate Kubernetes cluster to use. For more information, go to Setting up a Kubernetes cluster to use to write output data to a container repository.

For information about required Kubernetes permissions, go to Required access to write destination data to a container repository.

Not compatible with upsert.

Not compatible with Preserve Destination or Incremental table modes.

Only supported for PostgreSQL, MySQL, and SQL Server.

You can configure a workspace to write destination data to a container repository instead of to a database server.

When Structural writes data generation output to a repository, it writes the destination data to a container volume. From the list of container artifacts, you can copy the volume digest, and download a Docker Compose file that provides connection settings for the database on the volume. Structural generates the Compose file when you make the request to download it. For more information about getting access to the container artifacts, go to Viewing and downloading container artifacts.

You can also use the data volume to start a Tonic Ephemeral database. However, if the data is larger than 10 GB, we recommend that you write the data to an Ephemeral user snapshot instead. For information about writing to an Ephemeral snapshot, go to Writing output to Tonic Ephemeral.

For an overview of writing destination data to container artifacts, you can also view the video tutorial.

Indicating to write destination data to container artifacts

Under Destination Settings, to indicate to write the destination data to container artifacts, click Container Repository.

For a Structural instance that is deployed on Docker, unless you set up a separate Kubernetes cluster, the Container Repository option is hidden.

You can switch between writing to a database server and writing to a container repository at any time. Structural preserves the configuration details for both options. When you run data generation, it uses the currently selected option for the workspace.

Identifying the base image to use to create the container artifacts

From the Database Image dropdown list, select the image to use to create the container artifacts.

Select an image version that is compatible with the version of the database that is used in the workspace.

Providing a customization file for MySQL

For a MySQL workspace, you can provide a customization file that helps to ensure that the temporary destination database is configured correctly.

To provide the customization details:

Toggle Use customization to the on position.
In the text area, paste the contents of the customization file.

Setting the location for the container artifacts

To provide the location where Structural publishes the container artifacts:

In the Registry field, type the path to the container registry where Structural publishes the data volume.
Do not include the HTTP protocol, such as http:// or https://.
In the Repository Path field, provide the path within the registry where Structural publishes the data volume.
For a Google Artifact Registry (GAR) repository, the path format is PROJECT-ID/REPOSITORY/IMAGE.
For more information about repository and image names, go to the Google Cloud documentation.

Providing the credentials to write to the registry

You next provide the credentials that Structural uses to read from and write to the registry.

When you provide the registry, Structural detects whether the registry is from Amazon Elastic Container Registry (Amazon ECR), Google Artifact Registry (GAR), or a different container solution.

It displays the appropriate fields based on the registry type.

Fields for registries other than Amazon ECR or GAR

For a registry other than an Amazon ECR or a GAR registry, the credentials can be either a username and access token, or a secret.

The option to use a secret is not available on Structural Cloud.

In general, the credentials must be for a user that has read and write permissions for the registry.

The secret is the name of a Kubernetes secret that lives on the pod that the Structural worker runs on. The secret type must be kubernetes.io/dockerconfigjson. The Kubernetes documentation provides information on how to create a registry credentials secret.

To use a username and access token:

Click Access token.
In the Username field, provide the username.
In the Access Token field, provide the access token.

To use a secret:

Click Secret name.
In the Secret Name field, provide the name of the secret.

Azure Container Registry (ACR) permission requirements

For ACR, the provided credentials must be for a service principal that has sufficient permissions on the registry.

For Structural, the service principal must at least have the permissions that are associated with the AcrPush role.

Providing a service file for GAR

Structural only supports Google Artifact Registry (GAR). It does not support Google Container Registry (GCR).

For a GAR registry, you upload a service account file, which is a JSON file that contains credentials that provide access to Google Cloud Platform (GCP).

The associated service account must have the Artifact Registry Writer role.

For Service Account File, to search for and select the file, click Browse.

Amazon ECR registries

For an Amazon ECR registry, you can either:

Provide the AWS access and secret key that is associated with the IAM user that will connect to the registry
Provide an assumed role
(Self-hosted only) Use the credentials configured in the Structural environment settings TONIC_AWS_ACCESS_KEY_ID and TONIC_AWS_SECRET_ACCESS_KEY.
(Self-hosted only) If Structural is deployed in Amazon Elastic Kubernetes Service (Amazon EKS), then you can use the AWS credentials that live on the EC2 instance.

Using AWS access keys

To provide an AWS access key and secret key:

Click Access Keys.
In the AWS Access Key field, enter an AWS access key that is associated with an IAM user or role.
In the AWS Secret Key field, enter the secret key that is associated with the access key.
Optionally, in the AWS Session Token field, enter the session token to use for the connection.

Using an assumed role

To provide an assumed role:

Click Assume Role.
In the Role ARN field, provide the Amazon Resource Name (ARN) for the role.
In the Session Name field, provide the role session name. If you do not provide a session name, then Structural automatically generates a default unique value. The generated value begins with TonicStructural.
In the Duration (in seconds) field, provide the maximum length in seconds of the session. The default is 3600, indicating that the session can be active for up to 1 hour. The provided value must be less than the maximum session duration that is allowed for the role.

For the assumed role, Structural generates the external ID that is used in the assume role request. Your role’s trust policy must be configured to condition on your unique external ID.

Here is an example trust policy:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": "<originating-account-id>"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "<external-id>"
      }
    }
  }
}

Using the credentials from the environment settings (self-hosted only)

On a self-hosted instance, to use the credentials configured in the environment settings, click Environment Variables.

Using the AWS credentials from the EC2 instance (self-hosted only)

On a self-hosted instance, to use the AWS credentials from the EC2 instance, click Instance Profile.

Required permissions for the IAM user

The IAM user must have permission to list, push, and pull images from the registry. The following example policy includes the required permissions.

