Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Tonic Textual respects the access control policy of your single sign-on (SSO) provider. To access Textual, users must be granted access to the Textual application within your SSO provider.
Self-hosted instances can use any of the available SSO options. Textual Cloud organizations can enable Okta SSO.
To enable SSO, you first complete the required configuration in the SSO provider. You then configure Textual to connect to it. For self-hosted instances, you use Textual environment variables for the configuration. For a Textual Cloud organization, you use the Single Sign-On tab on the Permission Settings page.
After you enable SSO, users can use SSO to create an account in Textual.
For self-hosted instances, to only allow SSO authentication, set the environment variable REQUIRE_SSO_AUTH to true. For Textual Cloud, this is configured in the application. When SSO is required, Textual disables standard email/password authentication. All account creation and login is handled through your SSO provider. If multi-factor authentication (MFA) is set up with your SSO, then all authentication must go through your provider's MFA.
You can .
Tonic Textual supports the following SSO providers:
In Tonic Textual, each user belongs to an organization. Organizations are used to determine the company or customer that a Textual user belongs to.
A self-hosted instance of Textual contains a single organization. All users belong to that organization.
Textual Cloud hosts multiple organizations. The organizations are kept completely separate. Users from one Textual Cloud organization do not have any access to the users or datasets that belong to a different Textual Cloud organization.
The displays the organization that the user account belongs to.
A Textual organization is created:
If your company has a self-hosted Textual instance that is installed on-premises, then you navigate to the Textual URL for that instance.
Your self-hosted instance might be configured to use single sign-on for Textual access. If so, then from the Textual login page, to create your Textual user account, click the single sign-on option.
Otherwise, to create your Textual user account, click Sign Up.
Your administrator can provide the URL for your Textual instance and confirm the instructions for creating your user account.
If your Textual license is on Textual Cloud, then new users that have a matching email domain are automatically added to your Textual Cloud organization.
For a Textual Cloud license other than a pay-as-you-go license, the license agreement specifies the included email domains. When a user with a matching email domain signs up for a Structural account, they are added to that Textual Cloud organization.
For a pay-as-you-go Textual Cloud license, when a user with the same corporate email domain as the subscribed user signs up for a Textual account, they are added to that Textual Cloud organization.
To create your Textual user account, on the Textual Cloud login page, click Sign Up.
For a standard Textual license, both self-hosted and Textual Cloud, when the first user signs up for a Textual account.
When a user signs up for a free trial or pay-as-you go Textual Cloud license with a unique corporate email domain.
When a user signs up for a free trial or pay-as-you-go Textual Cloud license with a public email domain, such as Gmail or Yahoo. Every user with a public email domain is in a separate organization.
A self-hosted instance has a single organization. Every user who signs up for an account on that instance is added to the organization.
For companies with an annual Textual Cloud license, the license includes the email domains that are included in the license.
When a user with one of the included email domains signs up for a Textual account, they are automatically added to that organization.
For a pay-as-you-go license, when a user with the same corporate email domain signs up for a Textual account, they are automatically added to that organization.
Users with public email domains are always in separate organizations.
If you use SSO to manage Tonic Textual groups, then Textual displays the list of groups for which at least one user has logged in to Textual.
To display the SSO group list:
Click the user image at the top right.
In the user menu, click Permission Settings.
On the Permission Settings page, click Groups.
If no users from a group have logged in to Textual, then the group does not display in the list.
The list only displays the group names and indicates the SSO provider. To manage the group permissions:
To assign global permission sets, go to the Global Permission Sets list. For more information, go to .
To assign dataset permission sets, go to the Datasets page. For more information, go to .
Tonic Textual provides the following options to manage access to Textual and its features.
On Textual Cloud, after you complete the configuration in Okta, you configure the Textual connection to Okta from the Single Sign-On tab on the Permission Settings page.
To enable Okta SSO, check the Enable Okta SSO checkbox.
In the SSO Client ID field, enter the client identifier of the application.
In the SSO Domain field, enter the Okta domain.
If you use a third-party provider, then in the Identity Provider ID field, provide the provider identifier. If you do not use a third-party provider, then you can skip this field.
If you created a custom authorization server, then in the Authorization Server field, provide the server identifier. If you did not create a custom authorization server, then you can skip this field.
To require your organization users to use Okta SSO to log in to Textual, check the Require SSO for login checkbox.
To display the list of Textual users:
Click the user icon at the top right.
In the user menu, click Permission Settings.
In a self-hosted instance of Tonic Textual, the default global permission set for Textual users does not include the ability to manage or assign global permissions.
Until you set the initial access to all global permissions, there is no way to manage or assign global permissions.
To set the initial access to all global permissions, you set the list of users or groups as the value of the SOLAR_ADMINISTRATORS.
The users and groups are assigned the built-in Admin (Environment) permission set.
From the Global Permission Sets list:
You cannot revoke the built-in Admin (Environment) permission set from those users or groups.
On the Permission Settings page, click Users.
Okta configuration Required configuration within Okta.
Textual configuration (self-hosted) Required configuration to enable Okta on a self-hosted instance.
Textual configuration (Textual Cloud) Configuring Textual Cloud to use Okta SSO for an organization.
You cannot assign the Admin (Environment) permission set to other users or groups.
To change the assigned users and groups, you update the value of SOLAR_ADMINISTRATORS.
The Permission Settings page contains the lists of global and dataset permissions.
To display the Permission Settings page:
Click the user icon at the top right.
In the user menu, click Permission Settings.
