Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Required license: Professional or Enterprise
Required global permission - Either:
Create and manage custom permission sets
Manager user access to Tonic and to any workspace
The Access Management tab of Tonic Settings view includes the lists of global and workspace permission sets.
In the Tonic Structural heading, click Tonic Settings.
On Tonic Settings view, click Access Management.
On the Access Management tab:
Global Permission Sets contains the list of global permission sets.
Workspace Permission Sets contains the list of workspace permission sets.
The lists include:
The permission set name
Whether the permission set is built-in or custom
For custom permission sets, when it was most recently modified, and the user who modified it
On the Global Permission Sets list, the permission set that is assigned to all users is marked with Assigned to all users.
On the Workspace Permission Sets list, the permission set that is assigned to all workspace owners is marked with Always assigned to owner.
To view the details for a permission set, in the permission sets list, click Settings.
The details panel for a permission set includes:
The name of the permission set.
The permission configuration.
The following tables list the available global permissions, and indicates how the permissions apply to the built-in global permission sets.
The following table lists the available workspace permissions, and indicates how the permissions apply to the built-in workspace permission sets.
Permission | General User | Admin and Admin (Environment) | Account Admin |
---|---|---|---|
Permission | General User | Admin and Admin (Environment) | Account Admin |
---|---|---|---|
Permission | General User | Admin and Admin (Environment) | Account Admin |
---|---|---|---|
Permission | General User | Admin and Admin (Environment) | Account Admin |
---|---|---|---|
Permission | Manager | Editor | Auditor | Viewer |
---|---|---|---|---|
Permission | Manager | Editor | Auditor | Viewer |
---|---|---|---|---|
Permission | Manager | Editor | Auditor | Viewer |
---|---|---|---|---|
Permission | Manager | Editor | Auditor | Viewer |
---|---|---|---|---|
Permission | Manager | Editor | Auditor | Viewer |
---|---|---|---|---|
Create and manage custom permission sets
✔️
Manage user access to Tonic and to any workspace
✔️
✔️
Reset Tonic user passwords
✔️
✔️
Create workspaces
✔️
✔️
✔️
View organization users
✔️
✔️
✔️
Copy any workspace
✔️
✔️
Update the Tonic license key
✔️
Update Tonic
✔️
View summary usage metrics
✔️
✔️
Enable diagnostic logging
✔️
✔️
Create and manage generator presets
✔️
Configure Tonic data encryption
✔️
Manage environment settings
✔️
Configure workspace settings
✔️
View workspace settings
(Automatically granted with Configure workspace settings)
✔️
✔️
✔️
✔️
Copy workspace
✔️
Export and import workspace
✔️
✔️
Delete workspace
✔️
Manage file connector file groups
✔️
✔️
Create child workspaces
✔️
Share workspace access
✔️
✔️
Transfer workspace ownership
✔️
Preview source data
✔️
✔️
✔️
Preview destination data
✔️
✔️
✔️
Configure column generators
✔️
✔️
Configure column sensitivity
✔️
✔️
Assign table modes
✔️
✔️
Resolve schema change warnings
✔️
✔️
Configure, train, and export models
✔️
✔️
Run data generation
✔️
✔️
Run sensitivity scan
✔️
✔️
Run collection scan
✔️
✔️
Download job logs
✔️
✔️
✔️
Download Privacy Report
✔️
✔️
✔️
View the Protection Audit Trail
✔️
✔️
✔️
Download SqlLdr Files
✔️
✔️
Decrypt data API
✔️
Configure subsetting
✔️
✔️
Configure virtual foreign keys
✔️
✔️
Configure post-job scripts and webhooks
✔️
✔️
Tonic Structural comes with a set of built-in global and workspace permission sets. You cannot edit or delete the built-in permission sets.
When a new permission is added to Structural, it is also added to the appropriate built-in permission sets.
Structural comes with the following built-in global permission sets:
Admin - For self-hosted only. Provides complete access to all global permissions. The Admin permission set automatically receives any new global permissions.
Admin (Environment) - For self-hosted only. Identical to the Admin permission set. Only assigned to users and groups listed in the value of the environment variable TONIC_ADMINISTRATORS
.
General User - Allows users to create workspaces. Also allows them to see other users in the organization, which is needed for workspace sharing and transfer, and to configure access to global permission sets. By default, the General User permission set is assigned to all Structural users and SSO groups.
Account Admin - For Structural Cloud only. An Account Admin is associated with a Structural Cloud organization. An Account Admin can remove and reset user passwords for the users in the organization. They can also manage access to any workspace for the organization, and download the usage report.
Structural comes with the following built-in workspace permission sets:
Manager - Provides complete access to all workspace permissions. The Manager permission set automatically receives all new workspace permissions. For instances with a Basic license, this is the only workspace permission set. By default, the Manager workspace permission set is assigned to workspace owners.
Editor - Requires a Professional or Enterprise license. An editor can view and update nearly every aspect of a workspace. The Editor permission set automatically receives appropriate new workspace permissions. They cannot rename or delete the workspace, change the connection information, or copy the workspace.
Auditor - Requires an Enterprise license. An auditor can view the workspace configuration, but cannot make any changes at all to it.
Viewer - Requires an Enterprise license. Similar to an auditor, a viewer can view but not edit the workspace configuration. However, they are further restricted in that they cannot:
View any of the data
View the Protection Audit Trail
Download the Privacy Report
Download job logs
Tonic Structural uses permissions and permission sets to manage role-based access (RBAC) to Structural features and functions.