{
  {
    "Sid": "ManageTonicRepositoryContents",
    "Effect": "Allow",
    "Action": [
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage"
    ],
    "Resource": [
       "arn:aws:ecr:<region>:<account_id>:repository/<optional name filter>"
    ]
  },
  {
    "Sid": "GetAuthorizationToken",
    "Effect": "Allow",
    "Action": [
      "ecr:GetAuthorizationToken"
    ],
    "Resource": "*"
  }
}

For additional security, a repository name filter allows you to limit access to only the repositories that are used in Structural. You need to make sure that the repositories that you create for Structural match the filter.

For example, you could prefix Structural repository names with tonic-. In the policy, you include a filter based on the tonic- prefix:

"Resource": [
  "arn:aws:ecr:<region>:<account_id>:repository/tonic-*"
]

Providing tags for the container artifacts

In the Tags field, provide the tag values to apply to the container artifacts. You can also change the tag configuration for individual data generation jobs.

Use commas to separate the tags.

A tag cannot contain spaces. Structural provides the following built-in values for you to use in tags:

{workspaceId} - The identifier of the workspace.
{workspaceName} - The name of the workspace.
{timestamp} - The timestamp when the data generation job that created the artifact completed.
{jobId} - The identifier of the data generation job that created the artifact.

For example, the following creates a tag that contains the workspace name, job identifier, and timestamp:

{workspaceName}_{jobId}_{timestamp}

To also tag the artifacts as latest, check the Tag as "latest" in your repository checkbox.

Specifying custom resources for the Kubernetes pods

You can also optionally configure custom resource values for the Kubernetes pods. You can specify the ephemeral storage, memory, and CPU millicores.

To provide custom resources:

Toggle Set custom pod resources to the on position.
Under Storage Size:
1. In the field, provide the number of megabytes or gigabytes of storage.
2. From the dropdown list, select the unit to use.
The storage can be between 32MB and 25GB.
Under Memory Size:
1. In the field, provide the number of megabytes or gigabytes of RAM.
2. From the dropdown list, select the unit to use.
The memory can be between 512MB and 4 GB.
Under Processor Size:
1. In the field, provide the number of millicores.
2. From the dropdown list, select the unit.
The processor size can be between 250m and 1000m.

Setting a custom database name

Only available for PostgreSQL and SQL Server. Not available for MySQL.

In the Custom Database Name field, provide the name to use for the destination database.

If you do not provide a custom database name, then the destination database uses the same name as the source database.

Setting a custom database user password

In the Custom Password field, provide the password for the destination database user.

If you do not provide a password, then Structural generates a password.

The destination database username is always the default user for the database:

For PostgreSQL, postgres
For MySQL, root
For SQL Server, sa

Configuring the required tolerations for datapacker node taints

If your Kubernetes nodes are configured with taints, then on a self-hosted instance, you can configure the tolerations that enable the datapacker pods to be scheduled on the nodes. The datapacker pod hosts the temporary database that Structural uses during the data generation.

For an overview of taints and tolerations, go to the Kubernetes documentation.

To configure the tolerations, you configure the following environment settings. You can add these settings to the Environment Settings list on Structural Settings.

CONTAINERIZATION_POD_NODE_TOLERATION_KEY - The toleration key value to apply to the datapacker pods. This setting is required. If you do not configure this setting, then Structural ignores the other settings.
CONTAINERIZATION_POD_NODE_TOLERATION_VALUES - A comma-separated list of toleration values to apply to the datapacker pods.
CONTAINERIZATION_POD_NODE_TOLERATION_EFFECT - The toleration effect to apply to the datapacker pods.
CONTAINERIZATION_POD_NODE_TOLERATION_OPERATOR - The toleration operator to apply to the datapacker pods.

Getting started with the Structural free trial

If you are a user who wants to set up an account in an existing Tonic Structural Cloud or self-hosted organization, go to .

About the Structural free trial

The Structural 14-day free trial allows you to explore and experiment in Structural Cloud before you decide whether to purchase Structural.

When you sign up for a free trial, Structural automatically creates a sample workspace for you to use. You can also create a workspace that uses your own database or files.

The free trial provides tools to introduce you to Structural and to guide you through configuring and completing a data generation.

Structural tracks and displays the amount of time remaining in your free trial. You can request a demonstration and contact support.

When the free trial period ends, you can continue to use Structural to configure workspaces. You can no longer generate data or train models. Contact Tonic.ai to discuss purchasing a Structural license, or select the option to .

Signing up for the free trial

To start a new free trial of Structural:

Go to .
Click Create Account.

On the Create your account dialog, to create an account, either:

To use a corporate Google email address to create the account, click Create account using Google.
To create a new Structural account:
1. Enter your email address. You cannot use a public email address for a free trial account.
2. Create and confirm a Structural password.
3. Click Create Account.

Structural sends an activation link to your email address.

After you activate your account and log in, Structural next prompts you to select the use case that best matches why you are exploring Structural.

If none of the provided use cases fits, use the Other option to tell us about your use case.

After you select a use case, click Next. The Create Your Workspace panel displays.

Determining whether to use your own data

When you sign up for a free trial, Structural provides access to a sample PostgreSQL workspace that you can use to explore how to configure and run data generation.

You can also choose to create a workspace that uses your own data, either from local files or from a database.

If you do connect to your own data, then you must allowlist the Structural static IP addresses. For more information, go to .

On the Create your workspace panel:

To use the sample workspace, click Use a sample workspace, then click Next. Structural displays , which summarizes the protection status for the source data. It also displays the and the .
To create a workspace that uses local files as the source data, click Upload Files, then click Next. Go to .
To create a new workspace that uses your own data, click Bring your own data, then click Next. Go to .

Uploading files

The Upload files option creates a local files workspace. The source data consists of groups of files selected from a local file system. The files in a file group must have the same type and structure. Each file group becomes a "table" in the source data.

For other workspaces that you create during the free trial, you can also create a file connector workspace that uses files from cloud storage ( Amazon S3 or Google Cloud Storage).

