1 of 100

Tonic Structural

Tonic Structural User Guide

The Tonic Structural platform creates safe, realistic datasets to use in staging environments or for local development. The Structural web application and can be used by engineers, data analysts, or security experts.

Structural connects to source databases that contain sensitive data such as personally identifiable information (PII) or protected health information (PHI). To protect that data, Structural transforms the sensitive values and then writes the transformed data to a destination location.

New to Structural? Review the . For information on how to create a Structural account and start a Structural free trial, go to .

Want to know what's in the latest Structural releases? Go to the .

The Structural application heading includes a feature updates icon, which displays a summary of the newest features, and includes a link to the Structural release notes.

Connect to your data

Configure and generate transformed data

Manage a self-hosted Tonic Structural instance

Need help with Structural? Contact .

About Tonic Structural

The Tonic Structural synthetic data platform combines sensitive data detection and data transformation to allow users to create safe, secure, and compliant datasets.

Common Structural use cases include creating staging and development environments, and trying out a new cloud provider without complex data agreements.

Structural allows you to reduce bug counts, shorten testing life cycles, and share data with partners, all while helping to ensure security and compliance with the latest regulations, from GDPR to CCPA.

You can use the Structural API to integrate with CI/CD pipelines or to create automated processes that ensure that the generated data is available on demand.

Structural data generation workflow

Tonic Structural data generation combines sensitive data detection and data transformation to create safe, secure, and compliant datasets.

The Structural data generation workflow involves the following steps:

You can also view this .

To get started, you . When you create a workspace, you identify the type of source data, such as PostgreSQL or MySQL, and establish the connections to the source database and the destination location. The source database contains the original data that you want to synthesize. The destination location is where Structural stores the synthesized data. It might be a database, a storage location, a container repository, or an Ephemeral database snapshhot.
Next, you . The sensitivity scan identifies columns that contain sensitive data. These columns need to be protected by a generator.
Based on the sensitivity scan results, you configure the data generation. The configuration includes:
- The table mode controls the number of rows and columns that are copied to the destination database.
- You can make adjustments to the initial sensitivity assignments. For example, you can mark additional columns as sensitive that the initial scan did not identify as sensitive.
- To protect the data in a column, especially a sensitive column, you assign a generator to it. The generator replaces the source value with a different value in the destination database. For example, the generator might scramble the characters or assign a random value of the same type.
After you complete the configuration, you . The data generation job uses the configured table modes and generators to transform the data from the source database and write the transformed data to the destination location. You can track the job progress and view the job results.

Structural deployment types

Self-hosted Tonic Structural instance

You can deploy a self-hosted, on-premises instance of Tonic Structural.

For a self-hosted instance, Structural provides administrator tools that allow you to monitor Structural services and manage Structural users.

You can configure Structural environment settings to customize your instance.

On a self-hosted instance, based on your license plan, you have access to the full set of supported data connectors.

Structural Cloud

Structural Cloud is our secure hosted environment. On Structural Cloud, Tonic.ai handles monitoring Structural services and updating Structural.

For single sign-on (SSO), Structural Cloud only supports Okta.

Structural Cloud does not include:

Custom permission sets
Environment setting configuration. Structural Cloud uses a single configuration.
Structural data encryption
Access to the following data connectors:

Structural Cloud also supports a pay-as-you-go plan, where free trial users can move on to set up a monthly subscription. For more information, go to Setting up and managing a Structural Cloud pay-as-you-go subscription.

Each Structural Cloud user belongs to a Structural Cloud organization, which is determined either by the user's email domain or by a workspace invitation. Structural Cloud users do not have any access to workspaces or users from other organizations.

Each free trial user is in a separate organization, along with any users that they invite to have access to a free trial workspace.

For information about Structural Cloud organizations, go to Structural organizations.

The Account Admin permission set allows a Structural Cloud user to manage organization users and workspaces. For information about granting access to the Account Admin permission set, go to Granting Account Admin access for a Structural Cloud organization.

Structural implementation roles

A Tonic Structural implementation can involve the following roles - from those who set up the Structural environment to the consumers of the data that Structural processes.

Note that these roles are not related to role-based access (RBAC) within Structural, which is managed using .

Infrastructure engineers

For self-hosted instances of Structural.

Infrastructure engineers set up the Structural application and its relevant dependencies. They are typically DevOps, Site Reliability Engineering (SRE), or Kubernetes cluster administrators.

Infrastructure engineers perform the following Structural-related tasks:

Ensure that the proper infrastructure is ready for Structural installation based on the .
. Works with Tonic.ai support as needed.
Perform routine maintenance of Structural and the Structural environment. and its dependencies as needed.
Create Structural-processed data pipelines for development and testing workflows.

Database administrators

For both self-hosted instances of Structural and Structural Cloud.

Database administrators integrate Structural into your data architecture to support .

They ensure that source databases are available to Structural, and that Structural can write to destination databases.

perform the following Structural-related tasks:

Set up the required Structural access to source databases.
Set up destination databases for Structural to write transformed data to.

Structural users

Structural users are the actual users of the Structural application.

Depending on the use case, Structural users might be compliance analysts, DevOps, or data engineers.

Tonic users perform the following Structural-related tasks:

Use the to configure the logic used to transform the source data and to generate the transformed data.
Work with data consumers to produce usable data.

Data consumers

Data consumers are the end users of transformed destination data.

They are typically QA testers, developers, or analysts.

Data consumers perform the following Structural-related tasks:

Validate the usability of the destination data.
Provide guidance on application-specific requirements for data.

Security and compliance

Security and compliance specialists ensure and validate that the data that Structural produces meets expectations, and that Structural is compliant with other security-related processes.

Security and compliance specialists perform the following Structural-related tasks:

Provide guidance on what data is sensitive.
Sign off on proposed approaches to mask sensitive data.
Approve data access and permissions.

Logging into Structural for the first time

When you go to Tonic Structural for the first time, you create an account. How you create an account depends on the type of user you are.

A new Structural user can be one of the following:

A completely new user who is starting a Structural 14-day free trial. Free trial users use Structural Cloud to explore and experiment with Structural before they decide whether to purchase it.
A new user on a self-hosted Structural instance. Self-hosted instances are installed on-premises. The customer administers the Structural users.
A new user in an existing Structural Cloud organization. New users are added to existing organizations based on their email domain.

Managing your user account

From the User Settings view, you can manage settings for your individual Tonic Structural account.

To display the User Settings view:

Click your user image at the top right.
In the menu, click User Settings.

The User Settings view includes options to:

Configure your user image.
View and copy your organization identifier.
Configure email notifications for column comments.
Generate and manage API tokens.
Change your Structural password (if your Structural instance does not use SSO).
Delete your Structural account.

Choosing your user image

You can select an image to associate with your account. The image is displayed next to your name and email address throughout Structural.

If your instance uses Google or Azure single sign-on (SSO) to manage Structural users, then by default your Structural account image is the image from the SSO.

Otherwise, the default image displays your initials.

To change your user image, click Upload, then select the image file.

Viewing and copying your organization identifier

Below your user image file name is the identifier of the organization that your account belongs to.

To copy the identifier, click the copy icon.

Configuring notifications for column comments

Required license: Professional or Enterprise

Structural allows users to provide comments on columns. You can do this from Privacy Hub and Database View.

From the Comment Notification Settings section of User Settings, you can configure when to receive email notifications for comments.

The available options are:

I am an owner, editor, auditor, or am being replied to This is the default option. You receive email notifications when comments are made on columns in a workspace that you are an owner, editor, or auditor for. You also receive an email notification when someone replies to a comment that you made.
I am @ mentioned You only receive an email notification if someone specifically mentions you in a comment.
Never You never receive email notifications for column comments.

Generating and managing API tokens

Before you can use the Structural API, you must create an API token. From the User API Tokens section of the User Settings view, you can create and manage API tokens.

Creating an API token

To create an API token:

Click Create Token.
On the Create New Token dialog, enter a name for the new token.
Click Confirm.

In the list, the new token displays as clear text. To copy the new token, click the copy icon next to the token.

The new token text and copy icon only display during the current session. After that, Structural masks the token and removes the copy icon.

Revoking an API token

To revoke a token, click the Revoke option for the token.

Changing your Structural password

If your Structural account is not managed using SSO, then from User Settings, you can change your Structural password.

If your Structural instance uses SSO to manage users, then your user credentials are managed in the SSO system. You cannot change your user password in Structural.

Under Password Change, to change your Structural password:

In the Old Password field, type your current Structural password.
In the New Password field, type your new Structural password.
In the Repeat New Password field, type your new Structural password again.
Click Confirm.

Deleting your Structural account

From User Settings, you can delete your Structural account. If your instance uses SSO to manage users, then deleting your account only affects your access to Structural.

You cannot delete your Structural account if you are the owner of a workspace for which other users are granted access. Before you can delete your Structural account, you must either:

Revoke access from other users.
Transfer ownership to a different user.

To delete your Structural account, click Delete Account.

When you delete your account, you are logged out of Structural.

Frequently Asked Questions

What is the minimum required screen width for the Tonic Structural application?

The minimum screen width is 1120 pixels.

How do you connect to a local database when running Structural in a Docker container locally?

If the locally running database that you want to connect to runs in a Docker container:

Run: docker inspect
In the networks section of the results, find the Gateway IP address. Use this IP address as the server address in Structural.

If the locally running database does NOT run in a container, but runs on the machine, then:

On Windows or Mac, use host.docker.internal.
On Linux, use 172.17.0.1, which is the IP address of the docker0 interface.

I allowlist access to my database. What are your static IP addresses?

If you use Structural Cloud, and your database only allows connections from allowlisted IP addresses, then you need to allowlist Structural static IP addresses.

This is not required for self-hosted instances of Structural.

United States-based instance

For the United States-based instance (app.tonic.ai), the static IP addresses are:

54.92.217.68
52.22.13.250

The following IP addresses are used if needed for scaling or failover:

44.215.74.226
3.232.203.148
3.224.2.189
44.230.136.147
44.230.79.194

Europe-based instance

For the Europe-based instance (app-de.tonic.ai), the static IP addresses are:

18.159.127.160
3.69.249.144

The following IP addresses are used if needed for scaling or failover:

18.159.179.95
3.120.214.225
3.75.12.1
16.16.71.42
16.170.51.237

I allowlist network calls. What do I need to allowlist?

URLs for telemetry sharing

The URL https://telemetry.tonic.ai/ is used for our Amplitude telemetry.

https://telemetry.tonic.ai/logs is used specifically for log sharing.

Allowlist https://telemetry.tonic.ai/ or the following IP addresses:

75.2.74.76
99.83.246.105

Telemetry sharing is required. These metrics are valuable for us as we debug, make product roadmaps, and determine feature viability.

No customer data is included. For more information about the specific telemetry data that we collect, go to Data that Tonic.ai collects.

For more information on how to verify that telemetry is shared, go to Verifying and enabling telemetry sharing.

URLs for Structural version information

To support the one-click update option, Structural needs to be able to retrieve information about the latest Structural version.

For more information, go to .

How do I check my current version of Structural?

Click your user image at the top right. The menu includes the Tonic version.

How should we provision our source database?

We recommend that you use a static copy of your production database that was restored from a backup.