A permission grants access to a specific feature or function.
A permission set is a collection of permissions that can be assigned to a user or an SSO group.
Global permission sets control access to features and functions that are outside of the context of a specific workspace.
Workspace permission sets provide access to specific workspace management features and functions.
Workspace permission sets are assigned to users and groups within the context of a specific workspace. For example, a user might have the Editor permission set in one workspace and the Viewer permission set in another workspace.
Structural provides a set of built-in permission sets that you cannot edit or delete.
The Enterprise license plan also allows you to create custom permission sets.
Required license: Enterprise
Required global permission:
Manage access to Tonic and to any workspace
View organization users. This permission is only required for the Tonic Structural application. It is not needed when you use the Structural API.
From the Global Permission Sets list, you can grant or revoke access to a global permission set. Global permission sets can be assigned to individual users and to SSO groups.
You cannot change the assignment of the following global permission sets:
The built-in Admin (Environment) global permission set
To manage the permission set assignment:
On the Global Permission Sets list, for the permission set to manage, click Manage Access.
To grant access to a user or group:
Begin to type the user or group name.
In the list of matching users or groups, click the user or group name.
To remove access from a user or group, click Undo for that user or group.
To save the changes to the permission set access, click Save.
Required license: Enterprise
Required global permission: Create and manage custom permission sets
You can create custom global and workspace permission sets.
A custom permission set allows you to have more precise control over global and workspace permissions.
For example, you might want a workspace permission set that allows a user to configure the workspace but not run data generation. Or you might want to limit the types of workspace configuration that a user can change.
For global permissions, you might want a global permission set that allows a user to configure Tonic Structural data encryption and generator presets, but not manage Structural users.
To create a custom permission set:
On the workspace or global permission sets list, click the create permission set button.
On the permission set details panel, in the Permission Set Name field, type the name for the new permission set. Permission set names must be unique.
To base the permission set on an existing permission set, from Create from existing permission set, select the existing permission set to use. When you base the permission set on an existing permission set, Structural copies the permissions from the existing permission set to the new permission set. You can then update the selected permissions as needed. For example, you might want to create a workspace permission set that is nearly identical to the built-in Editor permission set, but that removes the option to generate data. You can base the new permission set on the Editor permission set, then remove the data generation permission. After you save the new permission set, it is not connected to the permission set that you used to obtain the initial set of permissions.
Select the permissions to grant to the permission set. If a permission checkbox is checked, then the permission is granted to the permission set. If a permission checkbox is not checked, then the permission is not granted to the permission set.
To save the new permission set, click Save.
For a global permission set, Structural prompts you to configure access to the new permission set. To display the access management panel for the permission set, click Manage User Access. To not manage access at that time, click Skip.
You cannot make any changes to a built-in permission set.
For a custom permission set, you can change the permission set name and adjust the assigned permissions.
To edit an existing custom permission set:
On the workspace or global permission sets list, click Settings.
On the permission set details panel, update the permission set configuration.
Click Save.
You can delete a custom permission set. You cannot delete a built-in permission set.
You cannot delete a permission set that is assigned to any users or groups. Before you can delete the permission set, you must remove the assignment.
To delete a custom permission set:
On the workspace or global permission sets list, click Settings.
On the permission set details panel, click Delete Permission Set.
On the confirmation panel, click Confirm.
Access to workspace permission sets is managed from Workspaces view. For more information, go to .
The global permission set that is assigned to all Structural users. Initially, this is the General User permission set, but .
Before you assign a global permission set to an SSO group, make sure that you are aware of who is in the group. The permissions that are granted to an SSO group automatically are granted to all of the users in the group. For information on how to configure Structural to filter the allowed SSO groups, go to .
Required license: Enterprise
Required global permission: Manage access to Tonic and to any workspace
Each new Tonic Structural user is assigned a specific global permission set. Each workspace owner is assigned a specific workspace permission set.
By default, all Structural users are assigned the built-in General User global permission set.
You can also configure a different global permission set to assign to all Structural users.
The permission set cannot be removed.
When you choose a different permission set to assign to all users, unless they were otherwise assigned the previous permission set, they lose access to it.
To set the default global permission set to assign to all Structural users:
In the Structural heading, click Tonic Settings.
On Tonic Settings view, click Access Management, then click Global Permission Sets. On the Global Permission Sets list, the current permission set for all users is marked as Assigned to all users.
To select a different permission set, hover over the permission set row, then click Assign to all users.
The confirmation panel explains the risks of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.
Every workspace has an owner. When a user creates a workspace, they become the first owner. When the workspace is transferred, the selected user becomes the new owner.
All owners are assigned the same workspace permission set. The permission set cannot be removed from the workspace owner. It can be assigned to and removed from other users and SSO groups.
By default, the workspace permission set for owners is the built-in Manager workspace permission set. You can also select a different workspace permission set to assign to all owners.
When you change the permission set to assign to users, all owners are assigned the selected permission set. Unless an owner was otherwise assigned the previously selected permission set, they lose access to that permission set.
To set the workspace permission set to assign to workspace owners:
In the Structural heading, click Tonic Settings.
On Tonic Settings view, click Access Management, then click Workspace Permission Sets. On the Workspace Permission Sets list, the current permission set for workspace owners is marked by Always assigned to owner.
To select a different permission set, hover over the permission set row, then click Assign to all owners.
The confirmation panel explains the risks of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.