1 of 100

Tonic Structural

Tonic Structural User Guide

The Tonic Structural platform creates safe, realistic datasets to use in staging environments or for local development. It includes a web application and API that can be used by engineers, data analysts, or security experts.

Structural connects to source databases that contain sensitive data such as personally identifiable information (PII) or protected health information (PHI). To protect that data, Structural transforms the sensitive values and writes the transformed data to a destination location.

New to Structural? Review the Tonic Structural workflow overview. Go to Getting started with the Structural free trial for information on how to create a Structural account and start a Structural free trial.

Want to know what's in the latest Structural releases? Go to the Tonic Structural release notes.

The Structural application heading includes a feature updates icon, which displays a summary of the newest features, including a link to the Structural release notes.

Connect to your data

Configure and generate transformed data

Manage a self-hosted Tonic Structural instance

Need help with Structural? Contact support@tonic.ai.

About Tonic Structural

The Tonic Structural synthetic data platform combines sensitive data detection and data transformation to allow users to create safe, secure, and compliant datasets.

Common Structural use cases include creating staging and development environments and trying out a new cloud provider without complex data agreements. Structural allows you to reduce bug counts, shorten testing life cycles, and share data with partners, all while helping to ensure security and compliance with the latest regulations, from GDPR to CCPA.

You can use Structural APIs to integrate with CI/CD pipelines or to create automated processes that ensure that the generated data is available on demand.

Structural data generation workflow

Tonic Structural data generation combines sensitive data detection and data transformation to create safe, secure, and compliant datasets.

The Structural data generation workflow involves the following steps:

You can also view this video overview of the Structural data generation workflow.

To get started, you create a workspace. When you create a workspace, you identify the type of source data, such as PostgreSQL or MySQL, and establish the connections to the source database and the destination location. The source database contains the original data that you want to synthesize. The destination location is where Structural stores the synthesized data. It might be a database, a storage location, a container repository, or an Ephemeral database snapshhot.
Next, you analyze the results of the initial sensitivity scan. The sensitivity scan identifies columns that contain sensitive data. These columns need to be protected by a generator.
Based on the sensitivity scan results, you configure the data generation. The configuration includes:
- Assigning table modes to tables. The table mode controls the number of rows and columns that are copied to the destination database.
- Indicating column sensitivity. You can make adjustments to the initial sensitivity assignments. For example, you can mark additional columns as sensitive that the initial scan did not identify as sensitive.
- Assigning and configuring column generators. To protect the data in a column, especially a sensitive column, you assign a generator to it. The generator replaces the source value with a different value in the destination database. For example, the generator might scramble the characters or assign a random value of the same type.
After you complete the configuration, you run the data generation job. The data generation job uses the configured table modes and generators to transform the data from the source database and write the transformed data to the destination location. You can track the job progress and view the job results.

Structural deployment types

Self-hosted Tonic Structural instance

You can deploy a self-hosted, on-premises instance of Tonic Structural.

For a self-hosted instance, Structural provides administrator tools that allow you to monitor Structural services and manage Structural users.

You can configure Structural environment settings to customize your instance.

On a self-hosted instance, based on your license plan, you have access to the full set of supported data connectors.

Structural Cloud

Structural Cloud is our secure hosted environment. On Structural Cloud, Tonic handles monitoring Structural services and updating Structural.

Structural Cloud does not include:

Single sign-on (SSO) for user management
Custom permission sets
Environment setting configuration. Structural Cloud uses a single configuration.
Structural data encryption
Generator presets
Custom sensitivity rules
Access to the following data connectors:

Structural Cloud also supports a pay-as-you-go plan, where free trial users can move on to set up a monthly subscription. For more information, go to Setting up and managing a Structural Cloud pay-as-you-go subscription.

Each Structural Cloud user belongs to a Structural Cloud organization, which is determined either by the user's email domain or by a workspace invitation. Structural Cloud users do not have any access to workspaces or users from other organizations.

Each free trial user is in a separate organization, along with any users that they invite to have access to a free trial workspace.

For information about Structural Cloud organizations, go to Structural organizations.

The Account Admin permission set allows a Structural Cloud user to manage organization users and workspaces. For information about granting access to the Account Admin permission set, go to Granting Account Admin access for a Structural Cloud organization.

Structural implementation roles

A Tonic Structural implementation can involve the following roles - from those who set up the Structural environment to the consumers of the data that Structural processes.

Note that these roles are not related to role-based access (RBAC) within Structural, which is managed using .

Infrastructure engineers

For self-hosted instances of Structural.

Infrastructure engineers set up the Structural application and its relevant dependencies. They are typically DevOps, Site Reliability Engineering (SRE), or Kubernetes cluster administrators.

Infrastructure engineers perform the following Structural-related tasks:

Ensure that the proper infrastructure is ready for Structural installation based on the .
. Works with Tonic.ai support as needed.
Perform routine maintenance of Structural and the Structural environment. and its dependencies as needed.
Create Structural-processed data pipelines for development and testing workflows.

Database administrators

For both self-hosted instances of Structural and Structural Cloud.

Database administrators integrate Structural into your data architecture to support .

They ensure that source databases are available to Structural, and that Structural can write to destination databases.

perform the following Structural-related tasks:

Set up the required Structural access to source databases.
Set up destination databases for Structural to write transformed data to.

Structural users

Structural users are the actual users of the Structural application.

Depending on the use case, Structural users might be compliance analysts, DevOps, or data engineers.

Tonic users perform the following Structural-related tasks:

Work with data consumers to produce usable data

Data consumers

Data consumers are the end users of transformed destination data.

They are typically QA testers, developers, or analysts.

Data consumers perform the following Structural-related tasks.

Validate the usability of the destination data.
Provide guidance on application-specific requirements for data.

Security and compliance

Security and compliance ensure and validate that the data that Structural produces meets expectations, and that Structural is compliant with other security-related processes.

Security and compliance specialists perform the following Structural-related tasks:

Provide guidance on what data is sensitive.
Sign off on proposed approaches to mask sensitive data.
Approve data access and permissions.

Structural license plans

Tonic Structural provides different license plans to accommodate organizations of different sizes who have more or less complex data architectures.

Basic license

The Basic license is designed for very small organizations who have a very simple data architecture. It provides access to Structural's core de-identification and data generation features.

Users

The Basic license allows access for a single user, with an option to purchase an additional two users.

There is no access to .

Data connectors

With a Basic license, you can create workspaces for one data connector type. The data connector type must be one of the following:

Concurrent jobs

With a Basic license, your Structural instance can have only one Structural worker. This means that only one sensitivity scan or data generation job can run at the same time.

Structural features

With a Basic license, you can create and configure workspaces, and run data generation for those workspaces.

The Basic license does NOT provide access to the following features:

Custom generators

Structural API

With a Basic license, you only have access to the basic version of the Structural API.

You cannot use the basic Structural API to perform the following API tasks, which require the advanced API:

Professional license

The Professional license is designed for larger organizations that have more complex data architectures. The organization might have a larger team that supports multiple databases.

The Professional license provides access to a larger set of Structural features than the Basic license.

Users

The Professional license allows up to 10 users. You can purchase access for unlimited users as an add-on.

Data connectors

With a Professional license, you can create workspaces for up to two types of data connectors. You can purchase one additional data connector type as an add-on.

Concurrent jobs

With a Professional license, your Structural instance can have more than one Structural worker.

This means that you can run multiple jobs from different workspaces at the same time. You can never run multiple jobs from the same workspace at the same time.

Structural features

With a Professional license, you can do the following:

Create and configure workspaces, and run data generation for those workspaces

The Professional license does NOT provide access to the following features:

Structural API

With a Professional license, you only have access to the basic version of the Structural API.

You cannot use the basic Structural API to perform the following API tasks, which require the advanced API:

Enterprise license

The Enterprise license is ideal for very large organizations that have multiple teams that support very large and complex data structures, and that might have more requirements related to scale and compliance.

It provides full access to all Structural features.

Users

An Enterprise instance does not limit the number of users.

Data connectors

You can use any number of any of the available data connectors.

Structural features

The following features are exclusive to the Enterprise license:

Structural API

The Enterprise license provides exclusive access to the advanced API.

The advanced Structural API provides access to all of the available API tasks, including the following tasks that are not available in the basic API:

Feature comparison across Structural license plans

The following table compares the available features for the Structural license plans.

Logging into Structural for the first time

When you go to Tonic Structural for the first time, you create an account. How you create an account depends on the type of user you are.

A new Structural user can be one of the following:

A completely new user who is starting a Structural 14-day free trial. Free trial users use Structural Cloud to explore and experiment with Structural before they decide whether to purchase it.
A new user on a self-hosted Structural instance. Self-hosted instances are installed on-premises. The customer administers the Structural users.
A new user in an existing Structural Cloud organization. New users are added to existing organizations based on their email domain.

Managing your user account

From the User Settings view, you can manage settings for your individual Tonic Structural account.

To display the User Settings view:

Click your user image at the top right.
In the menu, click User Settings.

The User Settings view includes options to:

Configure your user image.
View and copy your organization identifier.
Configure email notifications for column comments.
Generate and manage API tokens.
Change your Structural password (if your Structural instance does not use SSO).
Delete your Structural account.

Choosing your user image

You can select an image to associate with your account. The image is displayed next to your name and email address throughout Structural.

If your instance uses Google or Azure single sign-on (SSO) to manage Structural users, then by default your Structural account image is the image from the SSO.

Otherwise, the default image displays your initials.

To change your user image, click Upload, then select the image file.

Viewing and copying your organization identifier

Below your user image file name is the identifier of the organization that your account belongs to.

To copy the identifier, click the copy icon.

Configuring notifications for column comments

Required license: Professional or Enterprise

Structural allows users to provide comments on columns. You can do this from Privacy Hub and Database View.

From the Comment Notification Settings section of User Settings, you can configure when to receive email notifications for comments.

The available options are:

I am an owner, editor, auditor, or am being replied to This is the default option. You receive email notifications when comments are made on columns in a workspace that you are an owner, editor, or auditor for. You also receive an email notification when someone replies to a comment that you made.
I am @ mentioned You only receive an email notification if someone specifically mentions you in a comment.
Never You never receive email notifications for column comments.

Generating and managing API tokens

Before you can use the Structural API, you must create an API token. From the User API Tokens section of the User Settings view, you can create and manage API tokens.

Creating an API token

To create an API token:

Click Create Token.
On the Create New Token dialog, enter a name for the new token.
Click Confirm. The token is added to the list.

Copying an API token

To copy an API token, click the copy icon for the token.

Revoking an API token

To revoke a token, click the Revoke option for the token.

Changing your Structural password

If your Structural account is not managed using SSO, then from User Settings, you can change your Structural password.

If your Structural instance uses SSO to manage users, then your user credentials are managed in the SSO system. You cannot change your user password in Structural.

Under Password Change, to change your Structural password:

In the Old Password field, type your current Structural password.
In the New Password field, type your new Structural password.
In the Repeat New Password field, type your new Structural password again.
Click Confirm.

Deleting your Structural account

From User Settings, you can delete your Structural account. If your instance uses SSO to manage users, then deleting your account only affects your access to Structural.

You cannot delete your Structural account if you are the owner of a workspace for which other users are granted access. Before you can delete your Structural account, you must either:

Revoke access from other users.
Transfer ownership to a different user.

To delete your Structural account, click Delete Account.

When you delete your account, you are logged out of Structural.

Frequently Asked Questions

What is the minimum required screen width for the Tonic Structural application?

The minimum screen width is 1120 pixels.

How do you connect to a local database when running Structural in a Docker container locally?

If the locally running database that you want to connect to runs in a Docker container:

Run: docker inspect
In the networks section of the results, find the Gateway IP address. Use this IP address as the server address in Structural.

If the locally running database does NOT run in a container, but runs on the machine, then:

On Windows or Mac, use host.docker.internal
On Linux, use 172.17.0.1, which is the IP address of the docker0 interface.

I allowlist access to my database. What are your static IP addresses?

If you use Structural Cloud, and your database only allows connections from allowlisted IP addresses, then you need to allowlist Structural static IP addresses.

This is not required for self-hosted instances of Structural.

United States-based instance

For the United States-based instance (), the static IP addresses are:

54.92.217.68
52.22.13.250

The following IP addresses are used if needed for scaling or failover:

44.215.74.226
3.232.203.148
3.224.2.189
44.230.136.147
44.230.79.194

Europe-based instance

18.159.127.160
3.69.249.144

The following IP addresses are used if needed for scaling or failover:

18.159.179.95
3.120.214.225
3.75.12.1
16.16.71.42
16.170.51.237

I allowlist network calls. What do I need to allowlist?

URLs for telemetry sharing

The URL https://telemetry.tonic.ai/ is used for our Amplitude telemetry. https://telemetry.tonic.ai/logs is used specifically for log sharing.