After you select Upload files and click Next, you are prompted to provide a name for the workspace.

In the field provided, enter the name to use for the workspace, then click Next.

Structural displays the File Groups view, where you can .

It also displays the with links to resources to help you get started.

After you create at least one file group, you can start to use the other Structural features and functions.

Connecting to a database

If you connect to your own data, then you must allowlist the Structural static IP addresses. For more information, go to .

Provide a name for your workspace

If you choose to create a workspace with your own data, then the first step is to provide a name for the workspace.

In the field provided, enter the name to use for your first workspace, then click Next.

The Invite others to Tonic panel displays.

Invite other users to Structural and your workspace

Under Invite others to Tonic, you can optionally invite other users with the same corporate email domain to start their own Structural free trial. The users that you invite are able to view and edit your workspace.

For example, you might want to invite other users if you don't have access to the connection information for the source data. You can invite a user who does have access. They can then update the workspace configuration to add the connection details.

To continue without inviting other users, click Skip this step.

To invite users:

For each user to invite, enter the email address, then press Enter. The email addresses must have the same corporate email domain as your email address.
After you create the list of users to invite, click Next.

The Add source data connection view displays.

Supported databases for free trial workspaces

The final step in the workspace creation is to provide the source data to use for your workspace.

Structural provides data connectors that allow you to connect to an existing database. Each data connector allows you to connect to a specific type of database. Structural supports several types of application databases, data warehouses, and Spark data solutions.

For the first workspace that you create using the free trial wizard, you can choose:

For subsequent workspaces that you create from Workspaces view, you can also choose , , and .

Selecting the database type

To connect to an existing database, on the Add source data connection panel, click the data connector to use, then click Add connection details.

The panel also includes a Local files option, which creates a local files file connector workspace, the same as the Upload files option.

Use the connection details fields to provide the connection information for your source data. The specific fields depend on the type of data connector that you select.

After you provide the connection details, to test the connection, click Test Connection.

To save your workspace, click Save.

Structural displays , which summarizes the protection status for the source data.

It also displays the with links to resources to help you get started.

Free trial resources

The Structural free trial includes a couple of resources to introduce you to Structural and to guide you through the tasks for your first data generation.

Getting Started Guide panel

The Getting Started Guide panel provides access to Structural information and support resources.

The Getting Started Guide panel displays automatically when you first start the free trial. To display the Getting Started Guide panel manually, in the Structural heading, click Getting Started.

The Getting Started Guide panel provides links to Structural instructional videos and this Structural documentation. It also contains links to request a Structural demo, contact Tonic.ai support, and purchase a Structural Cloud pay-as-you-go subscription.

Quick start checklist

For each free trial workspace, Structural provides access to a workspace checklist.

The checklist displays at the bottom left of the workspace management view. It displays automatically when you display the workspace management view. To hide the checklist, click the minimize icon. To display the checklist again, click the checklist icon.

The checklist provides a basic list of tasks to perform in order to complete a Structural data generation.

Each checklist task is linked to the Structural location where you can complete that task. Structural automatically detects and marks when a task is completed.

The checklist tasks are slightly different based on the type of workspace.

Checklist for database-based workspaces

For workspaces that are connected to a database, including the sample PostgreSQL workspace and workspaces that you connect to your own data, the checklist contains:

Connect a source database - Set the connection to the source database. In most cases, you set the source connection when you create the workspace. When you click this step, Structural navigates to the Source Settings section of the workspace details view.
Connect to destination database - Set the location where Structural writes the transformed data. When you click this step, Structural navigates to the Destination Settings section of the workspace details view.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source data. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce the destination data. When you click this item, Structural navigates to the Confirm Generation panel.

Checklist for local file workspaces

For workspaces that use data from local files, the checklist contains:

Create a file group - Create a file group with files that you upload from a local file system. Each file group becomes a table in the workspace. When you click this step, Structural navigates to the File Groups view for the workspace.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source files. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce transformed versions of the source files. When you click this step, Structural navigates to the Confirm Generation panel.
Download your dataset - Download the transformed files from the Structural application database.

Checklist for cloud storage file workspaces

For workspaces that use data from files in cloud storage (Amazon S3 or Google Cloud Storage), the checklist contains:

Configure output location - Configure the cloud storage location where Structural writes the transformed files. When you click this step, Structural navigates to the Output location section of the workspace details view.
Create a file group - Create a file group that contains files selected from cloud storage. When you click this step, Structural navigates to the File Groups view for the workspace.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source data. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce transformed versions of the source files. When you click this step, Structural navigates to the Confirm Generation panel.

Next step hints

In addition to the workspace checklists, Structural uses next step hints to help guide you through the workspace configuration and data generation.

When a next step hint is available, it displays as an animated marker next to the suggested next action.

When you hover over the highlighted action, Structural displays a help text popup that explains the recommended action.

When you click the highlighted action, the hint is removed, and the next hint is displayed.

Creating a file group

For a file connector workspace, to identify the source data, you create file groups. A file group is a set of files of the same type and with the same structure. Each file group becomes a table in the workspace. For CSV files, each column becomes a table column. For XML and JSON file groups, the table contains a single XML or JSON column.

On the File Groups view, click Create File Group.

Uploading local files

For a file connector workspace that uses local files, you can either drag and drop files from your local file system to the file group, or you can search for and select files to add. For more information, go to .

Selecting files from cloud storage

For a file connector workspace that uses cloud storage, you select the files to include in the file group. For more information, go to .

Configuring file delimiters and settings

For files that contain CSV content, you configure the delimiters and other file settings. For more information, go to .

Assigning a generator

To get value out of the data generation process, you assign generators to the data columns.

A generator indicates how to transform the data in a column. For example, for a column that contains a name value, you might assign the Name generator, which indicates how to generate a replacement name in the generation output.

Applying all recommendations

For sensitive columns that Structural detects, Structural can also provide a recommended generator configuration.