If that's not possible, consider the following when you connect Structural to your source data:

Structural cannot guarantee referential integrity of the output data if the source database is written to while data is generated. For this reason we recommend that you connect to a static copy of production data.
Read replicas and fast followers can be problematic for Structural because of how long it takes some queries to run. Read replicas tend to have short query timeout limits, which causes the queries to time out. Read replicas also reflect recent writes, which means that we cannot guarantee the referential integrity of the output.

What data does Tonic.ai collect from Structural?

For details about the types of data that Tonic.ai does and does not collect, go to Data that Tonic.ai collects.

Tutorial videos

Use these tutorial videos to learn more about how to use Tonic Structural.

Tonic Structural 101

Provides an overview of the Structural workflow and how to use Structural to generate de-identified data. For more information, go to .

Creating a Structural workspace

Provides an overview of what a Structural workspace is and how to create a new Structural workspace. For more information, go to .

Sensitivity detection and generator recommendations

Provides an overview of how Structural detects sensitive values and how you can apply recommended generators to the detected values.

Managing workspace access

Provides an overview of workspace owners, permissions, and permission sets. Explains how to share and transfer ownership of a workspace. For more information, go to .

Structural generators overview

Identifies the types of generators and transformations that you can use in Structural, and explains how to assign a generator to a column. For more information, go to .

Generator presets

Provides an overview of generator presets. Includes how to create and update them, and how to track where each generator preset is used. For more information, go to .

File connector overview

Provides an overview of the file connector and how to manage file groups in a file connector workspace. For more information, go to .

Generating data with consistency

Provides an overview of the consistency generator property and how it works. For more information, go to .

Using Document View to configure JSON columns

Provides an overview of how to enable Document View for a JSON column and how to use it to configure generators for JSON fields.

Subsetting your data

Provides an overview of subsetting, how it is configured, and how Structural uses the configuration to generate a subset. For more information, go to .

Upsert data generation

Provides an overview of upsert data generation. Includes how it works and how to enable and run it for a workspace. For more information, go to .

Writing destination data to a container repository

Provides an overview of how to write destination data to a container repository instead of a database server. For more information, go to .

Creating and managing workspaces

Managing workspaces

A Tonic Structural workspace provides a context within which to configure and generate transformed data.

A workspace represents a path between the source data and the transformed output data. For example, postgres-prod-copy to postgres-staging.

A workspace includes:

Where to find the source data to transform during data generation
Where to write the transformed data
The rules for the transformation

Manage workspaces

Workspace details and tools

Viewing your list of workspaces

Workspaces view lists the workspaces that you have access to. To display Workspaces view, in the Tonic Structural heading, click Workspaces.

How the workspace list is displayed

The workspace list contains:

Workspaces that you own
Workspaces that you are granted access to

If you have the global permission Copy any workspace or Manage user access to Tonic and to any workspace, then list includes all of the workspaces.

The Permissions column lists the workspace permission sets that you are granted in each workspace. The permission sets include both permission sets that were granted to you directly as a user, and permission sets that were granted to an SSO group that you are a member of.

Child workspaces always display under their parent workspace. The list only includes child workspaces that you have access to. If you have access to a child workspace, but not to its parent workspace, then the parent workspace is grayed out. You cannot select it.

Filtering the workspace list

You can filter the workspaces based on the following information:

Name - In the filter field, begin to type text that is in the name of the workspaces to display in the list.
Owner - From the Filter by Owner dropdown list, select the owner of the workspaces to display in the list.
Database type - From the Filter by Database Type dropdown list, select the type of database for the workspaces to display in the list.
Generation status - In the Generation Status column heading, click the filter icon. Check the checkbox next to the generation status values for the workspaces to display in the list.
Tags - In the Tags column heading, click the filter icon. By default, the workspaces are not filtered by tag, and all of the checkboxes are unchecked. To only include workspaces that have specific tags, check the checkbox next to each tag to include. To uncheck all of the selected tags, click Reset Tags. When you filter by tag, Structural checks whether each workspace contains any of the selected tags.
Permissions - In the Permissions column heading, click the filter icon. You can check and uncheck checkboxes to include or exclude specific permission sets. For example, you can filter the list to only display workspaces for which the Editor permission set is granted either to you or to an SSO group that you belong to. For users that have the global permission Copy any workspace, the Permissions filter panel also contains an Any permissions checkbox. By default, Any permissions is unchecked, and the list includes workspaces for which you are not assigned any workspace permission sets. To display all of the workspaces for which you have any assigned workspace permission sets, check Any permissions. If you filter the list based on a specific permission set, to clear the filter and show all workspaces for which you have any permission set, check Any permissions. To display all workspaces, including workspaces that you do not have any permissions for, uncheck Any permissions.

You can combine different filters. For example, you can filter the list to only include workspaces that use PostgreSQL and for which the generation status is Canceled or Failed.

Child workspaces always display under their parent workspace, even if the parent workspace does not match the filter.

Sorting the workspace list

You can sort the workspace list by name, status, or owner.

By default, the list is sorted alphabetically by name.

To sort by a column, click the column heading. To reverse the order of the sort, click the column heading again.

Child workspaces always display under their parent workspace. The child workspaces are sorted within the parent.

Workspace details on Workspaces view

Workspaces view provides the following information about each workspace:

Name - Contains the name and database type for the workspace. To view the workspace description, hover over the name.
Generation status - The status for the most recent generation job. To display the job details for the job, click the job status. To display more details about the date, time, and duration for the job, hover over the generation timestamp. If a job failed recently, you are given additional information about how long this job has been failing (the date of the first failure occurrence among a continuous series of failures).
Schema changes - Indicates whether Structural detected changes to the source database schema. If there are changes, the column shows the number of changes. Hover over the column value to display additional details, and to navigate to the Schema Changes view. Go to Viewing and resolving schema changes.
Tags - The tags that are assigned to the workspace.
Permissions - The permission sets that are assigned to you for the workspace.
Owner - The name and email address of the workspace owner.

Getting access to workspace tools and actions

Displaying the workspace management view

On Workspaces view, when you click the workspace name, the workspace management view for the workspace is displayed. The Privacy Hub tab is selected.

The Name column also provides access to a menu of workspace configuration options. When you select an option, the workspace management view is displayed, open to the view for the selected option.

Options column

The last column in the workspaces list provides additional workspace options:

Subsetting icon - Displays the subsetting configuration for the workspace. Go to Viewing the current subsetting configuration.
Post-job actions icon - Displays the post-job actions for the workspace. For more information, go to Post-job scripts and Webhooks.
Actions menu - Provides access to additional options.

The Actions menu at the top left of the workspaces list allows you to to perform bulk actions on multiple workspaces. It is enabled when you check one or more of the checkboxes in the first column of each row. The Actions menu provides options for the selected workspaces.

Creating, editing, or deleting a workspace

Creating a workspace

When you create a new workspace, you can either:

Create a completely new workspace.
Create a copy of an existing workspace. The copy initially uses the configuration from the original workspace. After the copy is created, it is completely independent from the original workspace.
Create a child of an existing workspace. Child workspaces inherit configuration from the parent workspace. They continue to be updated automatically when the parent workspace is updated. For more information, go to About workspace inheritance.

You can also view this video overview of how to create a workspace.

Creating a completely new workspace

Required global permission: Create workspaces

To create a completely new workspace, on Workspaces view, click Create Workspace > New Workspace.

Creating a copy of a workspace

Required workspace permission: Copy workspace (in the workspace to copy)

Required global permission: Copy any workspace

To create a workspace based on an existing workspace, either:

On the workspace management view of the workspace to copy, from the workspace actions menu, select Duplicate Workspace.

On Workspaces view, click the actions menu for the workspace, then select Duplicate Workspace.

When you create a copy of a workspace, the copy initially inherits the following workspace configuration:

Source and destination database connections
Sensitivity designations, including manual designations that override the sensitivity scan results
Table mode assignments
Generator configuration
Subsetting configuration
Post-job scripts

Creating a child workspace

Required license: Enterprise

Required workspace permission: Create child workspaces (in the parent workspace)

You can create a workspace that is a child of an existing workspace. You cannot create a child workspace of another child workspace.

The parent workspace must have a source database configured. You cannot create a child workspace from a workspace that uses the Databricks, Spark (Amazon EMR or self-managed Spark cluster), or MongoDB data connector.

To create a child workspace, either:

On Workspaces view:
- Click Create Workspace > Child Workspace.
- Click the actions menu for the parent workspace, then select Create Child Workspace.
On the workspace management view, from the workspace actions menu, select Create Child Workspace.

On the New Workspace view, under Child Workspace, Parent Workspace identifies the parent workspace.

If you used the Create Workspace > Child Workspace option to create the child workspace, then Parent Workspace is not populated. From the Parent Workspace dropdown list, select the parent workspace for the new child workspace.

If you selected the child workspace option for a specific workspace, then Parent Workspace is set to that workspace.

If you originally chose to create a completely new workspace, then on the New Workspace view:

To change to a child workspace, select Create Child Workspace from the Create a child workspace panel at the right. Structural adds the Child Workspace panel to the New Workspace view.
From the Parent Workspace dropdown list, select the parent workspace for the new child workspace.

Editing a workspace

Required workspace permission: Configure workspace settings

To edit the configuration for an existing workspace, either:

On the workspace management view:
- On the workspace navigation bar, click Workspace Settings.
- From the workspace actions menu, select Workspace Settings.
On Workspaces view, click the actions menu for the workspace, then select Workspace Settings.

Deleting a workspace

Required workspace permission: Delete workspace

You can delete workspaces that you no longer need.

You cannot delete a parent workspace. You must first delete all of its child workspaces.

To delete a workspace:

On the workspace management view, from the workspace actions menu, select Delete Workspace.
On the Workspaces view, click the actions menu for the workspace, then select Delete.

Workspace configuration settings

The workspace settings for a new workspace (New Workspace view) or edited workspace (Workspace Settings tab) provide information about the workspace and its data.

Workspace identification and connection type

Every workspace includes the following settings to identify the workspace and to select the type of data connector.

Fields to identify the workspace

All workspaces have the following fields that identify the workspace:

In the Workspace name field, enter the name of the workspace.
In the Workspace description field, provide a brief description of the workspace. The description can contain up to 200 characters.
In the Tags field, provide a comma-separated list of tags to assign to the workspace. For more information on managing tags, go to .

Connection type

Under Connection Type, select the type of data connector to use for the workspace data. You cannot change the connection type on a .

The Basic and Professional licenses limit the number and type of data connectors you can use.

A Basic instance can only use one data connector type, which can be either PostgreSQL or MySQL. After you create your first workspace, any subsequent workspaces must use the same data connector type.
A Professional instance can use up two different data connector types, which can be any type other than Oracle or Db2 for LUW. After you create workspaces that use two different data connector types, any subsequent workspaces must use one of those data connector types.

If the database that you want to connect to isn't in the list, or you want to have different database types for your source and destination database, contact [email protected].

When you select a connector type, Structural updates the view to display the connection fields used for that connector type. The specific fields vary based on the .

Data connection settings

After you select the connector type, you configure:

Where to find the source data
Where to write the data generation output

Source database connection

For data connectors that connect to a database, the Source Settings section provides connection information for the source database.

