Tonic Structural uses permissions and permission sets to manage role-based access (RBAC) to Structural features and functions.
A permission grants access to a specific feature or function.
A permission set is a collection of permissions that can be assigned to a user or an SSO group.
Structural provides a set of built-in permission sets that you cannot edit or delete.
The Enterprise license plan also allows you to create custom permission sets.
Global permission sets control access to features and functions that are outside of the context of a specific workspace. For example, global permissions control who can manage users and configure environment settings.
For the lists of built-in global permission sets and available permissions, go to #permission-sets-builtin-global and #permissions-global.
For information on how to assign global permission sets, go to Configuring access to global permission sets and Setting initial access to all global permissions.
You can also select a default global permission set to assign to all new users.
Workspace permission sets provide access to specific workspace management features and functions.
Workspace permission sets are assigned to users and groups within the context of a specific workspace. For example, a user might have the Editor permission set in one workspace and the Viewer permission set in another workspace.
For the lists of built-in workspace permission sets and available permissions, go to #permission-sets-builtin-workspace and #available-workspace-permissions.
For information on how to assign workspace permission sets, go to Assigning workspace permission sets.
You can also select a default workspace permission set to assign to workspace owners.
The following tables list the available global permissions, and indicate how the permissions apply to the built-in global permission sets.
Permission | General User | Admin and Admin (Environment) | Account Admin |
---|---|---|---|
The following table lists the available workspace permissions, and indicates how the permissions apply to the built-in workspace permission sets.
Required license: Enterprise
Required global permission:
Manage access to Tonic Structural and to any workspace
View organization users. This permission is only required for the Tonic Structural application. It is not needed when you use the Structural API.
From the Global Permission Sets list, you can grant or revoke access to a global permission set. Global permission sets can be assigned to individual users and to SSO groups.
Access to workspace permission sets is managed from Workspaces view. For more information, go to Assigning workspace permission sets.
You cannot change the assignment of the following global permission sets:
The global permission set that is assigned to all Structural users. Initially, this is the General User permission set, but it can be changed to a different permission set.
The built-in Admin (Environment) global permission set
Before you assign a global permission set to an SSO group, make sure that you are aware of who is in the group. The permissions that are granted to an SSO group automatically are granted to all of the users in the group. For information on how to configure Structural to filter the allowed SSO groups, go to Synchronizing SSO groups with Tonic Structural.
To manage the permission set assignment:
On the Global Permission Sets list, for the permission set to manage, click Manage Access.
To grant access to a user or group:
Begin to type the user or group name.
In the list of matching users or groups, click the user or group name.
To remove access from a user or group, click Undo for that user or group.
To save the changes to the permission set access, click Save.
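The check recommended above, knowing who is in an SSO group before you grant it a global permission set, can be run offline against exported lists. The following is an added example, not code from Tonic or the Structural API. It assumes that a user's access is the union of every permission set assigned to them; the users, groups, and the custom permission set are constructed, and the permission names are taken from this page.

```python
from collections import defaultdict

# Constructed sample data. Users, groups and the custom set are hypothetical;
# permission names are copied from this page.
PERMISSION_SETS = {
    "General User": {"Create workspaces", "View organization users"},
    "User Management (custom)": {
        "Manage user access to Tonic Structural and to any workspace",
        "Reset Tonic user passwords",
    },
}
ASSIGNED_TO_ALL_USERS = "General User"
SSO_GROUPS = {
    "data-platform": {"ana@example.com", "bo@example.com"},
    "all-engineering": {"ana@example.com", "bo@example.com", "cy@example.com"},
}
USER_ASSIGNMENTS = {"User Management (custom)": {"ana@example.com"}}
GROUP_ASSIGNMENTS = {"User Management (custom)": set()}


def effective_permissions(user, group_assignments=GROUP_ASSIGNMENTS):
    """Map each permission the user holds to the assignments that grant it.

    Assumption: a user's access is the union of every set assigned to them.
    """
    sources = defaultdict(set)
    for perm in PERMISSION_SETS[ASSIGNED_TO_ALL_USERS]:
        sources[perm].add("assigned to all users")
    for set_name, users in USER_ASSIGNMENTS.items():
        if user in users:
            for perm in PERMISSION_SETS[set_name]:
                sources[perm].add(f"user:{set_name}")
    for set_name, groups in group_assignments.items():
        for group in groups:
            if user in SSO_GROUPS.get(group, set()):
                for perm in PERMISSION_SETS[set_name]:
                    sources[perm].add(f"group:{group}")
    return dict(sources)


def preview_group_grant(set_name, group):
    """Return {user: permissions newly gained} if set_name is granted to group."""
    proposed = {name: set(groups) for name, groups in GROUP_ASSIGNMENTS.items()}
    proposed.setdefault(set_name, set()).add(group)
    gained = {}
    for user in sorted(SSO_GROUPS[group]):
        before = set(effective_permissions(user))
        after = set(effective_permissions(user, proposed))
        if after - before:
            gained[user] = after - before
    return gained


if __name__ == "__main__":
    preview = preview_group_grant("User Management (custom)", "all-engineering")
    for user, perms in preview.items():
        print(user, "would gain:", sorted(perms))
```

Users who already hold the permission set through a direct assignment do not appear in the preview, so the output lists only the accounts whose access would actually widen.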
Required license: Enterprise
Required global permission: Create and manage custom permission sets
Custom permission sets are not supported on Structural Cloud.
You can create custom global and workspace permission sets.
A custom permission set allows you to have more precise control over global and workspace permissions.
For example, you might want a workspace permission set that allows a user to configure the workspace but not run data generation. Or you might want to limit the types of workspace configuration that a user can change.
For global permissions, you might want a global permission set that allows a user to configure Tonic Structural data encryption and generator presets, but not manage Structural users.
To create a custom permission set:
On the workspace or global permission sets list, click the create permission set button.
On the permission set details panel, in the Permission Set Name field, type the name for the new permission set. Permission set names must be unique.
To base the permission set on an existing permission set, from Create from existing permission set, select the existing permission set to use. When you base the permission set on an existing permission set, Structural copies the permissions from the existing permission set to the new permission set. You can then update the selected permissions as needed. For example, you might want to create a workspace permission set that is nearly identical to the built-in Editor permission set, but that removes the option to generate data. You can base the new permission set on the Editor permission set, then remove the data generation permission. After you save the new permission set, it is not connected to the permission set that you used to obtain the initial set of permissions.
Select the permissions to grant to the permission set. If a permission checkbox is checked, then the permission is granted to the permission set. If a permission checkbox is not checked, then the permission is not granted to the permission set.
To save the new permission set, click Save.
For a global permission set, Structural prompts you to configure access to the new permission set. To display the access management panel for the permission set, click Manage User Access. To not manage access at that time, click Skip.
You cannot make any changes to a built-in permission set.
For a custom permission set, you can change the permission set name and adjust the assigned permissions.
To edit an existing custom permission set:
On the workspace or global permission sets list, click Settings.
On the permission set details panel, update the permission set configuration.
Click Save.
You can delete a custom permission set. You cannot delete a built-in permission set.
You cannot delete a permission set that is assigned to any users or groups. Before you can delete the permission set, you must remove the assignment.
To delete a custom permission set:
On the workspace or global permission sets list, click Settings.
On the permission set details panel, click Delete Permission Set.
On the confirmation panel, click Confirm.
Permission | General User | Admin and Admin (Environment) | Account Admin |
---|---|---|---|
Permission | Manager | Editor | Auditor | Viewer |
---|---|---|---|---|
Create and manage custom permission sets
✔️
Manage user access to Tonic Structural and to any workspace
✔️
✔️
Reset Tonic user passwords
✔️
✔️
Create workspaces
✔️
✔️
✔️
View organization users
✔️
✔️
✔️
Copy any workspace
✔️
✔️
Update the Tonic Structural license key
✔️
Update Tonic Structural
✔️
View summary usage metrics
✔️
✔️
Enable diagnostic logging
✔️
✔️
Create and manage generator presets
✔️
Create and manage sensitivity rules
✔️
Configure Tonic Structural data encryption
✔️
Manage environment settings
✔️
Configure workspace settings
✔️
View workspace settings
(Automatically granted with Configure workspace settings)
✔️
✔️
✔️
✔️
Copy workspace
✔️
Export and import workspace
✔️
✔️
Delete workspace
✔️
Manage file connector file groups
✔️
✔️
Create child workspaces
✔️
Share workspace access
✔️
✔️
Transfer workspace ownership
✔️
Preview source data
✔️
✔️
✔️
Preview destination data
✔️
✔️
✔️
Configure column generators
✔️
✔️
Configure column sensitivity
✔️
✔️
Assign table modes
✔️
✔️
Resolve schema change warnings
✔️
✔️
Run data generation
✔️
✔️
Run sensitivity scan
✔️
✔️
Run collection scan
✔️
✔️
Download job logs
✔️
✔️
✔️
Download Privacy Report
✔️
✔️
✔️
View the Protection Audit Trail
✔️
✔️
✔️
Download SqlLdr Files
✔️
✔️
Decrypt data API
✔️
Configure subsetting
✔️
✔️
Configure virtual foreign keys
✔️
✔️
Configure post-job scripts and webhooks
✔️
✔️
About permission sets
Overview of how permissions work in Structural
Built-in permission sets
Permission sets that are built into every Structural instance
Available permissions
Available global and workspace permissions
View permission set lists and details
View the lists and permission assignments for workspace and global permission sets
Configure custom permission sets
Create and manage custom global and workspace permission sets
Select default permission sets
Select the global permission set for all Structural users, and the workspace permission set for all workspace owners
Assign global permission sets
Determine the users and groups that have access to global permission sets
Set initial admin access
Identify the initial users who are granted the Admin permission set on a new self-hosted instance
Select Account Admins on Structural Cloud
Grant administrator access for an organization on Structural Cloud
Assign workspace permission sets
Grant workspace access to additional users
Tonic Structural comes with a set of built-in global and workspace permission sets. You cannot edit or delete the built-in permission sets.
When a new permission is added to Structural, it is also added to the appropriate built-in permission sets.
Structural comes with the following built-in global permission sets:
Admin - For self-hosted only. Provides complete access to all global permissions. The Admin permission set automatically receives any new global permissions.
Admin (Environment) - For self-hosted only. Identical to the Admin permission set. Only assigned to users and groups listed in the value of the environment variable TONIC_ADMINISTRATORS.
General User - Allows users to create workspaces. Also allows them to see other users in the organization, which is needed for workspace sharing and transfer, and to configure access to global permission sets. By default, the General User permission set is assigned to all Structural users and SSO groups.
Account Admin - For Structural Cloud only. An Account Admin is associated with a Structural Cloud organization. An Account Admin can remove and reset user passwords for the users in the organization. They can also manage access to any workspace for the organization, and download the usage report.
For information on the assigned global permissions for the built-in global permission sets, go to #permissions-global.
Structural comes with the following built-in workspace permission sets:
Manager - Provides complete access to all workspace permissions. The Manager permission set automatically receives all new workspace permissions. For instances with a Basic license, this is the only workspace permission set. By default, the Manager workspace permission set is assigned to workspace owners.
Editor - Requires a Professional or Enterprise license. An editor can view and update nearly every aspect of a workspace. They cannot rename or delete the workspace, change the connection information, or copy the workspace. The Editor permission set automatically receives appropriate new workspace permissions.
Auditor - Requires an Enterprise license. An auditor can view the workspace configuration, but cannot make any changes at all to it.
Viewer - Requires an Enterprise license. Similar to an auditor, a viewer can view but not edit the workspace configuration. However, they are further restricted in that they cannot:
View any of the data
View the Protection Audit Trail
Download the Privacy Report
Download job logs
For information on the assigned workspace permissions for the built-in workspace permission sets, go to #available-workspace-permissions.
Required license: Enterprise
Required global permission: Manage access to Tonic Structural and to any workspace
Each new Tonic Structural user is assigned a specific global permission set. Each workspace owner is assigned a specific workspace permission set.
By default, all Structural users are assigned the built-in General User global permission set.
You can also configure a different global permission set to assign to all Structural users.
The permission set cannot be removed.
When you choose a different permission set to assign to all users, users lose access to the previous permission set unless it was otherwise assigned to them.
To set the default global permission set to assign to all Structural users:
In the Structural heading, click Structural Settings.
On Structural Settings view, click Access Management, then click Global Permission Sets. On the Global Permission Sets list, the current permission set for all users is marked as Assigned to all users.
To select a different permission set, hover over the permission set row, then click Assign to all users.
The confirmation panel explains the risks of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.
Every workspace has an owner. When a user creates a workspace, they become the first owner. When the workspace is transferred, the selected user becomes the new owner.
All owners are assigned the same workspace permission set. The permission set cannot be removed from the workspace owner. It can be assigned to and removed from other users and SSO groups.
By default, the workspace permission set for owners is the built-in Manager workspace permission set. You can also select a different workspace permission set to assign to all owners.
When you change the permission set to assign to users, all owners are assigned the selected permission set. Unless an owner was otherwise assigned the previously selected permission set, they lose access to that permission set.
To set the workspace permission set to assign to workspace owners:
In the Structural heading, click Structural Settings.
On Structural Settings view, click Access Management, then click Workspace Permission Sets. On the Workspace Permission Sets list, the current permission set for workspace owners is marked by Always assigned to owner.
To select a different permission set, hover over the permission set row, then click Assign to all owners.
The confirmation panel explains the risks of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.
In a self-hosted instance of Tonic Structural, the default global permission set for Structural users is limited to creating workspaces.
Until you set the initial access to all global permissions, there is no way to manage or assign global permissions.
To set the initial access to all global permissions, you set the list of users or groups as the value of the environment setting TONIC_ADMINISTRATORS.
The users and groups are assigned the built-in Admin (Environment) permission set.
From the Global Permission Sets list:
You cannot revoke the built-in Admin (Environment) permission set from those users or groups.
You cannot assign the Admin (Environment) permission set to other users or groups.
To change the assigned users and groups, you update the value of TONIC_ADMINISTRATORS.
Update your to include the email addresses or SSO groups of the Structural users who should receive administrator access. The value can include both group names and user email addresses.
The should contain the TONIC_ADMINISTRATORS environment setting within the tonic_web_server configuration block. If not, pull the newest version.
In the file, under tonicai.web_server, edit the administrators property to include the email addresses of the Structural users who should receive administrator access.
To verify that you have the required version of the Helm charts, check that values.yaml contains the administrators line.
should contain a block for the TONIC_ADMINISTRATORS environment setting. If not, pull the newest version from our .
The built-in Account Admin global permission set is specific to Tonic Structural Cloud. It allows a user to manage workspaces, remove users, and reset user passwords within their Structural Cloud organization. They can also download the usage report for their Structural Cloud organization.
For information about the global permissions that are granted to the Account Admin permission set, go to #permissions-global.
The first user in a Structural Cloud organization is automatically granted the Account Admin permission set. They can then grant the Account Admin permission set to other users in the organization.
Your organization should have at least one user with the Account Admin permission set.
Required license: Professional or Enterprise
Required global permission - Either:
Create and manage custom permission sets
Manage user access to Tonic Structural and to any workspace
The Access Management tab of Structural Settings view includes the lists of global and workspace permission sets.
In the Tonic Structural heading, click Structural Settings.
On Structural Settings view, click Access Management.
On the Access Management tab:
Global Permission Sets contains the list of global permission sets.
Workspace Permission Sets contains the list of workspace permission sets.
The lists include:
The permission set name
Whether the permission set is built-in or custom
For custom permission sets, when it was most recently modified, and the user who modified it
On the Global Permission Sets list, the permission set that is assigned to all users is marked with Assigned to all users.
On the Workspace Permission Sets list, the permission set that is assigned to all workspace owners is marked with Always assigned to owner.
To view the details for a permission set, in the permission sets list, click Settings.
The details panel for a permission set includes:
The name of the permission set.
The permission configuration.