When there are recommendations available, Privacy Hub displays a link to review all of the recommendations.

The Recommended Generators by Sensitivity Type panel displays a list of sensitive columns that Structural detected, along with the suggested generators to apply.

After reviewing, to apply all of the suggested generators, click Apply All. For more information about using this panel, go to .

Selecting a generator

You can also choose to apply an individual generator manually. You can do this from , , or .

To display Database View, on the workspace management view, click Database View.

On Database View, in the column list, the Applied Generator column lists the currently assigned generator for each column. For a new workspace, the columns are all assigned the Passthrough generator. The Passthrough generator simply passes the source value through to the destination data without masking it.

Click a column that is marked as Passthrough, and that is not marked as sensitive. For example, in the sample workspace, the customers.Last_Transaction column. The column configuration panel displays. To select a generator, click the generator dropdown. The list contains generators that can be assigned to the column based on the column data type. For customers.Last_Transaction, the Timestamp Shift generator is a good option.

Assigning a recommended generator

For Passthrough columns that Structural identified as containing sensitive data, the Applied Generator column displays an icon to indicate that there is a recommended generator.

In Database View, click one of those columns. For example, in the sample workspace, the customers.email column is marked as containing an email address.

For customers.Email, click the generator dropdown. Instead of the column configuration panel, there is a panel that indicates the recommended generator. For customers.Email, the recommended generator is Email. To assign the Email generator, click Apply. The column configuration panel displays with the generator assigned.

Configuring the destination location

To run a data generation, Structural must have a destination for the transformed data.

For a local files workspace, Structural saves the transformed files to the application database.

For workspaces that use data from a database, and for workspaces that use cloud storage files, you configure where Structural writes the output data.

Available output options

The destination location for data generation output can be one of the following:

If the data connector supports Tonic Ephemeral, then the default option is to .
For database-based data connectors, you can write the transformed data to a destination database.
For some Structural data connectors, Structural can .
For file connector workspaces that transform files from cloud storage (Amazon S3 or Google Cloud Storage), you .

Displaying the current destination configuration

To display the destination configuration for the workspace:

Click the Workspace Settings tab.
Scroll to the Destination Settings section or, for a file connector workspace that uses cloud storage files, scroll to the Output location section.

Confirming or changing the destination configuration

Ephemeral snapshot

For data connectors that Ephemeral supports, the default option is to write the output to Ephemeral.

For the Ephemeral option, the default configuration is:

Structural writes the output to Ephemeral Cloud. If you do not have an Ephemeral Cloud account, then we create an Ephemeral free trial account for you. If your organization has a self-hosted Ephemeral instance, then you can choose to write the output to that instance. Note that all workspaces in the same organization or for the same self-hosted Structural instance must use the same Ephemeral instance.
Structural uses the output data to create an Ephemeral user snapshot. You can use the user snapshot to create Ephemeral databases.
When Structural creates the user snapshot in Ephemeral, it creates a temporary Ephemeral database to use as the basis for the user snapshot. There is an option to keep that temporary database. For a free trial workspace, this option is enabled by default. The database expires after 48 hours.

For details about how to configure Structural to write output to Ephemeral, go to . For more information about Ephemeral, go to the .

Destination database

To write the data to a destination database, click Database Server. Structural displays the configuration fields for the destination database.

For information on how to configure the destination information for a specific data connector, go to the workspace configuration information for that data connector. The contains a list of the available data connectors, and provides a link to the documentation for each data connector.

Container repository

To write the data to a data volume in a container repository, click Container Repository. Structural displays the configuration fields to select a base image and provide the details about the repository.

For more information, go to .

Cloud storage files output location

For a file connector workspace that uses files from cloud storage (Amazon S3 or Google Cloud Storage), you configure the cloud storage output location where Structural writes the transformed files. The configuration includes the required credentials to use.

For more information, go to .

Running data generation

After you complete the workspace and generator configuration, you can run your first data generation.

The data generation process uses the assigned generators to transform the source data. It writes the transformed data to the configured destination location.

For a local files workspace, it writes the files to the Structural application database.

Starting the generation

The Generate Data option is at the top right of the Tonic heading.

When you click Generate Data, Structural displays the Confirm Generation panel.

The Confirm Generation panel provides access to the current destination configuration, along with other advanced generation options such as subsetting and upsert.

It also indicates if there are any issues that prevent you from starting the data generation. For example, if the workspace does not have a configured destination, then Structural cannot run the data generation.

To start the data generation, click Run Generation. For more information about running data generation, go to .

For a new Tonic Ephemeral account, the first time that you run data generation, you also receive an activation email message for the account.

Viewing the job details and connecting to an Ephemeral database

To view the job status and details:

Click Jobs.
In the list, click the data generation job.

For a data generation that writes the output to an Ephemeral database, the Data Available in Tonic Ephemeral panel provides access to the database connection information.

To display the connection details, click Connecting to your database.

The connection details include the database location and credentials. Each field contains a copy icon to allow you to copy the value.

Next steps for free trial users

The first time that you complete all of the steps in a checklist, Structural displays a panel with options to chat with our sales team, schedule a demo, or purchase a subscription.

You can also continue to get to know Structural and experiment with other Structural features such as or using to mask more complex values such as JSON or XML.

If your free trial has expired, to get an extension, you can reach out to us using either the in-app chat or an email message.

Privacy Hub

About Privacy Hub

Privacy Hub tracks the current protection status of source data columns based on:

Column sensitivity, either from the most recent sensitivity scan or from manual assignments
Assigned table modes
Assigned generators

To display Privacy Hub, either:

On the workspace management view, in the workspace navigation bar, click Privacy Hub.
On Workspaces view, click the workspace name.

From Privacy Hub, you can:

Review and apply the recommended generators for all detected sensitive columns
View the current protection status of columns
Manually mark columns as sensitive or not sensitive
Configure protection for sensitive columns
Download a preview Privacy Report
Run a new sensitivity scan

You can also track the history of changes to column sensitivity and the assigned column generators. For more information, go to Tracking changes to workspaces, generator presets, and sensitivity rules.