You cannot change the source data configuration for a .

For information about the source connection fields for a specific data connector, go to the workspace configuration topic for that .

Upsert configuration

For data connectors that support upsert, the workspace configuration includes an Upsert section to allow you to enable and configure upsert. Upsert adds and updates rows in the destination database, but keeps all other existing rows intact.

If you enable upsert, then you cannot write output to an Ephemeral database or to a container repository. You must write the output to a destination database.

For more information, go to .

Destination data location

For data connectors that connect to a database, the Destination Settings section provides information about where and how Structural writes the output data from data generation.

Depending on the data connector type, you might be able to write to either:

Destination database - Writes the output data to a destination database on a database server.
Ephemeral snapshot - Writes the output data to a Tonic Ephemeral user snapshot.
Container repository - Writes the output data to a data volume in a container repository.

Destination database

When you write the output to a destination database, the destination database must be of the same type as the source database.

Structural does not create the destination database. It must exist before you generate data.

In Destination Settings, you provide the connection information for the destination database. For information about the destination database connection fields for a specific data connector, go to the workspace configuration topic for that .

If available, the Copy Settings from Source allows you to copy the source connection details to the destination database, if both databases are in the same location. Structural does not copy the connection password.

Tonic Ephemeral snapshot

Tonic Ephemeral is a separate Tonic.ai product that allows you to create temporary databases to use for testing and demos. For more information about Ephemeral, go to the .

If Ephemeral supports your workspace database type, then you can write the destination data to a snapshot in Ephemeral. For data larger than 10 GB, this option is recommended instead of writing to a container repository.

From Ephemeral, you can use the snapshot to start new Ephemeral databases.

For more information, go to .

Container repository

Some data connectors allow you to write the transformed data to a data volume in a container repository instead of to a database server.

You can use the resulting data volume to create a database in Tonic Ephemeral. If you do plan to use the data to start an Ephemeral database, and the size of the data is larger than 10 GB, then the recommendation is to write the data to an Ephemeral user snapshot instead.

For more information, go to .

Testing database connections

When you provide connection details for a database server, Structural provides a Test Connection button to test the connection, and verify that Structural can use the connection details to connect to the database. Structural uses the connection details to try to reach the database, and indicates whether it succeeded or failed. We strongly recommend that you test the connections.

The TONIC_TEST_CONNECTION_TIMEOUT_IN_SECONDS determines the number of seconds before a connection test times out. You can configure this setting from the Environment Settings tab on Structural Settings. By default, the connection test times out after 15 seconds.

File connector source and destination data

A workspace uses files as its source data and produces transformed versions of those files as its output.

For file connector workspaces, the File Location section indicates where the source files are obtained from - either a local file system or a cloud storage solution (Amazon S3 or Google Cloud Storage).

When the files come from cloud storage, the Output Location section indicates where to write the transformed files. You must also provide the cloud storage connection credentials.

For more information, go to .

Data generation settings

Blocking data generation for all schema changes

Most workspaces that connect to a database have a Block data generation if schema changes detected toggle. The setting is usually in the Source Settings section.

By default, the option is turned off. When the option is off:

Structural blocks data generation when there are sensitive schema changes. A sensitive schema change is a change that might result in data leakage. For example, a new column is added. Until you assign a generator to the column, the data is passed through as is to the output data. Before you can generate data with the new column, you must resolve the schema change.
Structural does not block data generation when there are only notification schema changes. A notification schema change is a change that Structural can ignore during data generation. For example, a column is removed. Structural can ignore that column during data generation, until you are able to permanently resolve the schema change.

If this option is turned on, then if Structural detects any changes at all to the schema, then until you resolve the schema changes, data generation is blocked.

For more information, go to Viewing and resolving schema changes.

Writing output to Tonic Ephemeral

Only available for PostgreSQL, MySQL, SQL Server, and Oracle.

Not compatible with upsert.

Not compatible with Preserve Destination or Incremental table modes.

Tonic Ephemeral is a separate Tonic.ai product that allows you to create temporary databases to use for testing and demos. For more information about Ephemeral, go to the .

If Ephemeral supports your workspace database type, then you can write the destination data to a snapshot in Ephemeral. You can then use the snapshot to start Ephemeral databases.

To write the transformed data to Ephemeral, under Destination Settings, click Ephemeral Database.

Selecting the Ephemeral instance type

Structural can write the data snapshot to either Ephemeral Cloud or to a self-hosted instance of Ephemeral. By default, Structural writes the data snapshot to Ephemeral Cloud.

All workspaces on the same self-hosted Structural instance or in the same Structural Cloud organization must write to the same instance of Ephemeral. When you change the Ephemeral output configuration in one workspace, it is automatically changed in other workspaces that write to Ephemeral.

Writing output to Ephemeral Cloud

Structural writes the snapshot to the Ephemeral Cloud account for the user who runs the data generation job.

If that user has an Ephemeral account on Ephemeral Cloud, then Structural uses that account.
If the user does not have an account, then Structural creates an account for them.

On Structural Cloud, when you save the workspace, if you do not have an Ephemeral Cloud account, then an Ephemeral Cloud account is created for you.

When Structural creates an Ephemeral account, if the user belongs to an existing Ephemeral Cloud organization, then the account is added to the organization. Otherwise, the account is a two-week free trial account.

For a self-hosted Structural workspace, you must provide an API key from an existing Ephemeral Cloud account.

To write a snapshot to Ephemeral Cloud:

Click Tonic Ephemeral cloud.
If you are on a self-hosted instance of Structural:
1. In the API Key field, provide an Ephemeral API key from your Ephemeral account.
2. To test the connection, click Test Connection.

Writing output to self-hosted Ephemeral

When you write to a self-hosted instance of Ephemeral, then you must always provide an Ephemeral API key.

To write the snapshot to a self-hosted instance of Ephemeral:

Click Tonic Ephemeral self-hosted.
In the API Key field, provide an Ephemeral API key from your Ephemeral account. Structural writes the snapshot to the Ephemeral account that is associated with the API key.
In the Tonic Ephemeral URL field, provide the URL to your self-hosted Ephemeral instance.
To test the connection, click Test Connection.

Selecting the image for Oracle

For Oracle, you select the base image to use to create the data snapshot.

If you write to Ephemeral Cloud, then you must use the Oracle 23c base image that comes with Ephemeral. This image has the following limitations:

A maximum of 12GB of user data
A maximum of 2CPU cores and 2GB of RAM

If you write to a self-hosted instance of Ephemeral, then you can also select a custom image that you created in Ephemeral.

For information about how to create and manage custom images for Oracle, go to .

Configuring advanced settings for the snapshot

If you do not configure any advanced settings, then:

The snapshot uses the same name as the workspace, and has no description.
The snapshot size allocation is determined by the source data size.
Structural discards the temporary Ephemeral database that is created during the data generation.

To change any of these settings, click Advanced settings.

Providing a snapshot name and description

By default, the snapshot name uses the workspace name.

When you run data generation, if a snapshot with the same name already exists in Ephemeral, then Structural overwrites that snapshot with the new snapshot.

Under Advanced settings:

In the Snapshot name field, provide the name of the snapshot. The snapshot name can use the following placeholder values to help identify the snapshot:
- {workspaceName} - Inserts the name of the workspace.
- {workspaceId} - Inserts the identifier of the workspace.
- {jobId} - Inserts the identifier of the data generation job that created the snapshot.
- {timestamp} - Inserts the timestamp when the snapshot was created.
Including the job ID or timestamp ensures that a data generation job does not overwrite a previous snapshot.
Optionally, in the Snapshot description field, provide a longer description of the snapshot.

Setting the pod resources for the snapshot

By default, the resources used for the snapshot are based on the size of the source data.

For source data that is 25 GB or less, Nano is used.
For source data larger than 25 GB, Micro is used.

To select a specific option:

Toggle Custom pod resources to the on position.
From the dropdown list, select the option to use for the combination of vCPUs and memory:
- Nano - 0.125 vCPU with 0.5 GB RAM
- Micro - 0.5 vCPU with 2 GB RAM
- Small - 1 vCPU with 4 GB RAM
- Medium - 2 vCPU with 8 GB RAM
- Large - 4 vCPU with 16 GB RAM

Setting the size allocation for the snapshot

By default, the Ephemeral size allocation for the snapshot is based on the size of the source data.

To instead provide a custom data size allocation, under Advanced settings:

Toggle Custom data size allocation to the on position.
In the field, enter the size allocation in gigabytes.

Indicating whether to keep the temporary Ephemeral database

When Structural creates the Ephemeral snapshot, it creates a temporary Ephemeral database.

By default, Structural deletes that database when the data generation is complete.

To instead keep the database, under Advanced settings, toggle Keep database active in Tonic Ephemeral after data generation to the on position.

In Ephemeral Cloud, by default, databases are publicly accessible. To limit database access, you can configure Ephemeral Cloud with an IP allowlist for your organization. For more information, go to in the Ephemeral documentation.

Providing a customization file for MySQL or PostgreSQL

For a MySQL or PostgreSQL workspace, you can provide a customization file that helps to ensure that the temporary Ephemeral database is configured correctly.

To provide the customization details:

Toggle Use custom configuration to the on position.
In the text area, paste the contents of the customization file.

Advanced workspace overrides

For self-hosted instances, Structural provides to configure features that include:

Consistency across runs and databases
Data generation performance

The Advanced Workspace Overrides section of the workspace details view allows you to override those environment settings for an individual workspace.

For example, the environment setting TONIC_TABLE_PARALLELISM determines the number of tables that Structural processes simultaneously. You can then override that value within individual workspaces.

The workspace overrides are available on both self-hosted instances and on Structural Cloud.

Configuring the overrides

To display the available override settings, expand Advanced Workspace Overrides.

Enabling and setting an override

For information on how to configure the statistics seed, go to .

For other settings, to enable the override and set the override value:

Toggle the setting to the on position.

Set the value.

Removing an override

To remove the override, toggle the setting to the off position.

Available overrides

Workspace statistics seed for cross-run consistency

For generators where is enabled, a statistics seed enables consistency across data generation runs. The Structural-wide statistics seed value ensures consistency across both data generation runs and workspaces.

You use the Override Statistics Seed setting to override the Structural-wide statistics seed value.

You can either disable consistency across data generations, or provide a seed value for the workspace. The workspace seed value ensures consistency across data generation runs for that workspace, and across other workspaces that have the same seed value.

For details about using seed values to ensure consistency across data generation runs and databases, go to .

Data generation performance settings

Structural provides environment settings to manage . For example, these settings include configuration for parallel processing.

From Advanced Workspace Overrides, you can override some of these data generation performance settings for an individual workspace.

Data encryption and decryption keys

To use Structural data encryption, you must .

You use the Override Data Decryption Key and Override Data Encryption Key settings to override the Structural-wide keys that are provided in the environment settings.

Destination database schema creation

Some data connectors allow you to configure whether you provide the schema for the destination database. For more information, go to related information for , , , , , and .

From Advanced Workspace Overrides, you can override the instance-wide configuration.

About the workspace management view

You use the workspace management view to configure and run data generation for an individual workspace.

When you log in to Tonic Structural, it displays the workspace management view for the workspace that was selected when you logged out.