Allowlist https://telemetry.tonic.ai/ or the following IP addresses:

75.2.74.76
99.83.246.105

Telemetry sharing is required. These metrics are valuable for us as we debug, make product roadmaps, and determine feature viability.

URLs for Structural version information

To support the one-click update option, Structural needs to be able to retrieve information about the latest Structural version.

How do I check my current version of Structural?

Click your user image at the top right. The menu includes the Tonic version.

How should we provision our source database?

We recommend that you use a static copy of your production database that was restored from a backup.

If that's not possible, consider the following when you connect Structural to your source data:

Structural cannot guarantee referential integrity of the output data if the source database is written to while data is generated. For this reason we recommend that you connect to a static copy of production data.
Read replicas and fast followers can be problematic for Structural because of how long it takes some queries run. Read replicas tend to have short query timeout limits, which causes the queries to timeout. Read replicas also reflect recent writes, which means that we cannot guarantee the referential integrity of the output.

What data does Tonic.ai collect from Structural?

Tutorial videos

Use these tutorial videos to learn more about how to use Tonic Structural.

Structural workflow overview

Provides an overview of the workflow to use Structural to de-identify and synthesize your data. For more information, go to .

Creating a Structural workspace

Managing workspace access

Structural generators overview

Generator presets

File connector overview

Generating data with consistency

Subsetting your data

Upsert data generation

Writing destination data to a container repository

Creating and managing workspaces

Configuring data generation

Structural license plans

Tonic Structural provides different license plans to accommodate organizations of different sizes who have more or less complex data architectures.

Basic license

The Basic license is designed for very small organizations who have a very simple data architecture. It provides access to Structural's core de-identification and data generation features.

Users

The Basic license allows access for a single user, with an option to purchase an additional two users.

There is no access to .

Data connectors

With a Basic license, you can create workspaces for one data connector type. The data connector type must be one of the following:

Concurrent jobs

With a Basic license, your Structural instance can have only one Structural worker. This means that only one sensitivity scan or data generation job can run at the same time.

Structural features

With a Basic license, you can create and configure workspaces, and run data generation for those workspaces.

You can use to view the current sensitivity status based on the current workspace configuration.

The Basic license does NOT provide access to the following features:

- Can view foreign keys from the data, but cannot add virtual foreign keys
Custom generators

Structural API

With a Basic license, you only have access to the basic version of the Structural API.

You cannot use the basic Structural API to perform the following API tasks, which require the advanced API:

Professional license

The Professional license is designed for larger organizations that have more complex data architectures. The organization might have a larger team that supports multiple databases.

The Professional license is also granted to .

The Professional license provides access to a larger set of Structural features than the Basic license.

Users

The Professional license allows up to 10 users. You can purchase access for unlimited users as an add-on.

You can use to manage your Structural users.

Data connectors

With a Professional license, you can create workspaces for up to two types of data connectors. You can purchase one additional data connector type as an add-on.

Those data connectors can be of any type except for and .

Concurrent jobs

With a Professional license, your Structural instance can have more than one Structural worker.

This means that you can run multiple jobs from different workspaces at the same time. You can never run multiple jobs from the same workspace at the same time.

Structural features

With a Professional license, you can do the following:

Create and configure workspaces, and run data generation for those workspaces
Use to view the current sensitivity status for your workspace configuration.
. The Professional license does not allow you to assign the built-in Viewer and Auditor permission sets.
. The comments can trigger email notifications.
Run and configure .
Use to generate a smaller destination database.
Create .
Use to add destination database records and update existing destination database records, but keep unchanged destination database records in place. The Professional license does not allow you to connect to migration scripts.
Use view to view and address both conflicting and non-conflicting changes to the source data schema.
Use to have Structural decrypt source data, encrypt destination data, or both.
Request , which are primarily developed to preserve encryption that can't be managed using Structural data encryption. You can also purchase custom generators.

The Professional license does NOT provide access to the following features:

Structural API

With a Professional license, you only have access to the basic version of the Structural API.

You cannot use the basic Structural API to perform the following API tasks, which require the advanced API:

Enterprise license

It provides full access to all Structural features.

Users

An Enterprise instance does not limit the number of users.

Data connectors

You can use any number of any of the available data connectors.

The Enterprise license provides exclusive access to the and data connectors.

Structural features

The following features are exclusive to the Enterprise license:

Structural API

The Enterprise license provides exclusive access to the advanced API.

The advanced Structural API provides access to all of the available API tasks, including the following tasks that are not available in the basic API:

Feature comparison across Structural license plans

The following table compares the available features for the Structural license plans.

Feature

Basic

Professional

Enterprise

Getting started with the Structural free trial

If you are a user who wants to set up an account in an existing Tonic Structural Cloud or self-hosted organization, go to Creating a new account in an existing organization.

About the Structural free trial

The Structural 14-day free trial allows you to explore and experiment in Structural Cloud before you decide whether to purchase Structural.

When you sign up for a free trial, Structural automatically creates a sample workspace for you to use. You can also create a workspace that uses your own database or files.

The free trial provides tools to introduce you to Structural and to guide you through configuring and completing a data generation.

Structural tracks and displays the amount of time remaining in your free trial. You can request a demonstration and contact support.

When the free trial period ends, you can continue to use Structural to configure workspaces. You can no longer generate data or train models. Contact Tonic.ai to discuss purchasing a Structural license, or select the option to start a Structural Cloud pay-as-you-go subscription.

Signing up for the free trial

To start a new free trial of Structural:

Go to app.tonic.ai.
Click Create Account.

On the Create your account dialog, to create an account, either:

To use a corporate Google email address to create the account, click Create account using Google.
To create a new Structural account, enter your email address, create and confirm a Structural password, then click Create Account. You cannot use a public email address for a free trial account.

Structural sends an activation link to your email address.

After you activate your account and log in, Structural next prompts you to select the use case that best matches why you are exploring Structural. If none of the provided use cases fits, use the Other option to tell us about your use case.

After you select a use case, click Next. The Create Your Workspace panel displays.

Determining whether to use your own data

When you sign up for a free trial, Structural automatically creates a sample PostgreSQL workspace that you can use to explore how to configure and run data generation.

You can also choose to create a workspace that uses your own data, either from local files or from a database.

On the Create your workspace panel:

To use the sample workspace, click Use a sample workspace, then click Next. Structural displays Privacy Hub, which summarizes the protection status for the source data. It also displays the Getting Started Guide panel and the quick start checklist.
To create a workspace that uses local files as the source data, click Upload Files, then click Next. Go to #uploading-files.
To create a new workspace that uses your own data, click Bring your own data, then click Next. Go to #connecting-to-a-database.

Uploading files

The Upload files option creates a local files file connector workspace. The source data consists of groups of files selected from a local file system. The files in a file group must have the same type and structure. Each file group becomes a "table" in the source data.

For other workspaces that you create during the free trial, you can also create a file connector workspace that uses files from cloud storage ( Amazon S3 or Google Cloud Storage).

After you select Upload files and click Next, you are prompted to provide a name for the workspace.

In the field provided, enter the name to use for the workspace, then click Next.

Structural displays the File Groups view, where you can set up the file groups for the workspace.

It also displays the Getting Started Guide panel with links to resources to help you get started.

After you create at least one file group, you can start to use the other Structural features and functions.

Connecting to a database

Provide a name for your workspace

If you choose to create a workspace with your own data, then the first step is to provide a name for the workspace.

In the field provided, enter the name to use for your first workspace, then click Next.

The Invite others to Tonic panel displays.

Invite other users to Structural and your workspace

Under Invite others to Tonic, you can optionally invite other users with the same corporate email domain to start their own Structural free trial. The users that you invite are able to view and edit your workspace.

For example, you might want to invite other users if you don't have access to the connection information for the source data. You can invite a user who does have access. They can then update the workspace configuration to add the connection details.

To continue without inviting other users, click Skip this step.

To invite users:

For each user to invite, enter the email address, then press Enter. The email addresses must have the same corporate email domain as your email address.
After you create the list of users to invite, click Next.

The Add source data connection view displays.

Supported databases for free trial workspaces

The final step in the workspace creation is to provide the source data to use for your workspace.

Structural provides data connectors that allow you to connect to an existing database. Each data connector allows you to connect to a specific type of database. Structural supports several types of application databases, data warehouses, and Spark data solutions.

For the first workspace that you create using the free trial wizard, you can choose:

For subsequent workspaces that you create from Workspaces view, you can also choose Databricks and Salesforce.

Selecting the database type

To connect to an existing database, on the Add source data connection panel, click the data connector to use, then click Add connection details.

The panel also includes a Local files option, which creates a local files file connector workspace, the same as the Upload files option.

Use the connection details fields to provide the connection information for your source data. The specific fields depend on the type of data connector that you select.

After you provide the connection details, to test the connection, click Test Connection.

To save your workspace, click Save.

Structural displays Privacy Hub, which summarizes the protection status for the source data.

It also displays the Getting Started Guide panel with links to resources to help you get started.

Free trial resources

The Structural free trial includes a couple of resources to introduce you to Structural and to guide you through the tasks for your first data generation.

Getting Started Guide panel

The Getting Started Guide panel provides access to Structural information and support resources.

The Getting Started Guide panel displays automatically when you first start the free trial. To display the Getting Started Guide panel manually, in the Structural heading, click Getting Started.

The Getting Started Guide panel provides links to Structural instructional videos and this Structural documentation. It also contains links to request a Structural demo, contact Tonic.ai support, and purchase a Structural Cloud pay-as-you-go subscription.

Quick start checklist

For each free trial workspace, Structural provides access to a workspace checklist.

The checklist displays at the bottom left of the workspace management view. It displays automatically when you display the workspace management view. To hide the checklist, click the minimize icon. To display the checklist again, click the checklist icon.

The checklist provides a basic list of tasks to perform in order to complete a Structural data generation.

Each checklist task is linked to the Structural location where you can complete that task. Structural automatically detects and marks when a task is completed.

The checklist tasks are slightly different based on the type of workspace.

Checklist for database-based workspaces

For workspaces that are connected to a database, including the sample PostgreSQL workspace and workspaces that you connect to your own data, the checklist contains:

Connect a source database - Set the connection to the source database. In most cases, you set the source connection when you create the workspace. When you click this step, Structural navigates to the Source Settings section of the workspace details view.
Connect to destination database - Set the location where Structural writes the transformed data. When you click this step, Structural navigates to the Destination Settings section of the workspace details view.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source data. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce the destination data. When you click this item, Structural navigates to the Confirm Generation panel.

Checklist for local file workspaces

For workspaces that use data from local files, the checklist contains:

Create a file group - Create a file group with files that you upload from a local file system. Each file group becomes a table in the workspace. When you click this step, Structural navigates to the File Groups view for the workspace.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source files. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce transformed versions of the source files. When you click this step, Structural navigates to the Confirm Generation panel.
Download your dataset - Download the transformed files from the Structural application database.

Checklist for cloud storage file workspaces

For workspaces that use data from files in cloud storage (Amazon S3 or Google Cloud Storage), the checklist contains:

Configure output location - Configure the cloud storage location where Structural writes the transformed files. When you click this step, Structural navigates to the Output location section of the workspace details view.
Create a file group - Create a file group that contains files selected from cloud storage. When you click this step, Structural navigates to the File Groups view for the workspace.
Apply generators to modify dataset - Configure how Structural transforms at least one column in the source data. When you click this step:
- If there are available generator recommendations, then Structural navigates to Privacy Hub and displays the generator recommendations panel.
- If there are no available generator recommendations, then Structural navigates to Database View.
Generate data - Run the data generation to produce transformed versions of the source files. When you click this step, Structural navigates to the Confirm Generation panel.

Next step hints

In addition to the workspace checklists, Structural uses next step hints to help guide you through the workspace configuration and data generation.

When a next step hint is available, it displays as an animated marker next to the suggested next action.

When you hover over the highlighted action, Structural displays a help text popup that explains the recommended action.

When you click the highlighted action, the hint is removed, and the next hint is displayed.

Creating a file group

For a file connector workspace, to identify the source data, you create file groups. A file group is a set of files of the same type and with the same structure. Each file group becomes a table in the workspace. For CSV files, each column becomes a table column. For XML and JSON file groups, the table contains a single XML or JSON column.

On the File Groups view, click Create File Group.

Uploading local files

For a file connector workspace that uses local files, you can either drag and drop files from your local file system to the file group, or you can search for and select files to add. For more information, go to #adding-files-from-a-local-file-system.

Selecting files from cloud storage

For a file connector workspace that uses cloud storage, you select the files to include in the file group. For more information, go to #adding-files-from-amazon-s3-or-gcs.

Configuring file delimiters and settings

For files that contain CSV content, you also configure the delimiters and other file settings. For more information, go to #configuring-delimiters-and-file-settings-for-.csv-files.