Viewing the count of detected sensitive columns that are not protected

The sensitivity scan detects specific types of sensitive data.

If your workspace contains any columns that the sensitivity scan identified, and for which you have not either:

Assigned a generator
Marked as not sensitive

Then Tonic Structural displays a Sensitivity Recommendations banner that contains a count of those columns.

The count only includes sensitive columns that the sensitivity scan detects. If you manually mark a column as sensitive, it is not included in the list.

On the banner, the Review Recommendations option allows you to review the detected columns and the recommended generators for each detected sensitive data type.

You can then apply the recommended generators or ignore the recommendations. When you ignore a recommendation, you either:

Indicate to remove the generator recommendation for the column.
Indicate that the column data is not sensitive.

For more information, go to Reviewing and applying recommended generators.

Viewing the protection status for each column

The protection status panels at the top of Privacy Hub provide an overview of the current protection status of the columns in the source data.

Each panel displays:

The number of columns that are in that category.
The estimated percentage of columns that are in that category.

Note that for a JSON column that uses Document View, the protection status displays a separate box for each combination of JSON path and data type.

From each panel, you can display details for and configure protection for each column.

The column counts do not include columns that do not have data in the destination database. For example, if a table is assigned Truncate table mode, then Privacy Hub ignores the columns in that table.

The information on these panels updates automatically as you change whether columns are sensitive and assign generators to columns.

At-Risk Columns

The At-Risk Columns panel reflects columns that:

Are populated in the destination database.
Are marked as sensitive.
Have the generator set to Passthrough, which indicates that Structural does not perform any transformation on the data.

For each column, the At-Risk Columns panel also indicates the sensitivity confidence, from full confidence (completely red) to low confidence (a small percentage of red).

The goal is to have 0 at-risk columns.

When you click Open in Database View, you navigate to Database View. The column list is filtered to show columns that are at risk.

Protected Columns

The Protected Columns panel reflects columns that:

Are populated in the destination database.
Are assigned a generator other than Passthrough.

It includes both sensitive and non-sensitive columns.

Note that a column is considered protected based solely on the assigned generator. Some more complex generators, such as JSON Mask or Conditional, allow you to apply different generators to specific portions of a value or based on a specific condition. However, the protection status does not reflect these sub-generators. An applied sub-generator could be Passthrough.

When you click Open in Database View, you navigate to Database View. The column list is filtered to show all included columns that are protected.

Not Sensitive Columns

The Not Sensitive Columns panel reflects columns that:

Are populated in the destination database.
Are marked as not sensitive.
Have the generator set to Passthrough.

When you click Open in Database View, you navigate to Database View. The column list is filtered to show included columns that are not sensitive and are not protected.

Viewing the protection status for each table

The Database Tables list shows the protection status for each table in the source database. You can view the number of columns that have each protection status, and update the column configuration.

The list does not include tables where the table mode is Truncate or Preserve Destination. Truncated tables are not populated in the destination database. For Preserve Destination tables, the existing data in the destination database does not change.

Information in the list

For each table, Database Tables provides the following information:

Name - The table name. For a file connector workspace, each table corresponds to a file group. Each JSON column that uses Document View is also in a separate row. For JSON columns, the Name column displays both the table name and the column name.
Not Sensitive - The number of not sensitive columns in the table. Not sensitive columns are not marked as sensitive and have Passthrough as the generator. When you click the value, you navigate to Database View, filtered to display the not sensitive columns for the table.
Protected - The number of protected columns in the table. Protected columns have an assigned generator. A protected column can be either sensitive or not sensitive. When you click the value, you navigate to Database View, filtered to display the protected columns for the table.
At-Risk - The number of at-risk columns in the table. These columns are marked as sensitive, but have Passthrough as the generator. The goal is to have 0 unprotected sensitive columns. When you click the value, you navigate to Database View, filtered to display the at-risk columns for the table.
Privacy Status - Indicates the current protection status of the columns in the table. It provides the same view and configuration options as the protection status panels at the top of Privacy Hub.

Filtering the list

You can filter the Database Tables list either by the table name or by the schema.

Filtering by table name

To filter the list by table name, in the filter field, begin to type text that is in the table name. As you type, Structural updates the list to only display matching tables.

Filtering by schema

To filter the list to only include tables that belong to a specific schema:

Click Filter by Schema.
From the schema dropdown list, select the schema.

When you select a schema, Structural adds it to the filter field.

Sorting the list

You can sort the Database Tables list by any column except for the Privacy Status column.

To sort by a column, click the column heading. To reverse the sort order, click the heading again.

Managing columns from the table list

The Privacy Status column in the Database Tables list indicates the protection status of the columns in the table.

This column provides the same options to view and configure columns as the protection status panels at the top of Privacy Hub, but is limited to the columns in a specific table.

Viewing and configuring columns

Navigating through columns and viewing column details

Each protection status panel displays a series of boxes to represent the columns that apply to that status. For example, if the source data contains four columns that are at-risk, then the At-Risk Columns panel displays four boxes, one for each column.

The Privacy Status column in the Database Tables list displays the same set of boxes for the columns in an individual table.

If the number of columns is too large to fit, then the last box shows the number of additional columns that apply. For example, if there are 15 columns that don't fit, then the last box is labeled +15.

When you hover over a box, the column name displays in a tooltip.

When you click a box, the details panel for that column displays.

When you click the box for remaining columns, the details panel for the first column in the remaining columns displays.

You can use the next and previous icons at the bottom right of the details panel to display the details for the next or previous column.

The column details panel opens to the settings view. The settings view contains the following information:

The table and column name.
Whether the column is flagged as sensitive.
The type of sensitive data that the column contains.
The data type for the column data.
The generator that is assigned to the column.
For a child workspace, whether the column configuration is inherited from the parent workspace. For columns that have overrides, you can reset to the parent configuration.