Components of the workspace management view

The workspace management view includes the following components.

Workspace information

The top left of the workspace management view provides information about the workspace, including:

The workspace name
When the workspace was last updated
The user who last updated the workspace
Whether the workspace is a

Workspace options

The top right of the workspace management view provides general options for working with the workspace, including:

Undo and redo options for configuration changes
The workspace share icon, to
The workspace download menu to:
- Download sensitivity scan and privacy reports
The workspace actions menu
The Generate Data button, to

The workspace navigation bar provides access to workspace configuration options.

Displaying the workspace management view

To display the workspace management view for a workspace:

On Workspaces view, in the Name column either:
- Click the workspace name. The workspace management view opens to Privacy Hub.
- Click the dropdown icon, then select a workspace management option.

Click the search field at the top. A list of available type the name of the workspace. As you type, Tonic displays a list of matching workspaces. In the list, click the workspace name.

Collapsing and expanding the workspace heading

To reduce the amount of vertical space used by the heading of the workspace management view, you can collapse it.

To collapse the heading, click the collapse icon in the Structural heading.

When you collapse the workspace management heading:

The workspace information is hidden. The workspace name is displayed in the search field.
The workspace options are moved up into the Structural heading.

The workspace navigation bar remains visible.

When you collapse the heading, the collapse icon changes to an expand icon. To restore the full heading, click the expand icon.

About workspace inheritance

Required license: Enterprise

If you have multiple workspaces, then it is likely that many of the workspace components and configurations are the same or similar. It can be difficult to maintain that consistency across separate, independent workspaces.

When you copy a workspace, the new workspace is completely independent of the original workspace. There is no visibility into or inheritance of changes from the original workspace.

Workspace inheritance allows you to create workspaces that are children of a selected workspace. Unlike a copy of a workspace, a child workspace remains tied to its parent workspace.

By default, a child workspace's configuration is synchronized with the configuration of the parent. In other words, any changes to the parent workspace are copied to its child workspaces. Child workspaces can also override some of the parent configuration. From the parent workspace, you can track the child workspaces and how they are customized .

For example, you might want separate workspaces for different development teams. Each team can make adjustments to suit their specific projects - such as different subsets - but inherit everything else.

What does a child workspace inherit?

By default, a child workspace inherits all of the configuration from the parent workspace, except for the following:

Workspace name - A child workspace has its own name.
Workspace description - A child workspace has its own description.
Tags - A child workspace has its own tags.
Destination database - A child workspace writes output data to its own destination database. You can copy the destination database from the parent workspace.
Intermediate database - For upsert, a child workspace does not inherit the intermediate database.
Webhooks - A child workspace has its own webhooks.

How parent workspace changes affect child workspaces

When you change the configuration of a parent workspace, the configuration is also updated in the child workspaces.

The exception is when a child workspace overrides the configuration. If the configuration is overridden, then the child workspace does not inherit the change.

Tonic Structural indicates on both the parent and child workspaces when the configuration is overridden.

What can a child workspace override?

A child workspace can override the following configuration items.

Table modes - A child workspace can override the table mode for individual tables. The other tables continue to inherit the table mode that is configured in the parent workspace.
Column generators - A child workspace can override the generator for individual columns. The other columns continue to inherit the generator that is configured in the parent workspace. For linked columns, a change to any of the linked columns overrides the inheritance for all of the columns.
Subsetting - A child workspace can override the subsetting configuration from the parent workspace. Any change in the child workspace means that the child workspace no longer inherits any changes to the subsetting configuration from the parent workspace. For example, if you change the percentage setting on a single target table from 5 to 6, that eliminates the subsetting inheritance. The child workspace keeps the subsetting configuration that it already has, but it is not updated when the parent workspace is updated.
Post-job scripts - A child workspace can override the post-job scripts. Any change to the post-job scripts in the child workspace means that the child workspace no longer inherits any changes to the post-job scripts configuration.
Statistics seed - A child workspace can override the .

From each view, you can eliminate the overrides and restore the inheritance.

What must a child workspace inherit?

A child workspace cannot override the following configuration items:

Data connector type and source database - A child workspace always uses the same source data as the parent workspace.
Foreign keys - A child workspace always uses the same foreign key configuration as the parent workspace.
Sensitivity designation for a column - A child workspace cannot change whether a column is marked as sensitive.

How schema changes are resolved in parent and child workspaces

For removed tables and columns, when a child workspace overrides the parent workspace configuration for the table or column, you must resolve the change in the child workspace.

If there is a conflicting change for the removed table or column in the parent workspace configuration, then regardless of whether the configuration is inherited, you must resolve that change in the parent workspace before the change is resolved for the child workspace.

For changes to column nullability or data type, you resolve the change separately in the child and parent workspaces.

You also dismiss notifications (new tables and columns) separately in the parent and child workspaces.

Assigning tags to a workspace

Required workspace permission: Configure workspace settings

You can associate custom tags with each workspace. Tags can help to organize and provide a quick glance into the workspace configuration.

Tags are accessible to every user that has access to the workspace.

Tags are stored in the workspace JSON, and are included in the workspace export. You can also use the API to get access to tags.

Managing tags from workspace settings

You can add and edit tags in the Tags field on the New Workspace and Workspace Settings views.

To add tags, enter a comma-separated list of the tags to add.
To remove a tag, click its delete icon.

Managing tags from Workspaces view

You can also manage tags directly from Workspaces view.

Assigning tags

To add tags to a workspace that does not currently have tags:

Hover over the Tags column for the workspace.
Click Add Tags.
In the tag input field, type a comma-separated list of tags to apply.
Press Enter.

Editing the assigned tags

To edit the assigned tags:

Click the Tags column for the workspace.
In the tag input field, to remove tag, click its delete icon.
To add tags, type a comma-separated list of the tags to add.
To save the tag changes, press Enter.

Exporting and importing the workspace configuration

Required workspace permission: Export and import workspace

You can export a workspace configuration to a JSON file, and import configuration from a workspace configuration JSON file.

For example, you might want to preserve a version of the workspace configuration before you test other changes. You can then use the exported file to restore the original configuration.

Or you might want to use a script to make changes to an exported configuration file. You can then import the updated file to update the workspace configuration.

Information in the exported file

The workspace JSON configuration file includes the following information:

Sensitivity designations that you assigned to columns
Assigned table modes
Assigned column generators
Subsetting configuration
Post-job script configuration

Exporting the workspace configuration

To export the workspace configuration, either:

On the workspace management view, from the download menu, select Export Workspace.

On Workspaces view, click the actions menu for the workspace, then select Export.

When you export a child workspace, the exported workspace does not retain any of the inheritance information. The exported information is the same for all exported workspaces.

Importing a workspace configuration file

To import a workspace configuration file:

Select the import option. Either:
- On the workspace management view, from the download menu, select Import Workspace.
- On Workspaces view, click the actions menu for the workspace, then select Import.
On the Import Workspace dialog, to select the file to import, click Browse.
After you select the file, click Import.

When you import a workspace configuration into a child workspace, Tonic Structural only updates the configuration that can be overridden. If a configuration must be inherited from the parent workspace, then it is not affected by the imported configuration. For more information, go to About workspace inheritance.

Managing access to workspaces

When you create a workspace, you become the owner of the workspace, and by default are assigned the built-in Manager workspace permission set for the workspace. The Manager permission set provides full access to the workspace configuration, data, and results.

With a Professional or Enterprise license, you can also assign workspace permission sets to other users and to SSO groups. You can also transfer a workspace to a different owner.

If you are granted access to any workspace permission set for a workspace, then you have access to all of the workspace management views for that workspace. However, you can only perform tasks that you have permission for in that workspace.

Workspace access is managed from the Workspaces view. You cannot assign workspace permission sets from Structural Settings view.

You can also view an .

Sharing workspace access

Required license: Professional or Enterprise

Required permission

Global permission: View organization users. This permission is only required for the Tonic Structural application. It is not needed when you use the Structural API.
Either:
- Workspace permission: Share workspace access
- Global permission: Manage user access to Tonic and to any workspace

Tonic Structural uses workspace permission sets for role-based access (RBAC) of each workspace.

A workspace permission set is a set of workspace permissions. Each permission provides access to a specific workspace feature or function.

Structural provides built-in workspace permission sets. Enterprise instances can also configure custom permission sets.

To share workspace access, you assign workspace permission sets to users and, if you use SSO to manage Structural users, to SSO groups. Before you assign a workspace permission set to an SSO group, make sure that you are aware of who is in the group. The permissions that are granted to an SSO group automatically are granted to all of the users in the group. For information on how to configure Structural to filter the allowed SSO groups, go to Synchronizing SSO groups with Structural.

You cannot remove the owner workspace permission set from the workspace owner. By default, the owner permission set is the built-in Manager permission set.

To change the current access to the workspace:

To manage access to a single workspace, either:
- On the workspace management view, in the heading, click the share icon.
- On Workspaces view, click the actions menu for the workspace, then select Share.
To manage access for multiple workspaces:
1. Check the checkbox for each workspace to grant access to.
2. From the Actions menu, select Share Workspaces.
The workspace access panel contains the current list of users and groups that have access to the workspace. To add a user or group to the list of users and groups, begin to type the user email address or group name. From the list of matching users or groups, select the user or group to add. Free trial users can invite other users to start their own free trial. Provide the email addresses of the users to invite. The email addresses must have the same corporate email domain as your email address. When the invited users sign up for the free trial, they are added to the Structural organization for the free trial user that invited them and have access to the workspace.
For a user or group, to change the assigned workspace permission sets:
1. Click Access. The dropdown list is populated with the list of custom and built-in workspace permission sets. If you selected multiple workspaces, then on the initial display of the workspace sharing panel, for each permission set that a user or group currently has access to, the list shows the number of workspaces for which the user or group has that permission set. For example, you select three workspaces. A user currently has Editor access for one workspace and Viewer access for the other two. The Editor permission set has 1 next to it, and the Viewer permission set has 2 next to it.
2. Under Custom Permission Sets, check the checkbox next to each workspace permission set to assign to the user or group. Uncheck the checkbox next to each workspace permission set to remove from the user or group.
3. Under Built-In Permission Sets, check the workspace permission set to assign to the user or group. You can only assign one built-in permission set. By default, for an added user or group, the Editor permission set is selected. To select a built-in workspace permission set that is lower in access than the currently selected permission set, you must first uncheck the selected permission set. For example, if Editor is currently checked, then to change the selection to Viewer, you must first uncheck Editor.
To remove all access for a user or group, and remove the user or group from the list, click Access, then click Revoke.
To save the new access, click Save.

Transferring ownership of a workspace

Required permission

Global permission: View organization users. This permission is only required for the Tonic Structural application. It is not needed when you use the Structural API.
Either:
- Workspace permission: Transfer workspace ownership
- Global permission: Manage access to Tonic Structural and to any workspace

To grant yourself access after the transfer:

Workspace permission: Share workspace access

Every workspace has an owner. The owner is always a user.

The user who creates the workspace is automatically the owner of the workspace.

By default, the workspace owner is assigned the built-in Manager workspace permission set. On Enterprise instances, you can .

You cannot remove that permission set from the workspace owner.