Assigning a generator

To get value out of the data generation process, you assign generators to the data columns.

A generator indicates how to transform the data in a column. For example, for a column that contains a name value, you might assign the Name generator, which indicates how to generate a replacement name in the generation output.

Applying all recommendations

For sensitive columns that Structural detects, Structural can also provide a recommended generator configuration.

When there are recommendations available, Privacy Hub displays a link to review all of the recommendations.

The Recommended Generators by Sensitivity Type panel displays a list of sensitive columns that Structural detected, along with the suggested generators to apply.

After reviewing, to apply all of the suggested generators, click Apply All. For more information about using this panel, go to Reviewing and applying recommended generators.

Selecting a generator

You can also choose to apply an individual generator manually. You can do this from Privacy Hub, Database View, or Table View.

To display Database View, on the workspace management view, click Database View.

On Database View, in the column list, the Applied Generator column lists the currently assigned generator for each column. For a new workspace, the columns are all assigned the Passthrough generator. The Passthrough generator simply passes the source value through to the destination data without masking it.

Click a column that is marked as Passthrough, and that is not marked as sensitive. For example, in the sample workspace, the customers.Last_Transaction column. The column configuration panel displays. To select a generator, click the generator dropdown. The list contains generators that can be assigned to the column based on the column data type. For customers.Last_Transaction, the Timestamp Shift generator is a good option.

Assigning a recommended generator

For Passthrough columns that Structural identified as containing sensitive data, the column includes an icon to indicate that there is a recommended generator.

In Database View, click one of those columns. For example, in the sample workspace, the customers.email column is marked as containing an email address.

For customers.Email, click the Email label. Instead of the column configuration panel, you see a panel that indicates the recommended generator. For customers.Email, the recommended generator is Email. To assign the Email generator, click Apply. The column configuration panel displays with the generator assigned.

Configuring the destination location

To run a data generation, Structural must have a destination for the transformed data.

For a local files workspace, Structural saves the transformed files to the application database.

For workspaces that use data from a database, and for workspaces that use cloud storage files, you configure where Structural writes the output data.

Available output options

The destination location for data generation output can be one of the following:

If the data connector supports Tonic Ephemeral, then the default option is to write the output data to Ephemeral.
For database-based data connectors, you can write the transformed data to a destination database.
For some Structural data connectors, Structural can write the transformed data to a data volume in a container repository.
For file connector workspaces that transform files from cloud storage (Amazon S3 or Google Cloud Storage), you configure the cloud storage location where Structural writes the transformed files.

Displaying the current destination configuration

To display the destination configuration for the workspace:

Click the Settings tab.
Scroll to the Destination Settings section or, for a file connector workspace that uses cloud storage files, scroll to the Output location section.

Confirming or changing the destination configuration

Ephemeral snapshot

For data connectors that Ephemeral supports, the default option is to write the output to Ephemeral.

For the Ephemeral option, the default configuration is:

Structural writes the output to Ephemeral Cloud. If you do not have an Ephemeral Cloud account, then we create an Ephemeral free trial account for you. If your organization has a self-hosted Ephemeral instance, then you can choose to write the output to that instance. Note that all workspaces in the same organization or for the same self-hosted Structural instance must use the same Ephemeral instance.
Structural uses the output data to create an Ephemeral user snapshot. You can use the user snapshot to create Ephemeral databases.
When Structural creates the user snapshot in Ephemeral, it creates a temporary Ephemeral database to use as the basis for the user snapshot. There is an option to keep that temporary database. For a free trial workspace, this option is enabled by default. The database expires after 48 hours.

Destination database

To write the data to a destination database, click Database Server. Structural displays the configuration fields for the destination database.

For information on how to configure the destination information for a specific data connector, go to the workspace configuration information for that data connector. The data connector summary contains a list of the available data connectors, and provides a link to the documentation for each data connector.

Container repository

To write the data to a data volume in a container repository, click Container Repository. Structural displays the configuration fields to select a base image and provide the details about the repository.

For more information, go to Writing output to a container repository.

Cloud storage files output location

For a file connector workspace that uses files from cloud storage (Amazon S3 or Google Cloud Storage), you configure the cloud storage output location where Structural writes the transformed files. The configuration includes the required credentials to use.

For more information, go to Configuring the file connector storage type and output options.

Running data generation

After you complete the workspace and generator configuration, you can run your first data generation.

The data generation process uses the assigned generators to transform the source data. It writes the transformed data to the configured destination location.

For a local files workspace, it writes the files to the Structural application database.

Starting the generation

The Generate Data option is at the top right of the Tonic heading.

When you click Generate Data, Structural displays the Confirm Generation panel.

The Confirm Generation panel provides access to the current destination configuration, along with other advanced generation options such as subsetting and upsert. It also indicates if there are any issues that prevent you from starting the data generation. For example, if the workspace does not have a configured destination, then Structural cannot run the data generation.

To start the data generation, click Run Generation. For more information about running data generation, go to Running data generation jobs.

For a new Tonic Ephemeral account, the first time that you run data generation, you also receive an activation email message for the account.

Viewing the job details and connecting to an Ephemeral database

To view the job status and details:

Click Jobs.
In the list, click the data generation job.

For a data generation that writes the output to an Ephemeral database, the Data Available in Tonic Ephemeral panel provides access to the database connection information.

To display the connection details, click Connecting to your database.

The connection details include:

The database location and credentials. Each field contains a copy icon to allow you to copy the value.
SSH tunnel information, including instructions on how to create an SSH tunnel from your local machine to the Ephemeral database.

Next steps for free trial users

The first time that you complete all of the steps in a checklist, Structural displays a panel with options to chat with our sales team, schedule a demo, or purchase a subscription.

You can also continue to get to know Structural and experiment with other Structural features such as subsetting or using composite generators to mask more complex values such as JSON or XML.

If your free trial has expired, to get an extension, you can reach out to us using either the in-app chat or an email message.

Viewing your list of workspaces

Workspaces view lists the workspaces that you have access to. To display Workspaces view, in the Tonic Structural heading, click Workspaces.

How the workspace list is displayed

The workspace list contains:

Workspaces that you own
Workspaces that you are granted access to

If you have the global permission Copy any workspace or Manage user access to Tonic and to any workspace, then you see the complete list of workspaces.

The Permissions column lists the workspace permission sets that you are granted in each workspace. The permission sets include both permission sets that were granted to you directly as a user, and permission sets that were granted to an SSO group that you are a member of.

Child workspaces always display under their parent workspace. You can only see child workspaces that you have access to. If you have access to a child workspace, but not to its parent workspace, then the parent workspace is grayed out. You cannot select it.

Filtering the workspace list

You can filter the workspaces based on the following information:

Name - In the filter field, begin to type text that is in the name of the workspaces to display in the list.
Owner - From the Filter by Owner dropdown list, select the owner of the workspaces to display in the list.
Database type - From the Filter by Database Type dropdown list, select the type of database for the workspaces to display in the list.
Generation status - In the Generation Status column heading, click the filter icon. Check the checkbox next to the generation status values for the workspaces to display in the list.
Tags - In the Tags column heading, click the filter icon. By default, the workspaces are not filtered by tag, and all of the checkboxes are unchecked. To only include workspaces that have specific tags, check the checkbox next to each tag to include. To uncheck all of the selected tags, click Reset Tags. When you filter by tag, Structural checks whether each workspace contains any of the selected tags.
Permissions - In the Permissions column heading, click the filter icon. You can check and uncheck checkboxes to include or exclude specific permission sets. For example, you can filter the list to only display workspaces for which the Editor permission set is granted either to you or to an SSO group that you belong to. For users that have the global permission Copy any workspace, the Permissions filter panel also contains an Any permissions checkbox. By default, Any permissions is unchecked, and the list includes workspaces for which you are not assigned any workspace permission sets. To display all of the workspaces for which you have any assigned workspace permission sets, check Any permissions. If you filter the list based on a specific permission set, to clear the filter and show all workspaces for which you have any permission set, check Any permissions. To display all workspaces, including workspaces that you do not have any permissions for, uncheck Any permissions.

You can combine different filters. For example, you can filter the list to only include workspaces that use PostgreSQL and for which the generation status is Canceled or Failed.

Child workspaces always display under their parent workspace, even if the parent workspace does not match the filter.

Sorting the workspace list

You can sort the workspace list by name, status, or owner.

By default, the list is sorted alphabetically by name.

To sort by a column, click the column heading. To reverse the order of the sort, click the column heading again.

Child workspaces always display under their parent workspace. The child workspaces are sorted within the parent.

Workspace details on Workspaces view

Workspaces view provides the following information about each workspace:

Name - Contains the name and database type for the workspace. To view the workspace description, hover over the name.
Generation status - The status for the most recent generation job. To display the job details for the job, click the job status. To display more details about the date, time, and duration for the job, hover over the generation timestamp. If a job failed recently, you are given additional information about how long this job has been failing (the date of the first failure occurrence among a continuous series of failures).
Schema changes - Indicates whether Structural detected changes to the source database schema. If there are changes, the column shows the number of changes. Hover over the column value to display additional details, and to navigate to the Schema Changes page. See Viewing and resolving schema changes.
Tags - The tags that are assigned to the workspace.
Permissions - The permission sets that are assigned to you for the workspace.
Owner - The name and email address of the workspace owner.

Getting access to workspace tools and actions

Displaying the workspace management view

On Workspaces view, when you click the workspace name, the workspace management view for the workspace is displayed. The Privacy Hub tab is selected.

The Name column also provides access to a menu of workspace configuration options. When you select an option, the workspace management view is displayed, open to the view for the selected option.

Options column

The last column in the workspaces list provides additional workspace options:

Subsetting icon - Displays the subsetting configuration for the workspace. See Viewing the current subsetting configuration.
Post-job actions icon - Displays the post-job actions for the workspace. For more information, go to Post-job scripts and Webhooks.
Actions menu - Provides access to additional options.

The Actions menu at the top left of the workspaces list allows you to to perform bulk actions on multiple workspaces. It is enabled when you check one or more of the checkboxes in the first column of each row. The Actions menu provides options for the selected workspaces.

Writing output to Tonic Ephemeral

Only available for PostgreSQL, MySQL, SQL Server, and Oracle.

Not compatible with upsert.

Not compatible with Preserve Destination or Incremental table modes.

Tonic Ephemeral is a separate Tonic.ai product that allows you to create temporary databases to use for testing and demos. For more information about Ephemeral, go to the .

If Ephemeral supports your workspace database type, then you can write the destination data to a snapshot in Ephemeral. You can then use the snapshot to start Ephemeral databases.

To write the transformed data to Ephemeral, under Destination Settings, click Ephemeral Database.

Selecting the Ephemeral instance type

Structural can write the data snapshot to either Ephemeral Cloud or to a self-hosted instance of Ephemeral. By default, Structural writes the data snapshot to Ephemeral Cloud.

All workspaces on the same self-hosted Structural instance or in the same Structural Cloud organization must write to the same instance of Ephemeral. When you change the Ephemeral output configuration in one workspace, it is automatically changed in other workspaces that write to Ephemeral.

For Ephemeral Cloud, Structural writes the snapshot to the account for the user who runs the data generation job. If that user has an Ephemeral account on Ephemeral Cloud, then Structural uses that account. If the user does not have an account, then Structural creates a two-week Ephemeral free trial account for the user.

Note that if you are on a self-hosted instance of Ephemeral, then you must always provide an Ephemeral API key.

To write a snapshot to Ephemeral Cloud:

Click Tonic Ephemeral cloud.
If you are on a self-hosted instance of Structural:
1. In the API Key field, provide an Ephemeral API key from your Ephemeral account.
2. To test the connection, click Test Connection.

To write the snapshot to a self-hosted instance of Ephemeral:

Click Tonic Ephemeral self-hosted.
In the API Key field, provide an Ephemeral API key from your Ephemeral account. Structural writes the snapshot to the Ephemeral account that is associated with the API key.
In the Tonic Ephemeral URL field, provide the URL to your self-hosted Ephemeral instance.
To test the connection, click Test Connection.

Selecting the image for Oracle

For Oracle, you select the base image to use when it creates the data snapshot.

If you are writing to Ephemeral Cloud, then you must use the Oracle 23c base image that comes with Ephemeral. This image has the following limitations:

A maximum of 12GB of user data
A maximum of 2CPU cores and 2GB of RAM

If you are writing to a self-hosted instance of Ephemeral, then you can also select a custom image that you created in Ephemeral.

Configuring advanced settings for the snapshot

If you do not configure any advanced settings, then:

The snapshot uses the same name as the workspace, and has no description.
The snapshot size allocation is determined by the source data size.
Structural discards the temporary Ephemeral database that is created during the data generation.

To change any of these settings, click Advanced settings.

Providing a snapshot name and description

By default, the snapshot name uses the workspace name.