Indicating whether a column is sensitive

Required workspace permission: Configure column sensitivity

From the settings view of the column details, you can configure the column sensitivity.

You cannot change the sensitivity of columns in a child workspace. A child workspace always inherits the sensitivity from its parent workspace. For more information, go to About workspace inheritance.

As you change the column sensitivity, Structural updates the protection status panels.

To change whether the column is sensitive, toggle the Sensitive option. The column is moved if needed to reflect its new status. However, you remain on the current panel.

For example, from the At-Risk Columns panel, you change a column to be not sensitive. The column is moved to the Not Sensitive Columns panel. When you click the next or previous icons, you view the details for the next or previous column on the At-Risk Columns panel.

Selecting and configuring a generator for the column

Required workspace permission: Configure column generators

From the column details, you can assign and configure the column generator.

When you change the column generator, Structural updates the protection status panels.

If the column generator was previously Passthrough, then the column is moved to the Protected Columns panel. However, you remain on the current panel. For example, you assign a generator to a column that is on the At-Risk Columns panel. The column is moved to the Protected Columns panel, but when you click the next or previous icons, you view the details for the next or previous column on the At-Risk Columns panel.

Selecting the generator

For sensitive columns that are not protected, Structural displays the recommended generator as a button.

For self-hosted instances that have an Enterprise license, the recommended generator is the built-in generator preset.

To assign the recommended generator to the column, click the button.

Otherwise, select the generator from the Generator Type dropdown list.

For more information about selecting a generator, go to Assigning and configuring generators.

Configuring the generator

If the selected generator requires additional configuration, then below the Generator Type dropdown list is an Edit Generator Options link.

To display the configuration fields for the generator, click Edit Generator Options.

For information about configuring a selected generator or generator preset, go to Assigning and configuring generators.

After you configure the generator, to return to the settings view, click Back.

Displaying sample data for a column

Required workspace permission:

Source data: Preview source data
Destination data: Preview destination data

From the column details, you can display sample data for the column. The sample data allows you to compare the source and destination versions of the column values.

To display the sample data, click the view sample (magnifying glass) icon.

On the sample data view of the column details:

The Original Data tab shows the values in the source data.
The Protected Output tab shows the values that the generator produced.

Enabling Document View for JSON columns

Supported only for the file connector and PostgreSQL.

For a JSON column, instead of assigning a generator, you can enable Document View.

From Document View, you can view the JSON schema structure and assign generators to individual JSON fields. For more information, go to Document View for JSON columns.

To enable Document View, on the column details panel, toggle Use Document View to the on position. When Document View is enabled, the generator dropdown is replaced with the Open in Document View option.

Commenting on a column

Required license: Professional or Enterprise

From the column details, you can view and add comments on the column. You might use a comment to explain why you selected a particular generator or marked a column as sensitive or not sensitive.

From the column details, to display the comments for the column, click the comment icon.

The comments view displays any existing comments on the column. The most recent comment is at the bottom of the list. Each comment includes the name of the user who made the comment.

To add the first comment to a column, type the comment into the comment text area, then click Comment.

To add an additional comment, type the comment into the comment text area, then click Reply.

Downloading a preview Privacy Report

Required license: Enterprise

The Privacy Report files that you download from Privacy Hub or the workspace download menu provide an overview of the current protection status based on the current configuration.

This is different from the Privacy Report files that you download from the data generation job details, which show the protection status for the data produced by that data generation.

You can download either:

The Privacy Report .csv file, which provides details about the table columns, the column content, and the current protection configuration.
The Privacy Report PDF file, which provides charts that summarize the privacy ranking scores for the table columns. It also includes the table from the .csv file.

For more information about the Privacy Report files and their content, go to Using the Privacy Report to verify data protection.

From workspace management view

To download the report from the workspace management view, click the download icon. In the download menu:

To download the Privacy Report PDF file, click Download Privacy Report PDF.
To download the Privacy Report .csv file, click Download Privacy Report CSV.

From Privacy Hub

To download the report from Privacy Hub, click Reports and Logs, then:

To download the Privacy Report .csv file, click Privacy Report CSV.
To download the Privacy Report PDF file, click Privacy Report PDF.

Running a new sensitivity scan on the data

Required workspace permission: Run sensitivity scan

Privacy Hub provides an option to manually start a new sensitivity scan. For example, you might want to run a new sensitivity scan when:

You add columns to the source database. The new scan identifies whether the new columns contain sensitive data.
The data in a column changes significantly, and a column that Structural originally marked as not sensitive might now contain sensitive data.

You cannot run a sensitivity scan on a child workspace. Child workspaces always inherit the sensitivity results from their parent workspace.

To run a new sensitivity scan, click Run Sensitivity Scan.

When Structural runs a new sensitivity scan:

Structural analyzes and determines the sensitivity of any new columns.
It does not change the sensitivity of existing columns that you marked as sensitive or not sensitive.
For existing columns that you did not change the sensitivity of:
- Structural does not change the sensitivity of columns that the original scan marked as sensitive.
- It can change the sensitivity of columns that the original scan marked as not sensitive.

The protection status panels are updated to reflect the results of the new scan.

Generator summary

The following table summarizes the available generators. The table includes generator characteristics that you might take into account when you select the generator to use for a column.

Generator hints and tips also provides some suggestions for generators to use for specific use cases.

Information in the table

The generator summary includes the following columns:

Generator - The name of the generator, linked to the entry in the generator reference.
Description - An overview description of the generator.
Supported features - Includes the following information:
- The generator characteristics that the generator supports
- Whether the generator is a composite generator or a primary key generator
- The generator privacy ranking

Generator

Description

Supported features

API:

Generates replacement values for U.S. mailing addresses. You select the address component or format for the replacement values. For example, the column might only contain a street address or a postal code, or it might contain a full address.