You can transfer a workspace to a different owner. The new owner is assigned the owner permission set. If the previous owner does not otherwise have access to the owner permission set, then that permission set is removed.

To transfer workspace ownership:

To transfer ownership of a single workspace, from the workspace actions menu, select Transfer Ownership.
To transfer ownership of multiple workspaces:
1. Check the checkbox for each workspace to grant access to.
2. From the Actions menu, select Transfer Ownership.
On the transfer ownership panel, from the User dropdown list, select the new owner.
If you are the current owner of the workspace, then to grant yourself non-owner access after you transfer the ownership:
1. Toggle Receive access to workspace to the on position.
2. Select the workspace permission set to assign to yourself.
Click Transfer Ownership.

Configuring data generation

Database View

Database View provides a complete view of your source database structure and configuration.

To display Database View, either:

On the workspace management view, in the workspace navigation bar, click Database View.
On Workspaces view, from the dropdown menu in the Name column, select Database View.

Database View consists of:

On the left, the list of tables in the source database.
On the right, the list of columns in those tables.

View table and column information

Configure and comment on columns

Viewing and configuring tables

The table list at the left of Database View contains the list of tables in the source database. You can filter the table list and assign tables modes to the tables.

Information in the table list

The table list is grouped by schema. You can expand and collapse the list of tables in each schema. This does not affect the displayed columns.

For a workspace, each table corresponds to a file group.

For each table, the table list includes the following information:

The name of the table.
The number of columns that have an assigned generator (a generator other than Passthrough). The number does not display if none of the table columns has an assigned generator.
The . The table list only shows the first letter of the table mode:
- D = De-identify
- S = Scale
- T = Truncate
- P = Preserve Destination
- I = Incremental

For a child workspace, if the selected table mode overrides the parent workspace configuration, then the override icon displays.

To display for a table, click the arrow icon to the right of the table entry.

Filtering the table list

You can filter the table list and . You can also filter the tables based on .

As you filter the table list, the column list also is filtered to only include the columns for the filtered tables.

Filtering by table name

To filter the table list by name, in the filter field, begin to type text that is in the table name.

As you type, Tonic Structural filters the list to only display tables with names that contain the filter text.

Filtering by the assigned table mode

To filter the table list based on the assigned table mode:

Click Filters.
On the filter panel, check the checkbox next to each table mode to include. By default, the list includes all of the table modes. As you check and uncheck the table mode checkboxes, Structural adds and removes the associated tables from the list.

Filtering to exclude tables that have assigned generators

You can filter the table list to only display tables that have no assigned generators:

Click Filters.
On the filter panel, to only show tables that do not have assigned generators, check the No Generators Applied checkbox.

Assigning table modes to tables

Required workspace permission: Assign table modes

The table mode determines the number of rows and columns in the destination database. For details about the available table modes and how they work, go to .

Updating a single table

To change the assigned table mode for a single table:

Click the table mode dropdown next to the table name.
From the table mode dropdown list, select the table mode.
For a child workspace, the table mode selection panel indicates whether the selected table mode is inherited from the parent workspace. If the child workspace currently overrides the parent workspace configuration, then to reset the table mode to the table mode that is assigned in the parent workspace, click Reset.

Updating multiple tables

To change the assigned table mode for multiple tables:

Check the checkbox for each table to change the table mode for. To select a continuous range of tables, click the first table in the range, then Shift-click the last table in the range. To select all of the tables in a schema, click the schema name.
Click Bulk Edit.
On the panel, click the radio button for the table mode to assign to the selected tables.

Displaying sample data for a column

Required workspace permission:

Source data: Preview source data
Destination data: Preview destination data

For each column on Database View, you can display a sample list of the column values.

For columns that have an assigned generator, the sample shows both the current values and the possible values after the generator is applied.

To display the sample values, in the Column column, click the magnifying glass icon.

If the generator is Passthrough, then the sample data panel contains only Original Data.

If a different generator is assigned, then the sample data panel contains both Original Data and Protected Output.

Configuring an individual column

For an individual column in Database View, you can configure the assigned generator and determine the column sensitivity.

Displaying the generator configuration panel

From the column list, to display the generator configuration panel, in the Applied Generator column, click the generator name tag.

Indicating whether a column is sensitive

Required workspace permission: Configure column sensitivity

The Structural sensitivity scan provides an initial indication of whether a column is sensitive and, if it is sensitive:

The type of sensitive data that is in the column.
The confidence level of the sensitivity detection.

For more information, go to .

In a child workspace, you cannot configure whether a column is sensitive. A child workspace always inherits the sensitivity designations from its parent workspace.

Status column

From the Status column, to confirm or change the column sensitivity, click the Status value.

The status panel indicates whether the column is sensitive. It identifies the sensitivity type, and indicates how the sensitivity was determined - by a sensitivity scan or by a user.

Built-in sensitivity type

For a column that matches a built-in sensitivity type, the first time that you display the panel, the Sensitive data? setting displays Yes and No options for you to confirm or change the sensitivity.

To indicate that the column is sensitive, click Yes.
To indicate that the column is not sensitive, click No.

When you click Yes or No, the Yes and No options change to a simple toggle. When you click Yes, the sensitivity confidence level changes to full.

After that:

To indicate that the column is sensitive, toggle Sensitive data? to the on position.
To indicate that the column is not sensitive, toggle Sensitive data? to the off position.

Sensitivity rule match

When a column matches a sensitivity rule, the sensitivity panel indicates that the column matched a sensitivity rule.

You use the Sensitive data? toggle to indicate whether the column is actually sensitive.

No built-in sensitivity type or sensitivity rule match

When a column does not match a built-in sensitivity type or a custom sensitivity rule, the sensitivity panel indicates that column is not sensitive.

The Sensitive data? setting displays Yes and No options for you to confirm or change the sensitivity.

To indicate that the column is sensitive, click Yes.
To confirm that the column is not sensitive, click No.

When you click Yes or No, the Yes and No options change to a simple toggle.

If you click Yes:

The panel updates to indicate that a user confirmed that the column is sensitive.
The sensitivity confidence level is set to full confidence.

After that:

To indicate that the column is sensitive, toggle Sensitive data? to the on position.
To indicate that the column is not sensitive, toggle Sensitive data? to the off position.

Column configuration panel

To configure the sensitivity, you can also use the Sensitive Data toggle on the column configuration panel.

To indicate that a column is sensitive, toggle the sensitivity setting to the on position.
To indicate that the column is not sensitive, toggle the sensitivity setting to the off position.

When you change the sensitivity from the generator configuration panel, the Sensitive data? setting on the sensitivity panel also changes from the Yes and No options to the toggle.

Assigning or ignoring the recommended generator

Required workspace permission: Configure column generators

When a sensitivity scan identifies a column, Structural recommends a generator for the column. For example, when the sensitivity scan identifies a column as a first name, Structural recommends the Name generator configured to generate a first name value.

In the Assigned Generator column on Database View, columns that do not have an assigned generator, and that have a recommended generator, display the available recommendation icon.

When you click the generator dropdown, the column configuration panel includes the following information:

The sensitivity confidence level.
The recommended generator.
Sample source and destination values based on the recommended generator.

From the panel, you choose whether to assign or ignore the recommended generator for that type.

To assign the recommended generator, click Apply.
To ignore the recommendation, click Ignore. Structural clears the recommendation.

Changing the column generator configuration

Required workspace permission: Configure column generators

To change the generator that is assigned to a selected column:

Click the generator name tag for the column.
To assign a different generator to the column, from the Generator Type dropdown list, select the generator.
Configure the generator options.

To reset an assigned generator to Passthrough, which indicates to not transform the data:

Click the generator name tag.
On the generator configuration panel, click the delete icon next to the generator dropdown.

For details about the configuration options for each generator, go to the .

For more information about selecting and configuring generators and generator presets, go to .

Enabling Document View for JSON columns

Supported only for the file connector and PostgreSQL.

For a JSON column, instead of assigning a generator, you can enable Document View.

From Document View, you can view the JSON schema structure and assign generators to individual JSON fields. For more information, go to .

To enable Document View, on the column configuration panel, toggle Use Document View to the on position. Note that if you have , or enabled , then the Use Document View toggle is in the advanced options.

When Document View is enabled, the generator dropdown is replaced with the Open in Document View option.

Configuring multiple columns

The bulk edit option on Database View allows you to configure multiple columns at the same time. From the bulk editing panel, you can:

Mark the selected columns as sensitive or not sensitive.
Assign a generator to the selected columns.
Apply the recommended generator to the selected columns.
Reset the generator configuration to the baseline. This option requires that all of the selected columns are assigned the same preset.

Depending on the column selection, you can also create a new sensitivity rule.

Displaying the bulk edit option

To select the columns and display the bulk edit option:

Check the checkbox next to each column to update.
Click Bulk Edit.

Marking the columns as sensitive or not sensitive

Required workspace permission: Configure column sensitivity

On the Bulk Edit panel, under Sensitivity:

To mark the selected columns as sensitive, click Sensitive.
To mark the selected columns as not sensitive, click Not Sensitive.

Changing the assigned generator

Required workspace permission: Configure column generators

On the Bulk Edit panel, under Bulk Edit Applied Generator, select and configure the generator to assign to the selected columns.

Assigning the recommended generator to the columns

Required workspace permission: Configure column generators

If any of the selected columns have a recommended generator, then on the Bulk Edit panel, the Generator recommendations found panel displays. The panel indicates the number of selected columns that have a recommendation.

To assign the recommended generators to those columns, click Apply.

Restoring the baseline configuration for the columns

Required workspace permission: Configure column generators

For a generator preset, the baseline configuration is the configuration that is saved for that preset. The baseline configuration determines the default configuration to use when you assign the preset to a column. After you select the preset, you can override the baseline configuration.

If all of the selected columns are assigned the same preset, then to restore the baseline configuration for all of the columns, click Reset to Baseline.

Creating a sensitivity rule

Required license: Enterprise

Required global permission: Create and manage sensitivity rules

You might bulk edit columns that could benefit from a custom sensitivity rule.

For example, in your data, the Widget column is in multiple tables and contains sensitive data that Structural cannot identify. You select all of the Widget columns so that you can mark them as sensitive and apply the Character Scramble generator to them.

However, a custom sensitivity rule would ensure that in the future, Widget columns are always marked as sensitive and have the Character Scramble generator recommended.

On the Bulk Edit panel, when all of the selected columns:

Have the same data type.
Do not have a generator assigned.
Do not have a recommended generator.

Then Structural displays the Create a Sensitivity Rule panel, which contains the option to create a new sensitivity rule.

To create a sensitivity rule:

Click Create Custom Rule.
On the Create Custom Rule view, configure the new sensitivity rule. Structural automatically selects a data type based on the selected columns. The current workspace is used as the testing workspace to verify the columns that match the rule configuration. For details about the sensitivity rule configuration, go to .
When you finish configuring the new rule:
- To both save the rule and apply the generator preset to all workspace columns that match the rule, click Save and Apply. On the confirmation panel, click Confirm Auto Apply.
- To save the rule, but not apply the configured generator preset to matching columns, click Save.

Structural closes the sensitivity rule configuration view and returns you to Database View. It maintains the previous column selection.