When you run data generation, if a snapshot with the same name already exists in Ephemeral, then Structural overwrites that snapshot with the new snapshot.

Under Advanced settings:

In the Snapshot name field, provide the name of the snapshot. The snapshot name can use the following placeholder values to help identify the snapshot:
- {workspaceName} - Inserts the name of the workspace.
- {workspaceId} - Inserts the identifier of the workspace.
- {jobId} - Inserts the identifier of the data generation job that created the snapshot.
- {timestamp} - Inserts the timestamp when the snapshot was created.
Including the job ID or timestamp ensures that a data generation job does not overwrite a previous snapshot.
Optionally, in the Snapshot description field, provide a longer description of the snapshot.

Setting the pod resources for the snapshot

By default, the resources used for the snapshot are based on the size of the source data.

For source data that is 25 GB or less, Nano is used.
For source data larger than 25 GB, Micro is used.

To select a specific option:

Toggle Custom pod resources to the on position.
From the dropdown list, select the option to use for the combination of vCPUs and memory:
- Nano - 0.125 vCPU with 0.5 GB RAM
- Micro - 0.5 vCPU with 2 GB RAM
- Small - 1 vCPU with 4 GB RAM
- Medium - 2 vCPU with 8 GB RAM
- Large - 4 vCPU with 16 GB RAM

Setting the size allocation for the snapshot

By default, the Ephemeral size allocation for the snapshot is based on the size of the source data.

To instead provide a custom data size allocation, under Advanced settings:

Toggle Custom data size allocation to the on position.
In the field, enter the size allocation in gigabytes.

Indicating whether to keep the temporary Ephemeral database

When Structural creates the Ephemeral snapshot, it creates a temporary Ephemeral database.

By default, Structural deletes that database when the data generation is complete.

To instead keep the database, under Advanced settings, toggle Keep database active in Tonic Ephemeral after data generation to the on position.

Providing a customization file for MySQL or PostgreSQL

For a MySQL or PostgreSQL workspace, you can provide a customization file that helps to ensure that the temporary Ephemeral database is configured correctly.

To provide the customization details:

Toggle Use custom configuration to the on position.
In the text area, paste the contents of the customization file.

Enabling and configuring upsert

Required license: Professional or Enterprise

Not compatible with writing output to a container repository or a Tonic Ephemeral snapshot.

By default, Tonic Structural data generation replaces the existing destination database with the transformed data from the current job.

Upsert adds and updates rows in the destination database, but keeps all of the other existing rows intact. For example, you might have a standard set of test records that you do not want to replace every time you generate data in Structural.

If you enable upsert, then you cannot write the destination data to a container repository or to a Tonic Ephemeral snapshot. You must write the data to a database server.

Upsert is currently only supported for the following data connectors:

MySQL
Oracle
PostgreSQL
SQL Server

For an overview of upsert, you can also view the .

About the upsert process

When upsert is enabled, the data generation job writes the generated data to an intermediate database. Structural then runs the upsert job to write the new and updated records to the destination database.

The destination database must already exist. Structural cannot run an upsert job to an empty destination database.

The upsert job adds and updates records based on the primary keys.

If the primary key for a record already exists in the destination database, the upsert job updates the record.
If the primary key for a record does not exist in the destination database, the upsert job inserts a new row.

To only update or insert records that Structural creates based on source records, and ignore other records that are already in the destination database, ensure that the primary keys for each set of records operate on different ranges. For example, allocate the integer range 1-1000 for existing destination database records that you add manually. Then ensure that the source database records, and by extension the records that Structural creates during data generation, use a different range.

Also note that when upsert is enabled, the Truncate table mode does not actually truncate the destination table. Instead, it works more like Preserve Destination table mode, which preserves existing records in the destination table.

Enabling upsert

To enable upsert, in the Upsert section of the workspace details, toggle Enable Upsert to the on position.

When you enable upsert for a workspace, you are prompted to configure the upsert processing and provide the connection details for the intermediate database.

Configuring upsert processing

When you enable upsert, Structural displays the following settings to configure the upsert process.

Connecting to migration scripts for schema changes

Required license: Enterprise

The intermediate database must have the same schema as the destination database. If the schemas do not match, then the upsert process fails.

To ensure that schema changes are automatically reflected in the intermediate database, you can connect the workspace to your own database migration script or tool. Structural then runs the migration script or tool whenever you run upsert data generation.

How upsert works with the migration process

When you start an upsert data generation job:

If migration is enabled, Structural calls the endpoint to start the migration.
Structural cannot start the upsert data generation until the migration completes successfully. It regularly calls the status check endpoint to check whether the migration is complete.
When the migration is complete, Structural starts the upsert data generation.

POST Start Schema Changes endpoint

Required. Structural calls this endpoint to start the migration process specified by the provided URL.

The request includes:

Any custom parameter values that you add.
The connection information for the intermediate database.

The request uses the following format:

The response contains the identifier of the migration task.

The response uses the following format:

GET Status of Schema Change endpoint

Required. Structural calls this endpoint to check the current status of the migration process.

The request includes the task identifier that was returned when the migration process started. The request URL must be able to pass the request identifier as either a path or query parameter.

The response provides the current status of the migration task. The possible status values are:

Unknown
Queued
Running
Canceled
Completed
Failed

The response uses the following format:

GET Schema Change Logs endpoint

Optional. Structural calls this endpoint to retrieve the log entries for the migration process. It adds the migration logs to the upsert logs.

The request includes the task identifier that was returned when the migration process started. The request URL must be able to pass the request identifier as either a path or query parameter

The response body of the request should be 'text/plain'. It contains the raw logs.

DELETE Cancel Schema Changes endpoint

Optional. Structural calls this endpoint to cancel the migration process.

The request includes the task identifier that was returned when the migration process started. The request URL must be able to pass the request identifier as either a path or query parameter.

Enabling and configuring the migration process

To enable the migration process, toggle Enable Migration Service to the on position.

When you enable the migration process, you must configure the POST Start Schema Changes and GET Status of Schema Change endpoints.

You can optionally configure the GET Schema Change Logs and DELETE Cancel Schema Changes endpoints.

To configure the endpoints:

To configure the POST Start Schema Changes endpoint:
1. In the URL field, provide the URL of the migration script.
2. Optionally, in the Parameters field, provide any additional parameter values that your migration scripts need.
To configure the GET Status of Schema Change endpoint, in the URL field, provide the URL for the status check.
The URL must include an {id} placeholder. This is used to pass the identifier that is returned from the Start Schema Changes endpoint.
To configure the GET Schema Change Logs endpoint, in the URL field, provide the URL to use to retrieve the logs. The URL must include an {id} placeholder. This is used to pass the identifier that is returned from the Start Schema Changes endpoint.
To configure the DELETE Cancel Schema Changes endpoint, in the URL field, provide the URL to use for the cancellation. The URL must include an {id} placeholder. This is used to pass the identifier that is returned from the Start Schema Changes endpoint.

Connecting to the intermediate database

When you enable upsert, you must provide the connection information for the intermediate database.

For details, go to the workspace configuration information for the data connector.

Writing output to a container repository

Requires Kubernetes.

For self-hosted Docker deployments, you can install and configure a separate Kubernetes cluster to use. For more information, go to .

For information about required Kubernetes permissions, go to .

Not compatible with upsert.

Not compatible with Preserve Destination or Incremental table modes.

Only supported for PostgreSQL, MySQL, and SQL Server.

You can configure a workspace to write destination data to a container repository instead of to a database server.

Indicating to write destination data to container artifacts

Under Destination Settings, to indicate to write the destination data to container artifacts, click Container Repository.

You can switch between writing to a database server and writing to a container repository at any time. Structural preserves the configuration details for both options. When you run data generation, it uses the currently selected option for the workspace.

Identifying the base image to use to create the container artifacts

From the Database Image dropdown list, select the image to use to create the container artifacts.

Select an image version that is compatible with the version of the database that is used in the workspace.

Providing a customization file for MySQL

For a MySQL workspace, you can provide a customization file that helps to ensure that the temporary destination database is configured correctly.

To provide the customization details:

Toggle Use customization to the on position.
In the text area, paste the contents of the customization file.

Setting the location for the container artifacts

To provide the location where Structural publishes the container artifacts:

In the Registry field, type the path to the container registry where Structural publishes the data volume.
In the Repository Path field, provide the path within the registry where Structural publishes the data volume.

Providing the credentials to write to the registry

You next provide the credentials that Structural uses to read from and write to the registry.

When you provide the registry, Structural detects whether the registry is from Amazon Elastic Container Registry (Amazon ECR), Google Artifact Registry (GAR), or a different container solution.

It displays the appropriate fields based on the registry type.

Fields for registries other than Amazon ECR or GAR

For a registry other than an Amazon ECR or a GAR registry, the credentials can be either a username and access token, or a secret.

The option to use a secret is not available on Structural Cloud.

In general, the credentials must be for a user that has read and write permissions for the registry.

To use a username and access token:

Click Access token.
In the Username field, provide the username.
In the Access Token field, provide the access token.

To use a secret:

Click Secret name.
In the Secret Name field, provide the name of the secret.

Azure Container Registry (ACR) permission requirements

For ACR, the provided credentials must be for a service principal that has sufficient permissions on the registry.

Providing a service file for GAR

Structural only supports Google Artifact Registry (GAR). It does not support Google Container Registry (GCR).

For a GAR registry, you upload a service account file, which is a JSON file that contains credentials that provide access to Google Cloud Platform (GCP).

The associated service account must have the Artifact Registry Writer role.

For Service Account File, to search for and select the file, click Browse.

Amazon ECR registries

For an Amazon ECR registry, you can either:

Provide the AWS access and secret key that is associated with the IAM user that will connect to the registry
Provide an assumed role
(Self-hosted only) Use the credentials configured in the Structural environment settings TONIC_AWS_ACCESS_KEY_ID and TONIC_AWS_SECRET_ACCESS_KEY.
(Self-hosted only) If Structural is deployed in Amazon Elastic Kubernetes Service (Amazon EKS), then you can use the AWS credentials that live on the EC2 instance.

Using AWS access keys

To provide an AWS access key and secret key:

Click Access Keys.
In the Access Key field, enter an AWS access key that is associated with an IAM user or role.
In the Secret Key field, enter the secret key that is associated with the access key.

Using an assumed role

To provide an assumed role:

Click Assume Role.
In the Role ARN field, provide the Amazon Resource Name (ARN) for the role.
In the Session Name field, provide the role session name. If you do not provide a session name, then Structural automatically generates a default unique value. The generated value begins with TonicStructural.
In the Duration (in seconds) field, provide the maximum length in seconds of the session. The default is 3600, indicating that the session can be active for up to 1 hour. The provided value must be less than the maximum session duration that is allowed for the role.

For the assumed role, Structural generates the external ID that is used in the assume role request. Your role’s trust policy must be configured to condition on your unique external ID.

Here is an example trust policy:

Using the credentials from the environment settings (self-hosted only)

On a self-hosted instance, to use the credentials configured in the environment settings, click Environment Variables.

Using the AWS credentials from the EC2 instance (self-hosted only)

On a self-hosted instance, to use the AWS credentials from the EC2 instance, click Instance Profile.

Required permissions for the IAM user

The IAM user must have permission to list, push, and pull images from the registry. The following example policy includes the required permissions.

For additional security, a repository name filter allows you to limit access to only the repositories that are used in Structural. You need to make sure that the repositories that you create for Structural match the filter.

For example, you could prefix Structural repository names with tonic-. In the policy, you include a filter based on the tonic- prefix:

Providing tags for the container artifacts

In the Tags field, provide the tag values to apply to the container artifacts. You can also change the tag configuration for individual data generation jobs.

Use commas to separate the tags.

A tag cannot contain spaces. Structural provides the following built-in values for you to use in tags:

{workspaceId} - The identifier of the workspace.
{workspaceName} - The name of the workspace.
{timestamp} - The timestamp when the data generation job that created the artifact completed.
{jobId} - The identifier of the data generation job that created the artifact.

For example, the following creates a tag that contains the workspace name, job identifier, and timestamp:

{workspaceName}_{jobId}_{timestamp}

To also tag the artifacts as latest, check the Tag as "latest" in your repository checkbox.

Specifying custom resources for the Kubernetes pods

You can also optionally configure custom resource values for the Kubernetes pods. You can specify the ephemeral storage, memory, and CPU millicores.

To provide custom resources:

Toggle Set custom pod resources to the on position.
Under Storage Size:
1. In the field, provide the number of megabytes or gigabytes of storage.
2. From the dropdown list, select the unit to use.
The storage can be between 32MB and 25GB.
Under Memory Size:
1. In the field, provide the number of megabytes or gigabytes of RAM.
2. From the dropdown list, select the unit to use.
The memory can be between 512MB and 4 GB.
Under Processor Size:
1. In the field, provide the number of millicores.
2. From the dropdown list, select the unit.
The processor size can be between 250m and 1000m.