Consistency - Self and other Linkable Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Identifies the algebraic relationship between 3 or more numeric values, including at least one non-integer. Based on the relationship, generates new values to match. If there is no relationship, uses the Categorical generator.

Linkable - linking is required Privacy ranking: 3

API:

Generates unique alphanumeric strings of the same length as the input. For example, for the origin value ABC123, the output value is a six-character alphanumeric string such as D24N05.

Consistency - Self only Primary key generator Unique columns allowed Format-preserving encryption (FPE) Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Within an array, replaces letters with random other letters, and numbers with random other numbers. Preserves punctuation and whitespace.

Consistency - Self only Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Used to transform array values in JSON.

To identify values to transform, you provide a list of JSONPaths. For each JSONPath, you assign a sub-generator to apply to matching values.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Used to transform values in an array. To identify values to transform, you provide a regular expression. For each capture group in an expression, you assign a sub-generator to apply to matching values.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Generates unique alpha-numeric strings based on any printable ASCII characters. You can optionally exclude lowercase letters from the generated values. The replacement value does not preserve the length of the original value.

Consistency - Self only Primary key generator Unique columns allowed Format-preserving encryption (FPE) Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Generates a random company name-like string.

Consistency - Self or other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Shuffles the original values for a column to different rows. Maintains the overall frequency of each value. For example, a column contains the values Small (3 times), Medium (4 times), and Large (5 times). In the transformed data, each value appears the same number of times, but the values are shuffled to different rows.

Linkable Differential privacy is configurable Privacy ranking: - 2 with differential privacy - 3 without differential privacy

API:

Replaces letters with random other letters and numbers with random other numbers. Preserves punctuation, whitespace, and mathematical symbols.

Consistency - Self only Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Replaces characters with other random characters. Preserves punctuation, capitalization, and whitepace. A replacement character is always from within the same Unicode Block as the source character. A source character is always mapped to the same destination character. For example, M might always map to V.

Always self-consistent Unique columns allowed Privacy ranking: 4

(Deprecated) API:

This generator is deprecated. Use the generator instead. Generates a random company name-like string.

Consistency - Self or other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Applies different generators to rows conditionally based on the column value. For example, apply the Character Scramble generator for values other than Test. You configure a list of conditions. Each condition performs a check against the column value. For each condition, you assign a sub-generator to apply to matching values.

Unique columns allowed Composite generator. Other feature support is based on the sub-generators. Privacy ranking: If a fallback generator is selected, then the lower of 5 or the fallback generator. 5 if no fallback generator is selected.

API:

Uses a single specified value to replace all of the values in the column. The replacement value must be compatible with the column data type.

Differential privacy Data-free Privacy ranking: 1

API:

Generates a continuous distribution to fit the underlying data. Can link to other columns to create multivariate distributions. Can also be partitioned by other columns.

Linkable Differential privacy is configurable Privacy ranking: - 2 with differential privacy - 3 without differential privacy

API:

Populates the column using the sum of values from a column in another table. To select the rows to use, uses a foreign key value that matches the primary key value for the current row. For example, to transform the Total_Sales column in the Customers table, from the Transactions table, use the sum of the Amount values for rows where the Customer_ID value matches the primary key value for the current customer.

Privacy ranking: 3

API:

Used to mask text in a delimited format.

Parses the text as a row where the columns are delimited by a specified character. For each index, you assign a sub-generator to apply to the index value.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Replaces the original column value with a value from list of values that you provide.

Consistency - Self and other Linkable Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Truncates dates or timestamps to a specific date or time component. For example, you might truncate a date value to the month or a timestamp to the hour.

Privacy ranking: 5

API:

Scrambles characters in an email address.

Preserves the formatting and keeps the @ and .. You can identify specific email domains to not scramble.

Consistency - Self only Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Generates timestamps that fit an event distribution. You can link columns to create a sequence of events across multiple columns. You can also partition the generator by other columns.

Linkable Privacy ranking: 3

API:

Scrambles characters in a file name.

Preserves the formatting and the file extension.

Consistency - Self only Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Replaces all instances of the find string with the replace string. For the find string, you can optionally provide a regular expression.

Privacy ranking: 5

API:

Generates a valid Finnish Personal Identity Code (PIC).

You configure the date range during which the PIC was issued.

Consistency - Self only

Data-free if not consistent

Unique columns allowed

Format-preserving encryption (FPE)

Privacy ranking:

1 if not consistent
4 if consistent

API:

Transforms Norwegian national identity numbers. You can optionally preserve the gender and birthdate portions of the identifier values.

Consistency - Self and other Unique columns allowed Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Used to transform columns that contain latitude and longitude values.

Linkable Unique columns allowed Privacy ranking: 3

API:

Can be used to generate cities, states, zip codes, and latitude/longitude values that follow HIPAA guidelines for safe harbor.

Consistency - Self only Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Generates random host names, based on the English language.

Consistency - Self and other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Used to transform values in an HStore column in a PostgreSQL database. You specify a list of keys for which to transform the values. For each key, you assign a generator to apply to the key value.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Used to transform columns that contain HTML content. To identify the values to transform, you provide a list of path expressions. For each path expression, you assign a generator to apply to the matching value.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Generates unique integer values.

By default, the generated values are within the range of the column’s data type.

You can also specify a range for the generated values. The source values must be within that range.

Consistency - Self only Differential privacy if not consistent Data-free if not consistent Primary key generator Unique columns allowed Format-preserving encryption (FPE) Privacy ranking: - 1 if not consistent - 4 if consistent

API:

For Canadian mailing addresses, can generate:

Street name
Postal code

For United Kingdom (UK) mailing addresses, can generate postal codes.

Consistency - Self only Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Generates a random IP address-formatted string. You specify the percentage of IPv4 addresses. The remaining addresses are IPv6.

Consistency - Self or other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Used to transform values in JSON columns. To identify values to transform, you provide a list of JSONPaths.

For each JSONPath, you assign a sub-generator to apply to matching values.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Generates a random MAC address formatted string.