If you did not apply the generator preset, then the sensitivity rule is included in the next sensitivity scan.

Identifying similar columns

During sensitivity scans and schema change scans, Tonic Structural identifies groups of similar columns.

To identify similar columns, Structural uses a text embedding model to calculate the semantic similarity between any two column names in the database. When a column name's semantic similarity to the name of a given column is above a specified threshold, then the column is similar to the given column.

If a column has similar columns, then the Applied Generator column contains an icon that includes the count of similar columns.

By default, the similar columns icon is hidden. To display the similar columns icon, hover over the column row.

When you assign a generator to a column, the similar columns icon for that column remains visible during your current session.

When you click the similar columns icon, Structural displays a panel with an option to filter the list to display the current column and its similar columns. To apply the filter, click Filter.

The similar columns filter is applied, and other column filters are removed. Table filters remain in place.

Commenting on columns

Required license: Professional or Enterprise

From Database View, you can add comments to columns. For example, you might use a comment to explain why you selected a particular generator or marked a column as sensitive or not sensitive.

Creating a new comment

If a column does not have any comments, then to add a comment:

In the Applied Generator column, click the comment icon.
In the comment field, type the comment text.
Click Comment.

Responding to existing comments

When a column has existing comments, the comment icon is green. To add comments:

Click the comment icon. The comments panel shows the previous comments. Each comment includes the comment user.
In the comment field, type the comment text.
Click Reply.

Working with document-based data

For document-based data connectors - currently and - Database View and Table View are replaced by Collection View.

"Collection" is the term that Structural uses to refer to MongoDB collections and DynamoDB tables.

Structural also allows you to run collection scans to identify the data structure.

Identifying sensitive data

Tonic Structural uses its sensitivity scan to identify source data columns that contain sensitive information. The scan ignores truncated tables.

The sensitivity scan identifies Structural's built-in sensitivity types. It also looks for custom types that you define.

You can also manually mark a column as sensitive or not sensitive.

Manually indicating whether a column is sensitive

You can also manually indicate that a column is sensitive or not sensitive.

For example, the sensitivity scan might incorrectly identify a column as sensitive. Or a column might contain data that you consider sensitive but that does not match a detected sensitivity type.

When you manually change a column from not sensitive to sensitive, Structural marks the sensitivity detection as full confidence.

For information on how to change whether a column is sensitive:

For Privacy Hub, go to .
For Database View, go to:
- For a single column,
- For multiple selected columns,
For Table View, go to .

The Structural API also provides .

Generator information

Generators transform the data in a source database column. You assign the generators to use. Tonic Structural offers a variety of generators to transform different types of data.

For details about how to assign and configure generators, and manage generator presets, go to .

You can also view this .

About the available generators

Generator characteristics and types

Algebraic

The algebraic generator identifies the algebraic relationship between three or more numeric values and generates new values to match. At least one of the values must be a non-integer.

If a relationship cannot be found, then the generator defaults to the generator.

This generator can be linked with other Algebraic generators.

Characteristics

How to configure

To configure the generator, from the Link To dropdown list, select the columns to link this column to. You can select other columns that are assigned the Algebraic generator.

You must select at least three columns.

The column values must be numeric. At least one of the columns must contain a value other than an integer.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Alphanumeric String Key

Generates unique alphanumeric strings of the same length as the input.

For example, for the origin value ABC123, the output value is a six-character alphanumeric string such as D24N05.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Array Character Scramble

A version of the generator that can be used for array values.

This generator replaces letters with random other letters, and numbers with random other numbers. Punctuation and whitespace are preserved.

For example, for the following array value:

["ABC.123", 3, "last week"]

The output might be something like:

["KFR.860", 7, "sdrw mwoc"]

This generator securely masks letters and numbers. There is no way to recover the original data.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

ASCII Key

Generates unique alphanumeric strings based on any printable ASCII characters. The length of the source string is not preserved. You can choose to exclude lowercase letters from the generated values.

Characteristics

How to configure

To configure the generator:

To exclude lowercase letters from the generated values, toggle Exclude Lowercase Alphabet to the on position.
Toggle the Consistency setting to indicate whether to make the generator consistent. By default, the generator is not consistent.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Business Name

Generates a random company name-like string.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator consistent.

By default, the generator is not consistent.

If consistency is enabled, then by default it is self-consistent. To make the generator consistent with another column, from the Consistent to dropdown list, select the column.

When the generator is consistent with itself, then a given source value is always mapped to the same destination value. For example, My Business is always mapped to New Business.

When the generator is consistent with another column, then a given source value in that other column always results in the same destination value for the company name column. For example, if the company name column is consistent with a name column, then every instance of John Smith in the name column in the source database has the same company name in the destination database.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Character Scramble

This generator replaces letters with random other letters and numbers with random other numbers. Punctuation, whitespace, and mathematical symbols are preserved.

For example, for the following input string:

ABC.123 123-456-789 Go!

The output would be something like:

PRX.804 296-915-378 Ab!

This generator securely masks letters and numbers. There is no way to recover the original data.

Character Scramble is similar to , with a couple of key differences.

While you can enable consistency for the entire value, Character Scramble does not always replace the same source character with the same destination character. Because there is no guarantee of unique values, you cannot use Character Scramble on unique columns.

Character Substitution, however, does always map the same source character to the same destination character. Character Substitution is always consistent, which makes it less secure than Character Scramble. You can use Character Substitution on unique columns.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Company Name

This generator is deprecated. Use the generator instead.

Generates a random company name-like string.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator consistent.

By default, the generator is not consistent.

If consistency is enabled, then by default it is self-consistent. To make the generator consistent with another column, from the Consistent to dropdown list, select the column.

When the generator is consistent with itself, then a given source value is always mapped to the same destination value. For example, My Company is always mapped to New Company.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Constant

Uses a single value to mask all of the values in the column.

For example, you can replace every value in a string column with the value String1. Or you can replace every value in a numeric column with the value 12345.

Characteristics

Consistency

No, cannot be made consistent.

Linking

No, cannot be linked.

Differential privacy

Yes

Data-free

Yes

Allowed for primary keys

Allowed for unique columns

Uses format-preserving encryption (FPE)

Privacy ranking

Generator ID (for the API)

How to configure

To configure the generator, in the Constant Value field, provide the value to use.

The value must be compatible with the field type. For example, you cannot provide a string value for an integer column.

If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Continuous

Generates a continuous distribution to fit the underlying data.

This generator can be linked to other Continuous generators to create multivariate distributions and can be partitioned by other columns.

Characteristics

How to configure

To configure the generator:

From the Link To drop-down list, select the other Continuous generator columns to link to. The linking creates a multivariate distribution.
From the Partition By drop-down list, select one or more columns to use to partition the data. The selected columns must have the generator set to either Passthrough or Categorical. For more information about partitioning and how it works, go to .
Toggle the Differential Privacy setting to indicate whether to make the output data differentially private. By default, the generator is not differentially private.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Custom Categorical

A version of the Categorical generator that selects from values that you provide instead of shuffling the original values.

Characteristics

Consistency

Yes, can be made self-consistent or consistent with another column.

Linking

Yes, can be linked.

Differential privacy

Yes, if consistency is not enabled.

Data-free

Yes, if consistency is not enabled.

Allowed for primary keys

Allowed for unique columns

Uses format-preserving encryption (FPE)

Privacy ranking

1 if not consistent
4 if consistent

Generator ID (for the API)

How to configure

To configure the generator:

From the Link To dropdown list, select the columns to link this column to. You can only select other columns that use the Custom Categorical generator.
In the Custom Categories text area, enter the list of values that the generator can choose from. Put each value on a separate line. To add a NULL value to the list, use the keyword {NULL}.
Toggle the Consistency setting to indicate whether to make the column consistent. By default, consistency is disabled.
If you enable consistency, then by default the generator is self-consistent. To make the generator consistent with another column, from the Consistent to dropdown list, select the column. When a generator is self-consistent, then a given value in the source database is always mapped to the same value in the destination database. When a generator is consistent with another column, then a given source value in that column always results in the same value for the current column in the destination database. For example, a department column is consistent with a username column. For each instance of User1 in the source database, the value in the department column is the same.
If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Event Timestamps

Generates timestamps that fit an event distribution. The source timestamp must include a date. It cannot be a time-only value.

Link columns to create a sequence of events across multiple columns. This generator can be partitioned by other columns.

Characteristics

Consistency

No, cannot be made consistent.

Linking

Yes, can be linked.

Differential privacy

Data-free

Allowed for primary keys

Allowed for unique columns

Uses format-preserving encryption (FPE)

Privacy ranking

Generator ID (for the API)

How to configure

To configure the generator:

From the Link To dropdown list, select the other Event Timestamps generator columns to link this column to. Linking creates a sequence across multiple columns.
From the Partition drop-down list, select one or more columns to use to partition the data. The selected columns must have their generator set to either Passthrough or Categorical. For more information about partitioning and how it works, go to Partitioning a column.
The Options list displays the current column and linked columns. Use the Up and Down buttons to configure the column sequence.
If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

File Name

This generator scrambles characters, but preserves formatting and keeps the file extension intact.

For example, for the following input value:

DataSummary1.pdf

The output value would look something like:

RsnoPwcsrtv5.pdf

This generator securely masks letters and numbers. There is no way to recover the original data.

Characteristics

Consistency

Yes, can be made self-consistent.

Linking

No, cannot be linked.

Differential privacy

Data-free

Allowed for primary keys

Allowed for unique columns

Uses format-preserving encryption (FPE)

Privacy ranking

3 if not consistent
4 if consistent

Generator ID (for the API)

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Find and Replace

This generator replaces all instances of the find string with the replace string.

For example, you can indicate to replace all instances of abc with 123.

Characteristics

How to configure

To configure the generator:

In the Find field, type the string to look for in the source column value. To use a regular expression to identify the source value, check the Use Regex checkbox. If you use a regular expression, use backslash ( \ ) as the escape character.
In the Replace field, type the string to replace the matching string with.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Finnish Personal Identity Code

Generates a valid Finnish Personal Identity Code (PIC) that would have been issued during a specific date range.

Characteristics

Consistency

Yes, can be made self-consistent.

Linking

No, cannot be linked.

Differential privacy

No, cannot be made differentially private.

Data-free

Yes, if consistency is not enabled.

Allowed for primary keys

Allowed for unique columns

Yes

Generator ID (for the API)

How to configure

To configure the generator:

Under Date Range, set the start and date for the date range to generate the PICs for.
Toggle the Consistency setting to indicate whether to make the generator self-consistent. By default, the generator is not consistent.
If Structural data encryption is enabled, then to use it for this column, toggle Use data encryption process to the on position.

FNR

The FNR generator transforms Norwegian national identity numbers. In Norwegian, the term for national identity number abbreviates to FNR.

The first six digits of an FNR reflects the person's birthdate. You can choose to preserve the birthdates from the source values in the destination values. If you do not preserve the source values, the destination values are still within the same date range as the source values.

Another digit in an FNR indicates whether the person is male or female. You can specify whether to preserve in the generated value the gender indicated in the source value.

The last digits in an FNR are a checksum value. The last digits in the destination value are not a checksum - the values are random.