Setting a custom database name

Only available for PostgreSQL and SQL Server. Not available for MySQL.

In the Custom Database Name field, provide the name to use for the destination database.

If you do not provide a custom database name, then the destination database uses the same name as the source database.

Setting a custom database user password

In the Custom Password field, provide the password for the destination database user.

If you do not provide a password, then Structural generates a password.

Configuring the required tolerations for datapacker node taints

If your Kubernetes nodes are configured with taints, then on a self-hosted instance, you can configure the tolerations that enable the datapacker pods to be scheduled on the nodes. The datapacker pod hosts the temporary database that Structural uses during the data generation.

CONTAINERIZATION_POD_NODE_TOLERATION_KEY - The toleration key value to apply to the datapacker pods. This setting is required. If you do not configure this setting, then Structural ignores the other settings.
CONTAINERIZATION_POD_NODE_TOLERATION_VALUES - A comma-separated list of toleration values to apply to the datapacker pods.
CONTAINERIZATION_POD_NODE_TOLERATION_EFFECT - The toleration effect to apply to the datapacker pods.
CONTAINERIZATION_POD_NODE_TOLERATION_OPERATOR - The toleration operator to apply to the datapacker pods.

Configuring an individual column

For an individual column in Database View, you can configure the assigned generator and determine the column sensitivity.

Displaying the generator configuration panel

From the column list, to display the generator configuration panel, in the Applied Generator column, click the generator name tag.

Indicating whether a column is sensitive

Required workspace permission: Configure column sensitivity

The Structural sensitivity scan provides an initial indication of whether a column is sensitive and, if it is sensitive:

The type of sensitive data that is in the column.
The confidence level of the sensitivity detection.

For more information, go to Identifying sensitive data.

In a child workspace, you cannot configure whether a column is sensitive. A child workspace always inherits the sensitivity designations from its parent workspace.

Status column

From the Status column, to confirm or change the column sensitivity, click the Status value.

The status panel indicates whether the column is sensitive. It identifies the sensitivity type, and indicates how the sensitivity was determined - by a sensitivity scan or by a user.

Built-in sensitivity type

For a column that matches a built-in sensitivity type, the first time that you display the panel, the Sensitive data? setting displays Yes and No options for you to confirm or change the sensitivity.

To indicate that the column is sensitive, click Yes.
To indicate that the column is not sensitive, click No.

When you click Yes or No, the Yes and No options change to a simple toggle. When you click Yes, the sensitivity confidence level changes to full.

After that:

To indicate that the column is sensitive, toggle Sensitive data? to the on position.
To indicate that the column is not sensitive, toggle Sensitive data? to the off position.

Sensitivity rule match

When a column matches a sensitivity rule, the sensitivity panel indicates that the column matched a sensitivity rule.

You use the Sensitive data? toggle to indicate whether the column is actually sensitive.

No built-in sensitivity type or sensitivity rule match

When a column does not match a built-in sensitivity type or a custom sensitivity rule, the sensitivity panel indicates that column is not sensitive.

The Sensitive data? setting displays Yes and No options for you to confirm or change the sensitivity.

To indicate that the column is sensitive, click Yes.
To confirm that the column is not sensitive, click No.

When you click Yes or No, the Yes and No options change to a simple toggle.

If you click Yes:

The panel updates to indicate that a user confirmed that the column is sensitive.
The sensitivity confidence level is set to full confidence.

After that:

To indicate that the column is sensitive, toggle Sensitive data? to the on position.
To indicate that the column is not sensitive, toggle Sensitive data? to the off position.

Generator configuration panel

You can also configure the sensitivity from the generator configuration panel. On the generator configuration panel, the sensitivity setting is at the top right.

To indicate that a column is sensitive, toggle the sensitivity setting to the on position.
To indicate that the column is not sensitive, toggle the sensitivity setting to the off position.

When you change the sensitivity from the generator configuration panel, the Sensitive data? setting on the sensitivity panel also changes from the Yes and No options to the toggle.

Assigning or ignoring the recommended generator

Required workspace permission: Configure column generators

When a sensitivity scan identifies a column, Structural recommends a generator for the column. For example, when the sensitivity scan identifies a column as a first name, Structural recommends the Name generator configured to generate a first name value.

In the Assigned Generator column on Database View, columns that do not have an assigned generator, and that have a recommended generator, display the available recommendation icon.

To review and either apply or ignore the recommended generator, click the generator dropdown.

The generator recommendation panel contains the following information:

The sensitivity confidence level
The recommended generator
Sample source and destination values based on the recommended generator

From the panel, you choose whether to assign or ignore the recommended generator for that type.

To assign the recommended generator, click Apply. Structural displays the generator configuration panel with the recommended generator selected. You can then adjust the configuration or select a different generator.
To ignore the recommendation, click Ignore. Structural displays the generator configuration panel to allow you to select the generator to assign to the column.

Changing the column generator configuration

Required workspace permission: Configure column generators

To change the generator that is assigned to a selected column:

Click the generator name tag for the column.
To assign a different generator to the column, from the Generator Type dropdown list, select the generator.
Configure the generator options.

To reset an assigned generator to Passthrough, which indicates to not transform the data:

Click the generator name tag.
On the generator configuration panel, click the delete icon next to the generator dropdown.

For details about the configuration options for each generator, go to the Generator reference.

For more information about selecting and configuring generators and generator presets, go to Assigning and configuring generators.

Viewing workspace jobs and job details

Tonic Structural runs the following types of jobs on a workspace:

Sensitivity scans, which analyze the source database to identify sensitive data.
Collection scans, which analyze the source data for a MongoDB workspace to determine the available fields in each collection, the field types, and how prevalent the fields are.
Data generation, data pipeline generation, and containerized generation jobs, which generate the destination data from the source data.
Upsert data generation jobs, which generate the intermediate database from the source database.
Upsert jobs, which use data from the intermediate database to add new rows to and update changed rows in the destination database. If the migration process is enabled, then it is a step in the upsert job.
SDK table statistics jobs. These jobs only run when you use the SDK to generate data in a Spark workspace, and the assigned generators require the statistics.

You can view a list of jobs that ran on the workspace, and view details for individual jobs.

Viewing the list of jobs

The Jobs view displays the list of jobs that ran on the workspace. The list includes the 100 most recent jobs.

To display the Jobs view:

On the workspace management view, in the workspace navigation bar, click Jobs.
On Workspaces view, from the dropdown menu in the Name column, select Jobs.

Information in the job list

For each job, the job list includes the following information:

Job ID - The identifier of the job. To copy the job ID, click the icon at the left of the row.
Type - The type of job.
Submitted - The date and time when the job was submitted.
Completed - The date and time when the job finished running.

Job statuses

A job can have one of the following statuses:

Queued - The job is queued to run, but has not yet started. A job is queued for one of the following reasons:
- Another job is currently running on the same workspace. For example, you cannot run a sensitivity scan and a data generation, or multiple data generations, at the same time on the same workspace. This is true regardless of the number of workers on the instance. On Structural Cloud, there is also a limit on the number of concurrent running jobs for each organization. When that maximum is reached, a new job remains queued until a current running job completes.
- There isn't an available worker on the instance to run the job. A Structural instance with one worker can only run one job at a time. If a job from one workspace is currently running, a job from another workspace cannot start until the first job is finished.
To view information about why a job is queued, click the status value.
Running - The job is in progress.
Canceled - The job is canceled.
Completed - The job completed successfully.
Failed - The job failed to complete.

Each of these statuses has a corresponding "with warnings" status. For example, Running with warnings, Completed with warnings. A "with warnings" status indicates that the job had at least one warning at the time of the request.

Filtering the job list

You can filter the list by either the type or the status.

To filter the list by the job type:

Click the filter icon in the Type column heading. By default, all types are included, and none of the checkboxes are checked.
To only include specific types of jobs, check the checkbox next to each type to include. Checking all of the checkboxes has the same effect as unchecking all of the checkboxes.

To filter the list by the job status:

Click the filter icon in the Status column heading. The status panel displays all of the statuses that are currently in the list. For example, if there are no Queued jobs, then the Queued status is not in the list. By default, all of the statuses are included, and none of the checkboxes are checked.
To only include jobs that have specific statuses, check the checkbox next to each status to include. Checking all of the checkboxes has the same effect as unchecking all of the checkboxes.

Sorting the job list

You can sort the jobs by either the submission or completion timestamp.

To sort by submission date, click the Submitted column heading. To reverse the sort order, click the heading again.

To sort by completion date, click the Completed column heading. To reverse the sort order, click the heading again.

Viewing details for a selected job

For jobs other than Queued jobs, you can display details about the workspace and the job progress.

From the Jobs view, to display the details for a job, click the job row.

Workspace information

The left side of the job details view contains the workspace information.

For a sensitivity scan, the workspace information is limited to the owner, database type, and worker version.

For a data generation job, the workspace information also includes:

Whether subsetting, post-job scripts, or webhooks are used.
The number of schemas, tables, and columns in the source database.
The number of schemas, tables and columns in the destination database.

Job Log

The Job Log tab shows the start date, start time, and duration of the job, followed by the list of job process steps.

Privacy Report

For data generation jobs, the Privacy Report tab displays the number of at-risk, protected, and not sensitive columns in the source database.

At-risk columns contain sensitive data, but still have Passthrough as the assigned generator.

Protected columns have an assigned generator other than Passthrough.

Not sensitive columns have Passthrough as the assigned generator, but do not contain sensitive data.

Ephemeral output details

A workspace can write output to a Tonic Ephemeral snapshot, with an option to preserve the temporary Ephemeral database that is used to create the snapshot.

For data generation jobs that write to Ephemeral, the Data available in Tonic Ephemeral panel displays. It contains a link to Ephemeral, and access to either the snapshot or the database.

Snapshot details

When the temporary database is not preserved, the Data available in Tonic Ephemeral panel provides access to the snapshot.

To navigate to Ephemeral and view the details for an Ephemeral snapshot, click View Snapshot in Tonic Ephemeral.

Database connection details

When the temporary database is preserved, the Data available in Tonic Ephemeral panel provides access to the database.

To display the connection details for the Ephemeral database, click View connection info.

For an Ephemeral database, the connection details include:

The database location and credentials. Each field contains a copy icon to allow you to copy the value.
SSH tunnel information, including instructions on how to create an SSH tunnel from your local machine to the Ephemeral database.

Copying the job ID

The job identifier is a unique identifier for the job. To copy the job ID, either:

Canceling a job

You can cancel Queued or Running jobs.

For jobs with those statuses, the rightmost column in the job list contains a cancel icon.

To cancel the job, click the icon.

Downloading job information

For workspaces that are configured to write destination data to container artifacts, the Jobs view also provides access to those artifacts. For more information, go to Viewing and downloading container artifacts.

Job logs

Required workspace permission: Download job logs

To download diagnostic logs, you must have the Enable diagnostic logging global permission.

For all jobs, the job logs provide detailed information about the job processing. Tonic.ai support might request the job logs to help diagnose issues.

For a failed data generation to Ephemeral, the job logs include the Ephemeral logs and the destination database pod logs.

For upsert jobs where the migration process is enabled, and you configured the GET Schema Change Logs endpoint, the upsert job logs include the migration process logs.

Where to download the job logs

You can download the job logs from the Jobs view or the job details view. The download includes up to 1MB of log entries.

On the Jobs view, to download the logs for a job, click the download icon in the rightmost column.

On the job details view, to download the logs for a job, click Reports and Logs, then select Job Logs.

Downloading diagnostic logs

By default, Structural redacts sensitive values from the job logs. To help support troubleshooting, you can configure data connectors or an individual data generation job to create unredacted versions of the log files, referred to as diagnostic logs. For more information, go to Redacted and diagnostic (unredacted) logs.

To access diagnostic log files, you must have the Enable diagnostic logging global permission.

If you do not have the Enable diagnostic logging global permission, then you cannot download the logs for that job. The download option is disabled.

Privacy Report for data generation

Required workspace permission: View and download Privacy Report

From the job details view, you can download a Privacy Report file that provides an overview of the current protection status of the database columns based on the workspace configuration at the time that the job ran.

You can download either:

The Privacy Report .csv file, which provides details about the table columns, the column content, and the current protection configuration.
The Privacy Report PDF file, which provides charts that summarize the privacy ranking scores for the table columns. It also includes the table from the .csv file.

To display the download options, click Reports and Logs. In the menu:

To download the Privacy Report .csv file, click Privacy Report CSV.
To download the Privacy Report PDF file, click Privacy Report PDF.

For more information about the Privacy Report files and their content, go to Using the Privacy Report to verify data protection.

Additional logs for output to a container repository

For a workspace that writes the output to a container repository, the job includes the following additional logs:

Database logs - Logs for the database container that is used as the destination.
Datapacker logs - Logs for creating the OCI artifact and uploading it to an OCI registry.