Consistency - Self only Differential privacy if not consistent Data-free if not consistent Format-preserving encryption (FPE) Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Generates unique MongoDB objectId values. Can be assigned to text columns that contain MongoDB ObjectId values. The column value must be 12 bytes long.

Consistency - Self only Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Generates a random name string from a dictionary of first and last names. You specify the name format. For example, a column might contain only a first name, or a full name that is last name first.

Consistency - Self or other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Masks values in numeric columns.

Either adds or multiplies the original value by random noise.

Consistency - Self or other Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Replaces all of the column values with NULL values.

Differential privacy Data-free Unique columns allowed Privacy ranking: 1

API:

Generates unique numeric strings of the same length as the input numeric string.

Consistency - Self only Primary key generator Unique columns allowed Format-preserving encryption (FPE) Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Default generator. Does not perform any transformation on the source data.

Unique columns allowed Privacy ranking: 6

API:

Generates a random telephone number that matches the country or region and format of the input telephone number. For invalid telephone numbers, either replaces individual numbers or generates a valid replacement number.

Consistency - Self only Privacy ranking: 3

API:

Generates a random boolean value. You specify the percentage of true values. The remaining values are false.

Differential privacy Data-free Privacy ranking: 1

API:

Generates a random double number that is between the specified minimum (inclusive) and maximum (exclusive) values.

Differential privacy Data-free Privacy ranking: 1

API:

Generates a random hash string.

Differential privacy Data-free Privacy ranking: 1

API:

Returns a random integer that is between the specified minimum (inclusive) and maximum (exclusive) values.

Differential privacy Data-free Privacy ranking: 1

API:

Generates random dates, times, and timestamps that fall within a specified range.

Differential privacy Data-free Privacy ranking: 1

API:

Generates a random new UUID string.

Differential privacy Data-free Unique columns allowed Privacy ranking: 1

API:

To identify values to transform, you provide a regular expression.

For each capture group in an expression, you assign a sub-generator to apply to matching values.

Unique columns allowed Composite generator. Other feature support is based on the sub-generators. Privacy ranking: 5

API:

Generates a column of unique integer values that start with specified value, and then increment by 1 for each processed row.

Linkable Unique columns allowed Privacy ranking: 3

API:

Generates values of ISO 6346 compliant shipping container codes. The codes are all in the freight ("U") category.

Consistency - Self or other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Generates a new valid Canadian Social Insurance Number. Preserves the formatting from the original value.

Consistency - Self only Data-free if not consistent Unique columns allowed Format-preserving encryption (FPE) Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Generates a new valid United States Social Security Number. For numeric columns, the dashes (xxx-xx-xxxx) are always excluded. Otherwise, you can specify the percentage of values for which to include the dashes.

Consistency - Self or other Differential privacy if not consistent Data-free if not consistent Privacy ranking: - 1 if not consistent - 4 if consistent

API:

Used to transform StructFields within a StructType in Spark databases (Databricks and Amazon EMR). To identify the StructField value to transform, you provide a path expression. For each path expression, you assign a sub-generator to apply to the matching values.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

API:

Shifts timestamps by a random amount of a specific unit of time, within a set range. The range can start before the original value.

Consistency - Self or other Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Generates unique email addresses.

Replaces the username with a randomly generated GUID, and masks the domain with a character scramble.

Consistency - Self only Unique columns allowed Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Used to transform URLs. Preserves the formatting. Keeps the URL scheme and top-level domain intact.

Unique columns allowed Privacy ranking: 3

API:

Generates UUIDs.

Consistency - Self only Primary key generator Unique columns allowed Format-preserving encryption (FPE) Privacy ranking: - 3 if not consistent - 4 if consistent

API:

Used to transform values in XML columns. To identify the values to transform, you provide XPaths. For each XPath, you assign a sub-generator to apply to the matching values.

Composite generator. Feature support is based on the sub-generators. Privacy ranking: 5

Tonic Structural

Tonic Structural User Guide

Connect to your data

Configure and generate transformed data

Manage a self-hosted Tonic Structural instance

About Tonic Structural

Structural data generation workflow

Structural deployment types

Self-hosted Tonic Structural instance

Structural Cloud

Structural implementation roles

Infrastructure engineers

Database administrators

Structural users

Data consumers

Security and compliance

Logging into Structural for the first time

Managing your user account

Choosing your user image

Viewing and copying your organization identifier

Configuring notifications for column comments

Generating and managing API tokens

Creating an API token

Revoking an API token

Changing your Structural password

Deleting your Structural account

Frequently Asked Questions

What is the minimum required screen width for the Tonic Structural application?

How do you connect to a local database when running Structural in a Docker container locally?

I allowlist access to my database. What are your static IP addresses?

United States-based instance

Europe-based instance

I allowlist network calls. What do I need to allowlist?

URLs for telemetry sharing

URLs for Structural version information

How do I check my current version of Structural?

How should we provision our source database?

What data does Tonic.ai collect from Structural?

Tutorial videos

Tonic Structural 101

Creating a Structural workspace

Sensitivity detection and generator recommendations

Managing workspace access

Structural generators overview

Generator presets

File connector overview

Generating data with consistency

Using Document View to configure JSON columns

Subsetting your data

Upsert data generation

Writing destination data to a container repository

Creating and managing workspaces

Managing workspaces

Manage workspaces

Workspace details and tools

Viewing your list of workspaces

How the workspace list is displayed

Filtering the workspace list

Sorting the workspace list

Workspace details on Workspaces view

Getting access to workspace tools and actions

Displaying the workspace management view

Options column

Actions menu for bulk actions

Creating, editing, or deleting a workspace

Creating a workspace

Creating a completely new workspace

Creating a copy of a workspace

Creating a child workspace

Editing a workspace

Deleting a workspace

Workspace configuration settings

Workspace identification and connection type

Fields to identify the workspace

Connection type

Data connection settings

Source database connection

Upsert configuration

Destination data location

Destination database