Characteristics

How to configure

To configure the generator:

To preserve the gender from the source value in the destination value, toggle Preserve Gender to the on position.
To preserve the birthdate from the source value in the destination value, toggle Preserve Birthdate to the on position.
Toggle the Consistency setting to indicate whether to make the generator consistent. By default, consistency is disabled.
If you enable consistency, then by default the generator is self-consistent. To make the generator consistent with another column, from the Consistent to dropdown list, select the column. When a generator is self-consistent, then a given value in the source database is always mapped to the same value in the destination database. When a generator is consistent with another column, then a given value for that other column in the source database results in the same value in the destination database. For example, if the FNR column is consistent with a Name column, then every instance of John Smith in the source database results in the same FNR in the destination database.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Hostname

Generates random host names, based on the English language.

Characteristics

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator consistent.

By default, the generator is not consistent.

If you enable consistency, then by default the generator is self-consistent. To make the generator consistent with another column, from Consistent to, select the column.

When the generator is consistent with itself, then a given value in the source database is mapped to the same value in the destination database. For example, Host123 in the source database always produces MyHostABC in the destination database.

When the generator is consistent with another column, then a given source value in the other column results in the same host name value in the destination database. For example, a host name column is consistent with a department column. Every instance of Sales in the source data is given the same host name in the destination database.

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

HStore Mask

This is a .

Runs selected generators on specified key values in an HStore column in a PostgreSQL database. HStore columns contain a set of key-value pairs.

Characteristics

How to configure

Adding a sub-generator

To assign a generator to a key:

Under Sub-generators, click Add Generator. On the sub-generator configuration panel, the Cell HStore field contains a sample value from the source database. You can use the previous and next icons to page through different values.
Under Enter a key, enter the name of a key from the column value. For example, for the column value: "pages"=>"446", "title"=>"The Iliad", "category"=>"mythology" To apply a generator to the title, you would enter title as the key. Matched HStore Values shows the result from the value in Cell HStore.
From the Generator Configuration dropdown list, select the generator to apply to the key value. You cannot select another composite generator.
Configure the selected generator. You cannot configure the selected generator to be consistent with another column.
To save the configuration and immediately add a generator for another key, click Save and Add Another. To save the configuration and close the add generator panel, click Save.

Managing the sub-generators list

From the Sub-Generators list:

To edit a generator assignment, click the edit icon.
To remove a generator assignment, click the delete icon.
To move a generator assignment up or down in the list, click the up or down arrow.

International Address

Generates an address-like string to replace either:

For a Canadian postal address, the street name or postal code.
For a United Kingdom (UK) mailing address, the postal code.

To replace a Canadian postal code:

The generator selects a real postal code that starts with the same three digits - has the same Forward Sortation Area (FSA) - as the original postal code, but that has a different Local Delivery Unit (LDU).
For a postal code whose FSA is not on the list that the generator uses, you can provide a fallback value to use.

To replace a UK postal code, the generator selects a real postal code.

Characteristics

How to configure

To configure the generator:

From the Generator Type dropdown list, select International Address.
From the Country dropdown list, select the country (Canada or United Kingdom).
From the Address Component dropdown list, select the address component that this column contains. For Canada, the available options are:
- Street Name
- Postal Code
For the UK, the only option is to generate a postal code.
For a Canadian postal code, in the Fallback Value field, type the FSA to use if the value in the data does not exist. For example, the FSA in the data might be new and not yet in the list that Structural uses, or the FSA might be invalid. By default, the fallback value is NULL, meaning that in the destination data, the postal code value is the string literal "NULL".
Toggle the Consistency setting to indicate whether to make the column self-consistent. By default, consistency is disabled.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

IP Address

Generates a random IP address formatted string.

Characteristics

How to configure

To configure the generator:

In the Percent IPv4 field, type the percentage of output values that are IPv4 addresses. For example, if you set this to 60, then 60% of the generated IP addresses are IPv4 addresses, and 40% of the generated IP addresses are IPv6 addresses. If you set this to 100, then all of the generated IP addresses are IPv4 addresses. If you set this to 0, then all of the generated IP addresses are IPv6 addresses.
Toggle the Consistency setting to indicate whether to make the column consistent. By default, consistency is disabled.
If you enable consistency, then by default the generator is self-consistent. To make the generator consistent with another column, from the Consistent to dropdown list, select the column. When a generator is self-consistent, then a given value in the source database is always mapped to the same value in the destination database. When a generator is consistent with another column, then a given source value in that column always results in the same IP address value in the destination database. For example, an IP address column is consistent with a username column. For each instance of User1 in the source database, the value in the IP address column is the same.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Mongo ObjectId Key

Generates unique object identifiers.

Can be assigned to text columns that contain MongoDB ObjectId values. The column value must be 12 bytes long.

Characteristics

How to configure

To configure the generator:

A MongoID object identifier consists of an epoch timestamp, a random value, and an incremented counter. To only change the random value portion of the identifier, but keep the timestamp and counter portions, toggle Preserve Timestamp and Incremental Counter to the on position.
Toggle the Consistency setting to indicate whether to make the generator self-consistent. By default, the generator is not consistent.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Null

Generates NULL values to fill the rows of the specified column.

Characteristics

Consistency

No, cannot be made consistent.

Linking

No, cannot be linked.

Differential privacy

Yes

Data-free

Yes

Allowed for primary keys

Allowed for unique columns

Yes

Uses format-preserving encryption (FPE)

Privacy ranking

Generator ID (for the API)

How to configure

The Null generator has no configuration options.

Numeric String Key

Generates unique numeric strings of the same length as the input value.

For example, for the input value 123456, the output value would be something like 832957.

You can apply this generator only to columns that contain numeric strings.

Characteristics

Consistency

Yes, can be made self-consistent.

Linking

No, cannot be linked.

Differential privacy

Data-free

Allowed for primary keys

Yes

Allowed for unique columns

Yes

Uses format-preserving encryption (FPE)

Yes

Privacy ranking

3 if not consistent
4 if consistent

Generator ID (for the API)

How to configure

To configure the generator, toggle the Consistency setting to indicate whether to make the generator self-consistent.

By default, the generator is not consistent.

If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Passthrough

Passthrough is the default option.

It passes through the value from the source database to the destination database without masking it.

Characteristics

Consistency

No, cannot be made consistent.

Linking

No, cannot be linked.

Differential privacy

Data-free

Allowed for primary keys

Allowed for unique columns

Yes

Uses format-preserving encryption (FPE)

Privacy ranking

Generator ID (for the API)

How to configure

Passthrough has no configuration options.

Phone

Generates a random telephone number that matches the country or region of the input telephone number, but preserves the format. For example, (123) 456-7890 or 123-456-7890.

If the input is not a valid telephone number, the generator randomly replaces numeric characters. You can also replace invalid numbers with valid numbers.

By default, the numbers are United States telephone numbers.

If the input is a valid telephone number, or if you replace invalid numbers, then the generated numbers pass Google's verification.

Characteristics

How to configure

To configure the generator:

Toggle the Replace invalid numbers setting to indicate whether to replace invalid input values with a valid output value. By default, the generator does not replace invalid values. It randomly replaces numeric characters.
Toggle the Consistency setting to indicate whether to make the generator self-consistent. By default, consistency is disabled.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Random Boolean

Generates a random boolean value.

Characteristics

Consistency

No, cannot be made consistent.

Linking

No, cannot be linked.

Differential privacy

Yes

Data-free

Yes

Allowed for primary keys

Allowed for unique columns

Uses format-preserving encryption (FPE)

Privacy ranking

Generator ID (for the API)

How to configure

To configure the generator, in the Percent True field, enter the percentage of values to set to True in the output.

For example, if you set this to 60, then 60% of the output values are True, and 40% of the output values are False.

If you set this to 100, then all of the output values are True.

If you set this to 0, then all of the output values are False.

If Structural data encryption is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Random Double

Generates a random double number between the specified minimum (inclusive) and maximum (exclusive).

Characteristics

How to configure

To configure the generator:

In the Minimum field, type the minimum value to use in the output values. The minimum value is inclusive. The output values can be that value or higher.
In the Maximum field, type the maximum value to use in the output values. The maximum value is exclusive. The output values are lower than that value.
If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Random Hash

Generates a random hash string.

Characteristics

How to configure

If is enabled, then to use it for this column, in the advanced options section, toggle Use data encryption process to the on position.

Getting started with the Structural free trial

If you are a user who wants to set up an account in an existing Tonic Structural Cloud or self-hosted organization, go to Creating a new account in an existing organization.

About the Structural free trial

The Structural 14-day free trial allows you to explore and experiment in Structural Cloud before you decide whether to purchase Structural.

When you sign up for a free trial, Structural automatically creates a sample workspace for you to use. You can also create a workspace that uses your own database or files.

The free trial provides tools to introduce you to Structural and to guide you through configuring and completing a data generation.

Structural tracks and displays the amount of time remaining in your free trial. You can request a demonstration and contact support.

When the free trial period ends, you can continue to use Structural to configure workspaces. You can no longer generate data or train models. Contact Tonic.ai to discuss purchasing a Structural license, or select the option to start a Structural Cloud pay-as-you-go subscription.

Signing up for the free trial

To start a new free trial of Structural:

Go to app.tonic.ai.
Click Create Account.

On the Create your account dialog, to create an account, either:

To use a corporate Google email address to create the account, click Create account using Google.
To create a new Structural account:
1. Enter your email address. You cannot use a public email address for a free trial account.
2. Create and confirm a Structural password.
3. Click Create Account.

Structural sends an activation link to your email address.

After you activate your account and log in, Structural next prompts you to select the use case that best matches why you are exploring Structural.

If none of the provided use cases fits, use the Other option to tell us about your use case.

After you select a use case, click Next. The Create Your Workspace panel displays.

Determining whether to use your own data

When you sign up for a free trial, Structural provides access to a sample PostgreSQL workspace that you can use to explore how to configure and run data generation.

You can also choose to create a workspace that uses your own data, either from local files or from a database.

If you do connect to your own data, then you must allowlist the Structural static IP addresses. For more information, go to I allowlist access to my database. What are your static IP addresses?.

On the Create your workspace panel:

To use the sample workspace, click Use a sample workspace, then click Next. Structural displays Privacy Hub, which summarizes the protection status for the source data. It also displays the Getting Started Guide panel and the quick start checklist.
To create a workspace that uses local files as the source data, click Upload Files, then click Next. Go to Uploading files.
To create a new workspace that uses your own data, click Bring your own data, then click Next. Go to Connecting to a database.

Uploading files

The Upload files option creates a local files file connector workspace. The source data consists of groups of files selected from a local file system. The files in a file group must have the same type and structure. Each file group becomes a "table" in the source data.

For other workspaces that you create during the free trial, you can also create a file connector workspace that uses files from cloud storage ( Amazon S3 or Google Cloud Storage).

After you select Upload files and click Next, you are prompted to provide a name for the workspace.

In the field provided, enter the name to use for the workspace, then click Next.

Structural displays the File Groups view, where you can set up the file groups for the workspace.

It also displays the Getting Started Guide panel with links to resources to help you get started.

After you create at least one file group, you can start to use the other Structural features and functions.