To download these logs for a data generation job, on the job details view, click Reports and Logs, then select Database Logs or Datapacker Logs.

CloudWatch logs for data generation

For workspaces that are connected to Amazon Redshift or Snowflake on AWS databases, the data generation job requires multiple calls to a Lambda function. For these data generation jobs, the CloudWatch logs monitor the progress of and display errors for these Lambda function calls.

To download the CloudWatch logs for a data generation job, on the job details view, click Reports and Logs, then select CloudWatch Logs.

The CloudWatch Logs option only displays for Amazon Redshift and Snowflake on AWS data generation jobs.

Oracle SQL Loader log files

Required workspace permission: Download SqlLdr Files

For an Oracle data generation, if both of the following are true:

The data generation job ran SQL Loader (sqlldr).
sqlldr either failed or succeeded with errors.

Then to download the sqlldr log files, click Reports and Logs, then select sqlldr Logs.

Transformed files for file connector data generation

For a data generation from a file connector workspace that uses local files, you can download the transformed files for that job.

The download is a .zip file that contains the files for a selected file group.

On the job details view, when files are available to download, the Data available for file groups panel displays.

To download the files for a file group:

Click Download Results.
From the list, select the file group. Use the filter field to filter the list by the file group name.

Performance metrics for data generation

Required workspace permission: Download job logs

For workspaces that use the newer data generation processing, users can configure a data generation job to also generate performance metrics. This is usually done for troubleshooting purposes.

On the job details view, to download the performance metrics for the job, click Reports and Logs, then click Performance Metrics.

Privacy Hub

About Privacy Hub

Privacy Hub tracks the current protection status of source data columns based on:

, either from the most recent sensitivity scan or from manual assignments
Assigned
Assigned

To display Privacy Hub, either:

On the workspace management view, in the workspace navigation bar, click Privacy Hub.
On Workspaces view, click the workspace name.

From Privacy Hub, you can:

Review and apply the recommended generators for all detected sensitive columns
View the current protection status of columns
Manually mark columns as sensitive or not sensitive
Configure protection for sensitive columns
Download a preview Privacy Report
Run a new sensitivity scan

Viewing the count of detected sensitive columns that are not protected

The sensitivity scan detects specific types of sensitive data.

If your workspace contains any columns that the sensitivity scan identified, and for which you have not either:

Assigned a generator
Marked as not sensitive

Then Tonic Structural displays a Sensitivity Recommendations banner that contains a count of those columns.

The count only includes sensitive columns that the sensitivity scan detects. If you manually mark a column as sensitive, it is not included in the list.

On the banner, the Review Recommendations option allows you to review the detected columns and the recommended generators for each detected sensitive data type.

You can then apply the recommended generators or ignore the recommendation. When you ignore a recommendation, you either:

Indicate to remove the generator recommendation for the column.
Indicate that the column data is not sensitive.

Viewing the current protection status

The protection status panels at the top of Privacy Hub provide an overview of the current protection status of the columns in the source data.

Each panel displays:

The number of columns that are in that category
The estimated percentage of columns that are in that category

The column counts do not include columns that do not have data in the destination database. For example, if a table is assigned Truncate table mode, then Privacy Hub ignores the columns in that table.

The information on these panels updates automatically as you change whether columns are sensitive and assign generators to columns.

At-Risk Columns

The At-Risk Columns panel reflects columns that:

Are populated in the destination database.
Are marked as sensitive.
Have the generator set to Passthrough, which indicates that Structural does not perform any transformation on the data.

For each column, the At-Risk Columns panel also indicates the sensitivity confidence, from full confidence (completely red) to low confidence (a small percentage of red).

The goal is to have 0 at-risk columns.

Protected Columns

The Protected Columns panel reflects columns that:

Are populated in the destination database.
Are assigned a generator other than Passthrough.

It includes both sensitive and non-sensitive columns.

Note that a column is considered protected based solely on the assigned generator. Some more complex generators, such as JSON Mask or Conditional, allow you to apply different generators to specific portions of a value or based on a specific condition. However, the protection status does not reflect these sub-generators. An applied sub-generator could be Passthrough.

Not Sensitive Columns

The Not Sensitive Columns panel reflects columns that:

Are populated in the destination database.
Are marked as not sensitive.
Have the generator set to Passthrough.

Viewing the protection status for each table

The Database Tables list shows the protection status for each table in the source database. You can view the number of columns that have each protection status, and update the column configuration.

The list does not include tables where the table mode is Truncated or Preserve Destination. Truncated tables are not populated in the destination database. For Preserve Destination tables, the existing data in the destination database does not change.

Information in the list

For each table, Database Tables provides the following information:

Privacy Status - Indicates the current protection status of the columns in the table. It provides the same view and configuration options as the protection status panels at the top of Privacy Hub.

Filtering the list

You can filter the Database Tables list either by the table name or by the schema.

To filter the list by table name, in the filter field, begin typing text in the table name. As you type, Structural updates the list to only display matching tables.

To filter the list to only include tables that belong to a specific schema:

Click Filter by Schema.
From the schema dropdown list, select the schema.

When you select a schema, Structural adds it to the filter field.

Sorting the list

You can sort the Database Tables list by any column except for the Privacy Status column.

To sort by a column, click the column heading. To reverse the sort order, click the heading again.

Managing columns from the table list

The Privacy Status column in the Database Tables list indicates the protection status of the columns in the table.

Viewing and configuring columns

Navigating through columns and viewing column details

Each protection status panel displays a series of boxes to represent the columns that apply to that status. For example, if the source data contains four columns that are at-risk, then the At-Risk Columns panel displays four boxes, one for each column.

The Privacy Status column in the Database Tables list displays the same set of boxes for the columns in an individual table.

If the number of columns is too large to fit, then the last box shows the number of additional columns that apply. For example, if there are 15 columns that don't fit, then the last box is labeled +15.

When you hover over a box, the column name displays in a tooltip.

When you click a box, the details panel for that column displays.

When you click the box for remaining columns, the details panel for the first column in the remaining columns displays.

You can use the next and previous icons at the bottom right of the details panel to display the details for the next or previous column.

The column details panel opens to the settings view. The settings view contains the following information:

The table and column name.
Whether the column is flagged as sensitive.
The type of PII that the column contains.
The data type for the column data.
The generator that is assigned to the column.
For a child workspace, whether the column configuration is inherited from the parent workspace. For columns that have overrides, you can reset to the parent configuration.

Indicating whether a column is sensitive

Required workspace permission: Configure column sensitivity

From the settings view of the column details, you can configure the column sensitivity.

As you change the column sensitivity, Structural updates the protection status panels.

To change whether the column is sensitive, toggle the Sensitive option. The column is moved if needed to reflect its new status. However, you remain on the current panel.

For example, from the At-Risk Columns panel, you change a column to be not sensitive. The column is moved to the Not Sensitive Columns panel. When you click the next or previous icons, you view the details for the next or previous column on the At-Risk Columns panel.

Selecting and configuring a generator for the column

Required workspace permission: Configure column generators

From the column details, you can assign and configure the column generator.

When you change the column generator, Structural updates the protection status panels.

If the column generator was previously Passthrough, then the column is moved to the Protected Columns panel. However, you remain on the current panel. For example, you assign a generator to a column that is on the At-Risk Columns panel. The column is moved to the Protected Columns panel, but when you click the next or previous icons, you view the details for the next or previous column on the At-Risk Columns panel.

Selecting the generator

For sensitive columns that are not protected, Structural displays the recommended generator as a button.

For self-hosted instances that have an Enterprise license, the recommended generator is the built-in generator preset.

To assign the recommended generator to the column, click the button.

Otherwise, select the generator from the Generator Type dropdown list.

Configuring the generator

If the selected generator requires additional configuration, then below the Generator Type dropdown list is an Edit Generator Options link.

To display the configuration fields for the generator, click Generator Options.

After you configure the generator, to return to the settings view, click Back.

Displaying sample data for a column

Required workspace permission:

Source data: Preview source data
Destination data: Preview destination data

From the column details, you can display sample data for the column. The sample data allows you to compare the source and destination versions of the column values.

To display the sample data, click the view sample (magnifying glass) icon.

On the sample data view of the column details:

The Original Data tab shows the values in the source data.
The Protected Output tab shows the values that the generator produced.

Commenting on a column

Required license: Professional or Enterprise

From the column details, you can view and add comments on the column. You might use a comment to explain why you selected a particular generator or marked a column as sensitive or not sensitive.

From the column details, to display the comments for the column, click the comment icon.

The comments view displays any existing comments on the column. The most recent comment is at the bottom of the list. Each comment includes the name of the user who made the comment.

To add the first comment to a column, type the comment into the comment text area, then click Comment.

To add an additional comment, type the comment into the comment text area, then click Reply.

Downloading a preview Privacy Report

Required license: Enterprise

The Privacy Report files that you download from Privacy Hub or the workspace download menu provide an overview of the current protection status based on the current configuration.

This is different from the Privacy Report files that you download from the data generation job details, which show the protection status after the data generation.

You can download either:

The Privacy Report .csv file, which provides details about the table columns, the column content, and the current protection configuration.
The Privacy Report PDF file, which provides charts that summarize the privacy ranking scores for the table columns. It also includes the table from the .csv file.

From the workspace management view, click the download icon. In the download menu:

To download the Privacy Report PDF file, click Download Privacy Report PDF.
To download the Privacy Report .csv file, click Download Privacy Report CSV.

From Privacy Hub, click Reports and Logs, then:

To download the Privacy Report .csv file, click Privacy Report CSV.
To download the Privacy Report PDF file, click Privacy Report PDF.

Running a new sensitivity scan on the data

Required workspace permission: Run sensitivity scan

You add columns to the source database. The new scan identifies whether the new columns contain sensitive data.
The data in a column changes significantly, and a column that Structural originally marked as not sensitive might now contain sensitive data.

To run a new sensitivity scan, click Run Sensitivity Scan.

When Structural runs a new sensitivity scan:

Structural analyzes and determines the sensitivity of any new columns.
It does not change the sensitivity of existing columns that you marked as sensitive or not sensitive.
For existing columns that you did not change the sensitivity of:
- Structural does not change the sensitivity of existing columns that the original scan marked as sensitive.
- It can change the sensitivity of existing columns that the original scan marked as not sensitive.

The protection status panels are updated to reflect the results of the new scan.

Viewing the column list

The column list on Database View contains information about the sensitivity and generator configuration for each column.

Column - Column name and type

The Column column provides general information about the columns and their content, including:

Table and column name. When you click the column name, Table View for the column table displays.
The name of the schema that contains the table.
The data type for the column.
An indicator when the column is a primary key

The Column column also contains the option to display sample data for the column.

Status - Protection and sensitivity status

The Status column provides information about whether the column contains sensitive data and whether it has an assigned generator.

The protection status can be one of the following values:

Protected - The column has an assigned generator.
Not Sensitive - The column is marked as not sensitive.
At Risk - The column is sensitive and does not have an assigned generator.

At the right of the Status column is a confidence indicator. For At Risk columns, the confidence indicator shows how confident Structural is that the column is sensitive and contains values of the displayed sensitivity type.

For more information about how Structural identifies values and assigns the confidence level, go to #sensitive-data-how-identified.

From the Status column, you can change whether a column is sensitive.

Applied Generator - Column configuration

The Applied Generator column is where you select and configure the generator to assign.

The generator dropdown indicates the currently assigned generator. It also indicates when an unprotected column has a recommended generator.

For foreign key columns, the generator dropdown is disabled and the column is marked as a foreign key. Foreign key columns always inherit the generator that is assigned to the primary key.

In a child workspace, when the generator configuration overrides the parent workspace, the generator dropdown displays the override icon.

The Applied Generator column also contains the option to display and create column comments.

Filtering the column list

To filter the column list, you can:

Use the table list to filter the displayed columns based on the table that the columns belong to.
Use the filter field to filter the columns by table or column name.
Use the Filters panel to filter the columns based on column attributes and generator configuration.

You can use column filters to quickly find columns that you want to verify or update the configuration for.

Filter by table

To filter the column list to only include columns for specific tables, either:

Apply a filter to the table list.
Check the checkbox for each table to display columns for.

Filter by table or column name

To filter the column list by table or column name, in the filter field, begin to type text that is in the table or column name.

As you type, Structural filters the column list.

Using the Filters panel

The Filters panel provides access to column filters other than the table and column name.

To display the Filters panel, click Filters.

Searching for a filter

To search for a filter or a filter value, in the search field, start to type the value. The search looks for text in the individual settings.

For each filter, the Filters panel indicates the number of matching columns, based on the selected tables and the current filters.

Adding a filter

To add a filter, depending on the filter type, either check the checkbox or select a filter option. As you add filters, Structural applies them to the column list. Above the list, Structural displays tags for the selected filters.

Clearing the selected filters

To clear all of the currently selected filters, click Clear All.

Filters panel filters

Columns with generator recommendations

To only display detected sensitive columns for which there is a recommended generator, on the Filters panel, check Has Generator Recommendation.

At-risk columns

An at-risk column:

Is marked as sensitive
Is included in the destination data.
Is assigned the Passthrough generator.

To only display at-risk columns, on the Filters panel, check At-Risk Column.

When you check At-Risk Column, Structural adds the following filters under Privacy Settings:

Sets the sensitivity filter to Sensitive
Sets the protection status filter to Not protected
Sets the column inclusion filter to Included

Sensitivity

You can filter the columns based on the column sensitivity.

On the Filters panel, under Privacy Settings, the sensitivity filter is by default set to All, which indicates to display both sensitive and non-sensitive columns.

To only display sensitive columns, click Sensitive.
To only display non-sensitive columns, click Not sensitive.

Note that when you check At-risk Column, Tonic automatically selects Sensitive.

Protection status

You can filter the columns based on whether they have any generator other than Passthrough assigned. To filter the columns based on specific assigned generators, use the Applied Generator filter.

On the Filters panel, under Privacy Settings, the column protection filter is by default set to All, which indicates to display both protected and not protected columns.

To only display columns that have an assigned generator, click Protected.
To only display columns that do not have an assigned generator, click Not protected.

Note that when you check At-Risk Column, Structural automatically selects Not protected.

Inclusion in the destination database

You can filter the columns based on whether they are populated in the destination database. For example, if a table is truncated, then the columns in that table are not populated.

On the Filters panel, under Privacy Settings, the column inclusion filter is by default set to All, which indicates to display both included and not included columns.

To only display columns that are populated in the destination database, click Included.
To only display columns that are not populated in the destination database, click Not included.

Note that when you check At-Risk Column, Structural automatically selects Included.

Assigned generator

To only display columns that are assigned specific generators, on the Filters panel, under Applied Generator, check the checkbox for each generator to include.

The list of generators only includes generators that are assigned to the currently displayed columns and that are compatible with other applied filters.

To search for a specific generator, in the Filters search field, begin to type the generator name.

Column data type

You can filter the columns by the column data type. For example, you can only display varchar columns, or only columns that contain either numeric or integer values.

To only display columns that have specific data types, on the Filters panel, under Database Data Types, check the checkbox for each data type to include.

The list of data types only includes data types that are present in the currently displayed columns and that are compatible with other applied filters.

To search for a specific data type, in the Filters search field, begin to type the data type.

Unresolved schema changes

When the source database schema changes, you might need to update the configuration to reflect those changes. If you do not resolve the schema changes, then the data generation might fail. The data generation fails if there are unresolved conflicting changes, or if you configure Structural to always fail data generation when there are any unresolved changes.

For more information about schema changes, go to Viewing and resolving schema changes.

To only display columns that have unresolved schema changes, on the Filters panel, check Unresolved Schema Changes.

Sensitivity type

For detected sensitive columns, the sensitivity type indicates the type of data that was detected. Examples of sensitivity types include First Name, Address, and Email.

To only display columns that contain specific sensitivity types, on the Filters panel, under Sensitivity Type, check the checkbox for each sensitivity type to include.

The list of sensitivity types only includes sensitivity types that are present in the currently displayed columns.

To search for a specific sensitivity type, in the Filters search field, type the sensitivity type.

Sensitivity confidence

When the Structural sensitivity scan identifies a value as belonging to a sensitivity type, it also determines how confident it is in that determination. The Status column displays the confidence level.

You can filter the columns based on the confidence level.

To only display columns that have a specific confidence level, on the Filters panel, under Sensitivity confidence, check the checkbox next to each confidence level to include.

Column nullability

You can filter the column list based on whether the column is nullable.

On the Filters panel, under Data Attributes, the nullability filter is by default set to All, which indicates to display both nullable and non-nullable columns.

To only display columns that are nullable, click Nullable.
To only display columns that are not nullable, click Non-nullable.

Column uniqueness

You can filter the column list based on whether the column must be unique.

On the Filters panel, under Data Attributes, the uniqueness filter is by default set to All, which indicates to display both unique and not unique columns.

To only display columns that must be unique, click Unique.
To only display columns that do not require uniqueness, click Not unique.

Primary or foreign keys

You can filter the column list to indicate whether to include:

Columns that are not primary or foreign keys.
Columns that are foreign keys.
Columns that are primary keys.

On the Filters panel, under Column Type:

To display columns that are neither a primary key nor a foreign key, check Non-keyed.
To display columns that are primary keys, check Primary key.
To display columns that are foreign keys, check Foreign key.

Generator overrides in a child workspace

In a child workspace, to only display columns that override the generator configuration that is in the parent workspace, on the Filters panel, check Overrides Inheritance.

Uses Structural data encryption

You can enable Structural data encryption, a configuration that allows Structural to:

Decrypt source data before applying the generator
Encrypt generated data before writing it to the destination database

For more information, go to Configuring and using Structural data encryption.

When Structural data encryption is enabled, the generator configuration panel includes an option to use Structural data encryption.

To only display columns that are configured to use Structural data encryption, on the Filters panel, check Uses Data Encryption.

Sorting the column list

By default, the column list is sorted first by table name, then by column name. The columns for each table display together. Within each table, the columns are in alphabetical order.

You can also sort the column list by column name first, then by table. Columns that have the same name display together. Those columns are sorted by the name of the table.

The button at the right of the Column column heading indicates the current sort order.

T.C indicates that the table is sorted by table, then by column
C.T indicates that the table is sorted by column, then by table

To switch the sort order, click the button.

Table View

Table View displays source or preview data for a single table. For a file connector workspace, each table corresponds to a file group.

Required workspace permission:

Source data: Preview source data
Destination data: Preview destination data

If you do not have either of these permissions, then you cannot display Table View.

From Table View, you can:

Select the table mode for a table.
View the generator configuration for the table columns.
Toggle between source data and preview data.
View information about the column data types and protection status.
Update the sensitivity and generator configuration for the table columns.

To display Table View:

On the workspace management view, click Table View.
On Workspaces view, from the dropdown menu in the Name column, select Table View.

You can also display Table View for a table in Database View. To display Table View, either click the arrow icon for the table, or click a row in the table.

Selecting the table to view

When you display Table View from Database View, it displays the data for the selected table.

When you display Table View from the workspace management view or Workspaces view, it displays the most recently displayed table.

If Table View was never displayed before, then it displays the first table in the workspace. To change the selected table, from the Table dropdown list, select the table to view.

Viewing overrides in a child workspace

Required license: Enterprise

By default, a child workspace inherits the configuration from the parent workspace. You can override the table mode or column generator.

In a child workspace, each Model entry indicates whether the configuration overrides the parent configuration.

When a column overrides the parent configuration, an Overriding label displays above the column.

To filter Table View to only display columns with overrides, toggle Show Overrides Only to the on position.

On the column configuration or Model entry, to reset the configuration to match the parent workspace, click Reset.

Selecting the table mode

Required workspace permission: Assign table modes

To change the table mode that is assigned to the table:

Click the current table mode.
On the table mode panel, from the Table Mode dropdown list, select the new table mode.

When you change the table mode, Tonic Structural updates the preview data as needed. For example, if you change the table mode to Truncate, then the preview data is empty.

For a child workspace, the table mode selection panel indicates whether the selected table mode is inherited from the parent workspace.

If the child workspace currently overrides the parent workspace configuration, then to reset the table mode to the table that is assigned in the parent workspace, click Reset.

Viewing the list of generator configurations

The Model section of Table View displays the configured generators for the table columns.

The header for each Model entry is the column name.

Linked columns share an entry. The heading is a comma-separated list of the linked columns.

Each entry contains the following information:

The column and generator, in the format Column Name >> Generator Name. For example, First_Name >> Name indicates that the First_Name column has the Name generator applied. For linked columns, there is a Column Name >> Generator Name entry for each column.
The selected configuration options for the generator.

By default, a child workspace inherits the configuration from its parent workspace. You can also override the configuration. For a child workspace, each Model entry indicates whether the configuration overrides the parent configuration. For configurations that override the parent, to remove the overrides and restore the inheritance, click Reset.

The Model entry also indicates when Tonic data encryption is enabled for the column.

To remove the generator from a column, click the delete icon.

Viewing column attributes and data

The columns section of Table View displays a sample set of data for the table.

Information about the column protection status

The column heading background color indicates the column's protection status.

Red - At risk - The column is marked as sensitive, but the generator is still Passthrough.
Orange - Protected - The column has an assigned generator other than Passthrough. Protected columns might be either sensitive or not sensitive.
Gray - The column is not sensitive and the generator is Passthrough.

Toggling between source and preview data

The Preview toggle at the top right of Table View allows you to choose whether to display original source data or the transformed data. You can switch back and forth to understand exactly how Structural transforms the data based on the table and column configuration.

By default, the Preview toggle is in the on position, and the displayed data reflects the selected table mode and the assigned generators. For tables that use Truncate mode, the preview data is empty. Truncated tables do not have data in the destination database.

To display the original source data, toggle Preview to the off position.

Using a query to filter the source data

You can provide a query to filter the source data. The query is always against the source data, not the preview data, regardless of whether the Preview toggle is off or on.

For example, you configure a first name field to use the Name generator and enable consistency. You can then query the source data for a specific first name value to check that the preview data uses the same destination value for all of those records.

To apply a query to the source data:

Click the query filter icon, located between the table name and the table mode.
On the Table Filter dialog, provide the where clause for the query.
To apply the query, click Apply.
To close the dialog, click Close.

To clear an applied query, on the Table Filter dialog, click Clear.

If no filter is applied, then the query filter icon has a white background.

If a valid filter is applied, then the query filter icon has a gray background.

If the provided where clause is not valid, then the query filter icon has a red background.

Identifying primary keys, foreign keys, and data types

In addition to the column name, the column heading identifies primary keys and foreign keys, and indicates the type of data.

Primary key columns are indicated by a gold key icon.

Foreign key columns are indicated by a black key icon.

For other columns, the icon reflects the type of data that is in the column, such as text, numeric values, or datetime values.

Configuring columns

To display the configuration panel for a column, click the dropdown icon.

From the configuration panel, you can:

Indicate whether a column is sensitive.
Select and configure a generator for the column.

Indicating whether a column is sensitive

Required workspace permission: Configure column sensitivity

On the column configuration panel, the sensitivity toggle at the top right indicates whether the column is marked as sensitive.

To mark a column as sensitive, toggle the setting to the Sensitive position.

To mark a column as not sensitive, toggle the setting to the Not Sensitive position.

In a child workspace, you cannot configure whether a column is sensitive. A child workspace always inherits the sensitivity designation from its parent workspace.

When you copy a workspace, Structural performs a new sensitivity scan on the copy. It does not copy the sensitivity designations from the original workspace.

Selecting and configuring a generator

Required workspace permission: Configure column generators

On the column configuration panel, from the Generator Type dropdown list, select the generator to assign to the column.

When you select a generator, Structural displays the available configuration options for that generator. For details about the configuration options for each generator, go to the Generator reference.

To remove the selected generator or generator preset, and reset the generator to Passthrough, click the delete icon next to the Generator Type dropdown.

For more information about selecting and configuring generators and generator presets, go to Assigning and configuring generators.

Running the Structural sensitivity scan

When sensitivity scans run

Structural runs sensitivity scans automatically based on specific events. You can also run manual sensitivity scans on demand.

On a self-hosted instance, sensitivity scans can also run automatically at the same time each day.

Event-based sensitivity scans

Structural automatically runs a sensitivity scan when you:

Create a completely new workspace and connect a data source
Change the data connection details for the source database
Add a file group to a file connector workspace

A child workspace always inherits the sensitivity designations from its parent workspace.

When you copy a workspace, Structural runs a new sensitivity scan on the copy to identify sensitive columns. However, it keeps the sensitivity designation for columns that you specifically marked as sensitive or not sensitive.

Manual sensitivity scans

In addition to the automatic scans, from Privacy Hub, you can .

Scheduling daily sensitivity scans

On self-hosted instances, Structural can also run scheduled daily sensitivity scans in the background.

The daily scans only run on the 10 workspaces that had the most recent activity. Activity includes:

Data generation jobs

By default, Structural runs the sensitivity scans each day at midnight.

TONIC_ENABLE_SCHEDULED_SENSITIVITY_SCAN - Boolean to indicate whether to enable the scheduled daily sensitivity scans. The default value is true. To disable the scheduled daily scan, set this to false.
TONIC_SENSITIVITY_SCAN_HOUR - When scheduled scans are enabled, the hour at which to run the scans. The setting uses the local time zone. The value is an integer between 0 and 23, where 0 is midnight and 23 is 11:00 PM. For example, a value of 14 indicates to run the job at 2:00 PM. The default value is 0.