Connecting to a database

If you connect to your own data, then you must allowlist the Structural static IP addresses. For more information, go to I allowlist access to my database. What are your static IP addresses?.

Provide a name for your workspace

If you choose to create a workspace with your own data, then the first step is to provide a name for the workspace.

In the field provided, enter the name to use for your first workspace, then click Next.

The Invite others to Tonic panel displays.

Invite other users to Structural and your workspace

Under Invite others to Tonic, you can optionally invite other users with the same corporate email domain to start their own Structural free trial. The users that you invite are able to view and edit your workspace.

For example, you might want to invite other users if you don't have access to the connection information for the source data. You can invite a user who does have access. They can then update the workspace configuration to add the connection details.

To continue without inviting other users, click Skip this step.

To invite users:

For each user to invite, enter the email address, then press Enter. The email addresses must have the same corporate email domain as your email address.
After you create the list of users to invite, click Next.

The Add source data connection view displays.

Supported databases for free trial workspaces

The final step in the workspace creation is to provide the source data to use for your workspace.

Structural provides data connectors that allow you to connect to an existing database. Each data connector allows you to connect to a specific type of database. Structural supports several types of application databases, data warehouses, and Spark data solutions.

For the first workspace that you create using the free trial wizard, you can choose:

For subsequent workspaces that you create from Workspaces view, you can also choose Databricks, Salesforce, and Amazon DynamoDB.

Selecting the database type

To connect to an existing database, on the Add source data connection panel, click the data connector to use, then click Add connection details.

The panel also includes a Local files option, which creates a local files file connector workspace, the same as the Upload files option.

Use the connection details fields to provide the connection information for your source data. The specific fields depend on the type of data connector that you select.

After you provide the connection details, to test the connection, click Test Connection.

To save your workspace, click Save.

Structural displays Privacy Hub, which summarizes the protection status for the source data.

It also displays the Getting Started Guide panel with links to resources to help you get started.

Free trial resources

The Structural free trial includes a couple of resources to introduce you to Structural and to guide you through the tasks for your first data generation.

Getting Started Guide panel

The Getting Started Guide panel provides access to Structural information and support resources.

The Getting Started Guide panel displays automatically when you first start the free trial. To display the Getting Started Guide panel manually, in the Structural heading, click Getting Started.

The Getting Started Guide panel provides links to Structural instructional videos and this Structural documentation. It also contains links to request a Structural demo, contact Tonic.ai support, and purchase a Structural Cloud pay-as-you-go subscription.

Quick start checklist

For each free trial workspace, Structural provides access to a workspace checklist.

The checklist displays at the bottom left of the workspace management view. It displays automatically when you display the workspace management view. To hide the checklist, click the minimize icon. To display the checklist again, click the checklist icon.

The checklist provides a basic list of tasks to perform in order to complete a Structural data generation.

Each checklist task is linked to the Structural location where you can complete that task. Structural automatically detects and marks when a task is completed.

The checklist tasks are slightly different based on the type of workspace.

Checklist for database-based workspaces

For workspaces that are connected to a database, including the sample PostgreSQL workspace and workspaces that you connect to your own data, the checklist contains:

Connect a source database - Set the connection to the source database. In most cases, you set the source connection when you create the workspace. When you click this step, Structural navigates to the Source Settings section of the workspace details view.
Connect to destination database - Set the location where Structural writes the transformed data. When you click this step, Structural navigates to the Destination Settings section of the workspace details view.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source data. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce the destination data. When you click this item, Structural navigates to the Confirm Generation panel.

Checklist for local file workspaces

For workspaces that use data from local files, the checklist contains:

Create a file group - Create a file group with files that you upload from a local file system. Each file group becomes a table in the workspace. When you click this step, Structural navigates to the File Groups view for the workspace.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source files. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce transformed versions of the source files. When you click this step, Structural navigates to the Confirm Generation panel.
Download your dataset - Download the transformed files from the Structural application database.

Checklist for cloud storage file workspaces

For workspaces that use data from files in cloud storage (Amazon S3 or Google Cloud Storage), the checklist contains:

Configure output location - Configure the cloud storage location where Structural writes the transformed files. When you click this step, Structural navigates to the Output location section of the workspace details view.
Create a file group - Create a file group that contains files selected from cloud storage. When you click this step, Structural navigates to the File Groups view for the workspace.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source data. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce transformed versions of the source files. When you click this step, Structural navigates to the Confirm Generation panel.

Next step hints

In addition to the workspace checklists, Structural uses next step hints to help guide you through the workspace configuration and data generation.

When a next step hint is available, it displays as an animated marker next to the suggested next action.

When you hover over the highlighted action, Structural displays a help text popup that explains the recommended action.

When you click the highlighted action, the hint is removed, and the next hint is displayed.

Creating a file group

For a file connector workspace, to identify the source data, you create file groups. A file group is a set of files of the same type and with the same structure. Each file group becomes a table in the workspace. For CSV files, each column becomes a table column. For XML and JSON file groups, the table contains a single XML or JSON column.

On the File Groups view, click Create File Group.

Uploading local files

For a file connector workspace that uses local files, you can either drag and drop files from your local file system to the file group, or you can search for and select files to add. For more information, go to .

Selecting files from cloud storage

For a file connector workspace that uses cloud storage, you select the files to include in the file group. For more information, go to .

Configuring file delimiters and settings

For files that contain CSV content, you configure the delimiters and other file settings. For more information, go to .

Assigning a generator

To get value out of the data generation process, you assign generators to the data columns.

A generator indicates how to transform the data in a column. For example, for a column that contains a name value, you might assign the Name generator, which indicates how to generate a replacement name in the generation output.

Applying all recommendations

For sensitive columns that Structural detects, Structural can also provide a recommended generator configuration.

When there are recommendations available, Privacy Hub displays a link to review all of the recommendations.

The Recommended Generators by Sensitivity Type panel displays a list of sensitive columns that Structural detected, along with the suggested generators to apply.

After reviewing, to apply all of the suggested generators, click Apply All. For more information about using this panel, go to Reviewing and applying recommended generators.

Selecting a generator

You can also choose to apply an individual generator manually. You can do this from Privacy Hub, Database View, or Table View.

To display Database View, on the workspace management view, click Database View.

On Database View, in the column list, the Applied Generator column lists the currently assigned generator for each column. For a new workspace, the columns are all assigned the Passthrough generator. The Passthrough generator simply passes the source value through to the destination data without masking it.

Click a column that is marked as Passthrough, and that is not marked as sensitive. For example, in the sample workspace, the customers.Last_Transaction column. The column configuration panel displays. To select a generator, click the generator dropdown. The list contains generators that can be assigned to the column based on the column data type. For customers.Last_Transaction, the Timestamp Shift generator is a good option.

Assigning a recommended generator

For Passthrough columns that Structural identified as containing sensitive data, the Applied Generator column displays an icon to indicate that there is a recommended generator.

In Database View, click one of those columns. For example, in the sample workspace, the customers.email column is marked as containing an email address.

For customers.Email, click the generator dropdown. Instead of the column configuration panel, there is a panel that indicates the recommended generator. For customers.Email, the recommended generator is Email. To assign the Email generator, click Apply. The column configuration panel displays with the generator assigned.

Configuring the destination location

To run a data generation, Structural must have a destination for the transformed data.

For a local files workspace, Structural saves the transformed files to the application database.

For workspaces that use data from a database, and for workspaces that use cloud storage files, you configure where Structural writes the output data.

Available output options

The destination location for data generation output can be one of the following:

If the data connector supports Tonic Ephemeral, then the default option is to write the output data to Ephemeral.
For database-based data connectors, you can write the transformed data to a destination database.
For some Structural data connectors, Structural can write the transformed data to a data volume in a container repository.
For file connector workspaces that transform files from cloud storage (Amazon S3 or Google Cloud Storage), you configure the cloud storage location where Structural writes the transformed files.

Displaying the current destination configuration

To display the destination configuration for the workspace:

Click the Workspace Settings tab.
Scroll to the Destination Settings section or, for a file connector workspace that uses cloud storage files, scroll to the Output location section.

Confirming or changing the destination configuration

Ephemeral snapshot

For data connectors that Ephemeral supports, the default option is to write the output to Ephemeral.

For the Ephemeral option, the default configuration is:

Structural writes the output to Ephemeral Cloud. If you do not have an Ephemeral Cloud account, then we create an Ephemeral free trial account for you. If your organization has a self-hosted Ephemeral instance, then you can choose to write the output to that instance. Note that all workspaces in the same organization or for the same self-hosted Structural instance must use the same Ephemeral instance.
Structural uses the output data to create an Ephemeral user snapshot. You can use the user snapshot to create Ephemeral databases.
When Structural creates the user snapshot in Ephemeral, it creates a temporary Ephemeral database to use as the basis for the user snapshot. There is an option to keep that temporary database. For a free trial workspace, this option is enabled by default. The database expires after 48 hours.

For details about how to configure Structural to write output to Ephemeral, go to Writing output to Tonic Ephemeral. For more information about Ephemeral, go to the Ephemeral documentation.

Destination database

To write the data to a destination database, click Database Server. Structural displays the configuration fields for the destination database.

For information on how to configure the destination information for a specific data connector, go to the workspace configuration information for that data connector. The data connector summary contains a list of the available data connectors, and provides a link to the documentation for each data connector.

Container repository

To write the data to a data volume in a container repository, click Container Repository. Structural displays the configuration fields to select a base image and provide the details about the repository.

For more information, go to Writing output to a container repository.

Cloud storage files output location

For a file connector workspace that uses files from cloud storage (Amazon S3 or Google Cloud Storage), you configure the cloud storage output location where Structural writes the transformed files. The configuration includes the required credentials to use.

For more information, go to Configuring the file connector storage type and output options.

Running data generation

After you complete the workspace and generator configuration, you can run your first data generation.

The data generation process uses the assigned generators to transform the source data. It writes the transformed data to the configured destination location.

For a local files workspace, it writes the files to the Structural application database.

Starting the generation

The Generate Data option is at the top right of the Tonic heading.

When you click Generate Data, Structural displays the Confirm Generation panel.

The Confirm Generation panel provides access to the current destination configuration, along with other advanced generation options such as subsetting and upsert.

It also indicates if there are any issues that prevent you from starting the data generation. For example, if the workspace does not have a configured destination, then Structural cannot run the data generation.

To start the data generation, click Run Generation. For more information about running data generation, go to Running data generation jobs.

For a new Tonic Ephemeral account, the first time that you run data generation, you also receive an activation email message for the account.

Viewing the job details and connecting to an Ephemeral database

To view the job status and details:

Click Jobs.
In the list, click the data generation job.

For a data generation that writes the output to an Ephemeral database, the Data Available in Tonic Ephemeral panel provides access to the database connection information.

To display the connection details, click Connecting to your database.

The connection details include the database location and credentials. Each field contains a copy icon to allow you to copy the value.

Next steps for free trial users

The first time that you complete all of the steps in a checklist, Structural displays a panel with options to chat with our sales team, schedule a demo, or purchase a subscription.

You can also continue to get to know Structural and experiment with other Structural features such as subsetting or using composite generators to mask more complex values such as JSON or XML.

If your free trial has expired, to get an extension, you can reach out to us using either the in-app chat or an email message.