Configuring parallel processing for sensitivity scans

For improved performance, sensitivity scans can use parallel processing.

For document-based databases such as MongoDB, you use the environment setting TONIC_PII_SCAN_PARALLELISM_DOCUMENTDB. The default value is 1.

How Structural identifies sensitive values

The Structural sensitivity scan uses the following rules and processes to:

Identify sensitive columns
Indicate its confidence that an identified column is sensitive and is of the detected sensitivity type

Note that this process cannot guarantee perfect precision and recall. We strongly recommend that a human reviews the sensitivity scan results and the broader dataset to ensure that nothing sensitive was missed.

Rule-based data type, column name, and value analysis - High, medium, or low confidence

This part of the sensitivity scan uses regular expression matching and dictionary lookups. It produces high, medium, or low confidence detections.

When this part of the sensitivity scan determines that a column contains sensitivity data, it:

Marks the column as sensitive
Assigns the sensitivity type to the column
Recommends the generator configuration for the identified sensitivity type. Note that if the recommended generator is not compatible with the column, then Structural discards the recommendation.
Marks the sensitivity detection as high, medium, or low confidence. The confidence level is based on a calculation of how well the column matched the applicable rules.

Custom sensitivity rules - Full confidence

The sensitivity scan also looks for any columns that match custom sensitivity types that you define in your custom sensitivity rules.

Custom sensitivity rules always produce full confidence detections.

When a column matches a custom sensitivity rule, Structural:

Marks the column as sensitive
Assigns the sensitivity rule name as the sensitivity type
Recommends the generator preset from the sensitivity rule
Marks the sensitivity detection as full confidence

Model-based analysis - Medium and low confidence

To identify additional sensitive columns that might not be captured by the other parts of the scan, the sensitivity scan uses an artificial intelligence (AI) model. Note that the model is pre-trained. Structural does not use customer data to train the model or send any customer data externally.

This part of the scan produces medium or low confidence detections for built-in entity types.

The model considers the table and column name. If the combination of table and column name is similar in meaning to a sensitivity type that Structural has a recommended generator for, then Structural:

Marks the column as sensitive
Assigns the sensitivity type to the column
Recommends the generator configuration for that sensitivity type
Uses AI to compare the table name and column name combination to the sensitivity type, and produces a semantic similarity score.
Based on the semantic similarity score, marks the sensitivity detection as either medium or low confidence.

Downloading the sensitivity scan log

To download the log of the most recent sensitivity scan:

On the workspace management view, from the download menu, select Download Sensitivity Scan Log.
On Privacy Hub, click Reports and Logs, then select Scan Log.

The log tracks the progress of the scan.

Table modes

Each table is assigned a table mode. The table mode determines at a high level how the table is populated in the destination database.

Selecting the table mode for a table

Required workspace permission: Assign table modes

Both Database View and Table View allow you to view and update the selected table mode for a table.

For Database View, go to .

For Table View, go to .

Available table modes

De-Identify

This is the default table mode for new tables.

In this mode, Tonic Structural copies over all of the rows to the destination database.

For columns that have the generator set to Passthrough, Structural copies the original source data to the destination database.

For columns that are assigned a generator other than Passthrough, Structural uses the generator to replace the column data in the destination database.

Truncate

This mode drops all data for the table in the destination database.

For data connectors other than Spark-based data connectors, the table schema and any constraints associated with the table are included in the destination database.

Any existing data in the destination database is removed. For example, if you change the table mode to Truncate after an initial data generation, the next data generation clears the table data. For Spark-based data connectors, the table is removed.

If you assign Truncate mode to a table that has a foreign key constraint, it fails during data generation. If this is a requirement, contact support@tonic.ai for assistance.

Preserve Destination

This mode preserves the data in the destination database for this table. It does not add or update any records.

This feature is primarily used for very large tables that don't need to be de-identified during subsequent runs after the data exists in the destination database.

When you assign Preserve Destination mode to a table, Structural locks the generator configuration for the table columns.

The destination database must have the same schema as the source database.

You cannot use Preserve Destination mode when you:

Enable upsert for a workspace.
Write destination data to a container artifact.
Write destination data to an Ephemeral snapshot.

Incremental

Incremental mode only processes the changes that occurred to the source table since the most recent data generation or other changes in the destination. This can greatly reduce generation time for large tables that don't have a lot of changes.

For Incremental mode to work, the following conditions must be satisfied:

The table must exist in the destination database. Either Structural created the table during data generation, or the table was created and populated in some other way.
A reliable updated date column must be present. When you select Incremental mode for a table, Structural prompts you to select the updated date column to use.
The table must have a primary key.

To maximize performance, we recommend that you have an index on the date updated field.

For tables that use Incremental mode, Structural checks the source database for records that have an updated date that that is greater than the maximum date in that column in the destination database.

When identifying records to update, Structural only checks the updated date. It does not check for other updates. Records where the generator configuration is changed are not updated if they do not meet the updated date requirement.

For the identified records, Structural checks for primary key matches between the source and destination databases, then does one of the following:

If the primary key value exists in the destination database, then Structural overwrites the record in the destination database.
If the primary key value does not exist in the destination database, then Structural adds a new record to the destination database.

This mode currently only updates and adds records. Rows that are deleted from the source database remain in the destination database.

To ensure accurate incremental processing of records, we recommend that you do not directly modify the destination database. A direct modification might cause the maximum updated date in the destination database to be after the date of the last data generation. This could prevent records from being identified for incremental processing.

You cannot use Incremental mode when you:

Enable upsert for a workspace.
Write destination data to a container artifact.
Write destination data to an Ephemeral snapshot

Scale

In this mode, Structural generates an arbitrary number of new rows, as specified by the user, using the generators that are assigned to the table columns.

You can use linking and partitioning to create complex relationships between columns.

Structural generates primary and foreign keys that reflect the distribution (1:1 or 1:many) between the tables in the source database.

You cannot use Scale mode when you enable upsert for a workspace.

Indicating whether to return an error when destination data already exists (Databricks only)

For the Databricks data connector, the table mode configuration includes an Error on Overwrite setting. The setting indicates whether to return an error when Structural attempts to write data to a destination table that already contains data. The option is not available when you write destination data to Databricks Delta tables.

To return the error, toggle the setting to the on position.

To not return the error, toggle the setting to the off position.

Applying a filter to tables

For workspaces that use following data connectors, the table mode configuration for De-Identify mode includes an option to apply a filter to the table:

Configuring partitioning for the destination database

This option is only available for workspaces that use the following data connectors:

On the table mode configuration panel, you can use the Repartition or Coalesce option to indicate a number of partitions to generate.

By default, the destination database uses the same partitioning as the source database. The partition option is set to Neither.

The Repartition option allows you to provide a specific number of partitions to generate.

To use the Repartition option:

Click Repartition.
In the field, enter the number of partitions.

The Coalesce option allows you to provide a maximum number of partitions to generate. If the source data has fewer partitions than the number you specify, then Structural only generates that number. The Coalesce option should be more efficient than the Repartition option.

To use the Coalesce option:

Click Coalesce.
In the field, enter the number of partitions.

Creating and managing custom sensitivity rules

Required license: Enterprise

Required global permission: Create and manage sensitivity rules

Not available on Structural Cloud

By default, when you run a Structural security scan on a workspace, it looks for the .

You can also define custom sensitivity rules to identify other values and the corresponding recommended generator. Your data might include values that are specific to your organization.

Each custom sensitivity rule specifies:

The data type for matching columns
Text matching criteria for the names of matching columns
The recommended generator preset

Displaying the list of custom sensitivity rules

To display the current list of sensitivity rules, in the Tonic navigation menu, click Sensitivity Rules.

For each rule, the list includes:

The rule name and description
The recommended generator preset
When the rule was most recently modified

Filtering the rules

You can filter the rule list by the following:

Rule name
Rule description
Generator preset name
Name of the user who most recently updated the rule

In the filter field, start to type text from any of those values. As you type, the list is filtered to only include matching rules.

Note that when the list is filtered, you cannot change the display sequence of the rules.

Setting the rule sequence

Structural applies the rules based on their display order in the list.

If a column matches more than one rule, Structural applies the first matching rule.

To change the display order of a rule, drag and drop it to the new location in the list.

Note that you cannot change the rule sequence when the list is filtered.

Creating and editing a sensitivity rule

Creating a sensitivity rule

To create a sensitivity rule:

On the Sensitivity Rules view, click New Custom Rule.
Click Save.

Editing a sensitivity rule

To change the configuration of a sensitivity rule:

On the Sensitivity Rules view, click the edit icon for the rule.
Click Save.

Note that any changes to a sensitivity rule do not take effect until the next sensitivity scan.

Sensitivity rule configuration

Rule name and description

In the Name field, type the name of the sensitivity rule. The rule name becomes the sensitivity type for matching columns. The rule name must be unique, and also cannot match the name of a built-in sensitivity type.

Optionally, in the Description field, type a longer description of the sensitivity rule.

Data type

From the Data Type dropdown list, select the data type for matching columns. For example, a rule might only be used for columns that contain text.

The available data types are general types that map to specific data types in a given database. The available types are:

Array
Binary
Boolean
Continuous Numerical
Date Range
Datetime
Integer
JSON
MAC Address
Network Address
Text
UUID
XML

Column name criteria

Under Column Name Match, provide the criteria to identify matching columns based on the column name.

Note that a matching column must match the data type and the column name criteria.

Configuring text matching conditions

When you provide a list of text matching conditions, a matching column must match all of the conditions. In other words, the conditions are joined by AND.

To apply the same generator preset to columns that have completely different names, you must create separate sensitivity rules.

To create a list of text matching conditions:

Click Text Match.
To add a column name condition, click Add String Match.
For each condition:
1. From the comparison type dropdown list, select the type of comparison. For example, Contains, Starts with, Ends with.
2. In the comparison text field, provide the text to check for. The comparison text is case insensitive. For example, if you set a condition to match column names that contain the text term, it also matches column names that contain TERM or Term or tErM.
To remove a column name condition, click its delete icon.

Providing a regular expression

To use a regular expression to identify matching columns based on the column name:

Click Regular Expression.
In the field, provide the regular expression.

Generator preset to apply

From the Recommended Generator Preset dropdown list, select the generator preset that is the recommended generator for matching columns.

To search for a specific preset, begin to type the generator preset name.

Managing generator preset configuration

Required global permission: Create and manage generator presets

When you configure a sensitivity rule, you can also create a new generator preset or update the configuration of the selected generator preset.

To create a new generator preset, click Create Preset. On the generator preset details panel, provide the generator preset configuration, then click Create.

To edit the selected generator preset, click Edit Current Preset. On the generator preset details panel, update the generator preset configuration, then click Save and Apply.

Previewing the rule results

If you have access to a workspace, then you can use the workspace to preview the sensitivity rule results.

Under Test Results, from the workspace dropdown list, select the workspace to use.

Structural searches the workspace schema for matching columns based on the sensitivity rule configuration.

It displays any matching columns. You can filter the matching columns based on the table or column name.

For each matching column, the list includes:

The column name and table
A sample value from the source data. To see the sample source value, you must have the Preview source data permission for the workspace.
A sample replacement value, based on the selected generator preset for the sensitivity rule. To see the sample replacement value, you must have the Preview destination data permission for the workspace.

Deleting a sensitivity rule

To delete a sensitivity rule, on the Sensitivity Rules view, click the delete icon for the rule.

Note that existing generator recommendations for the rule remain in place until the next sensitivity scan.

Generator reference

This generator reference provides the details for each of the the supported generators in Tonic Structural.

Information provided for each generator

For each generator, the reference provides:

Overview description
A table that contains:
- Generator characteristics that you might want to take into account when you select the generator.
- The generator privacy ranking, which indicates the level of protection that the generator provides.
- The generator ID to use in the Structural API. The generator ID is linked to the API details for the generator.
Instructions for how to configure the generator

The generator characteristics include:

Consistency - Whether you configure the generator to base the the destination values on the source values.
Linking - Whether you can link columns that use the generator to indicate that there is a relationship between them.
Differential privacy - Whether the generator supports differential privacy, which ensures that the source value cannot be reverse engineered from the output value.
Data-free - Whether the generator is data-free, meaning that the output data is completely unrelated to the source data.
Allowed for primary keys - Whether you can assign the generator to primary key columns.
Allowed for unique columns - Whether you can assign the generator to columns that require unique values.
Uses format-preserving encryption (FPE) - Whether the generator uses FPE to encrypt the values.

The generators are in alphabetical order by the generator name.

Here are some groupings to help to identify generators that are used for different types of values. Generator hints and tips also provides some suggestions for generators to use for specific uses cases.

Composite generators

Transform data that uses complex formats or based on a condition. For more information, go to Composite generators.