On the Permission Settings page:
Global Permission Sets contains the list of global permission sets.
Dataset Permission Sets contains the list of dataset permission sets.
The lists include:
The permission set name.
Whether the permission set is built-in or custom.
For custom permission sets, when it was most recently modified, and the user who modified it.
To view the details for a permission set, in the permission sets list, click Settings.
The details panel for a permission set includes:
The name of the permission set.
The permission configuration.
Register Textual and create a new web redirect URI that points to your Textual instance's address and the path /sso/callback/azure.
Take note of the values for client ID and tenant ID. You will need them later.
Click Add a certificate or secret, and then create a new client secret. Take note of the secret value. You will need this later.
Navigate to the API permissions page. Add the following permissions for the Microsoft Graph API:
OpenId permissions
openid
profile
GroupMember
GroupMember.Read.All
User
User.Read
Click Grant admin consent for Tonic AI. This allows the application to read the user and group information from your organization. When permissions have been granted, the status should change to Granted for Tonic AI.
Navigate to Enterprise applications and then select Textual. From here, you can assign the users or groups that should have access to Textual.
After you complete the configuration in Azure, you uncomment and configure the required environment variables in Textual.
For Kubernetes, in values.yaml:
For Docker, in .env:
oktaClientId - The client identifier of the application.
oktaDomain - The Okta domain.
oktaIdentityProviderId - If you use a third-party provider, the provider identifier.
If you do not use a third-party provider, you can omit this.
For Docker, the settings are in .env:
SOLAR_SSO_OKTA_CLIENT_ID - The client identifier of the application.
SOLAR_SSO_OKTA_DOMAIN - The Okta domain.
SOLAR_SSO_OKTA_IDENTITY_PROVIDER_ID - If you use a third-party provider, the provider identifier.
If you do not use a third-party provider, then you can omit this.
For Homepage URL, enter https://textual.tonic.ai.
For Authorization callback URL, enter https://your-textual-url/sso/callback/github.
Replace your-textual-url with the URL of your Textual instance.
After you create the application, to create a new secret, click Generate a new client secret.
You use the client ID and the client secret in the Textual configuration.
After you complete the configuration in GitHub, you uncomment and configure the required environment variables in Textual.
For Kubernetes, in values.yaml:
For Docker, in .env:
# Github SSO Config
# -----------------
#githubClientId: <client-id>
#githubClientSecret: <client-secret># Azure SSO Config
# -----------------
#azureClientId: <client-id>
#azureTenantId: <tenant-id>
#azureClientSecret: <client-secret>
#azureGroupFilterRegex: <regular expression to identify allowed groups>#SOLAR_SSO_AZURE_CLIENT_ID=#<client ID>
#SOLAR_SSO_AZURE_TENANT_ID=#<tenant ID>
#SOLAR_SSO_AZURE_CLIENT_SECRET=#<client secret>
#SOLAR_SSO_AZURE_GROUP_FILTER_REGEX=#"<regular expression to identify allowed groups># Okta SSO Config
# -----------------
#oktaAuthServerId: <customer auth server if you have one>
#oktaClientId: <client-id>
#oktaDomain: <sso-domain>
#oktaIdentityProviderId: <identity-provider-id>
#oktaGroupFilterRegex: <regular expression to identify allowed groups>#SOLAR_SSO_OKTA_CLIENT_ID=#<client ID>
#SOLAR_SSO_OKTA_DOMAIN=#<SSO domain>
#SOLAR_SSO_OKTA_IDENTITY_PROVIDER_ID=#<third-party provider identifier>
#SOLAR_SSO_OKTA_GROUP_FILTER_REGEX="<regular expression to identify allowed groups>#SOLAR_SSO_GITHUB_CLIENT_ID=#<client ID>
#SOLAR_SSO_GITHUB_CLIENT_SECRET=#<client secret>You can create custom global and dataset permission sets.
A custom permission set allows you to have more precise control over global and dataset permissions.
For example, you might want a dataset permission set that allows a user to manage the files but not share or delete the dataset.
For global permissions, you might want a global permission set that allows a user to manage access to any dataset, but not manage Textual users.
To create a custom permission set:
On the global or dataset permission sets list, click the create permission set button.
On the permission set details panel, in the Permission Set Name field, type the name for the new permission set. Permission set names must be unique for that permission set type (global, dataset).
Select the permissions to grant to the permission set. If a permission checkbox is checked, then the permission is granted to the permission set. If a permission checkbox is not checked, then the permission is not granted to the permission set.
To save the new permission set, click
You cannot make any changes to a built-in permission set.
For a custom permission set, you can change the permission set name and adjust the assigned permissions.
To edit an existing custom permission set:
On the global or datasets permission sets list, click Settings.
On the permission set details panel, update the permission set configuration.
Click Save.
You can delete a custom permission set. You cannot delete a built-in permission set.
You cannot delete a permission set that is assigned to any users or groups. Before you can delete the permission set, you must remove the assignment.
To delete a custom permission set:
On the global or dataset permission sets list, click Settings.
On the permission set details panel, click Delete Permission Set.
On the confirmation panel, click Confirm.
Tonic Textual uses permissions and permission sets to manage role-based access (RBAC) to Textual features and functions.
A permission grants access to a specific feature or function.
A permission set is a collection of permissions that can be assigned to a user or an SSO group.
Textual provides a set of built-in permission sets that you cannot edit or delete.
You can also create custom permission sets.
For a global permission set, Textual prompts you to configure access to the new permission set. To display the access management panel for the permission set, click Manage User Access. To not manage access at that time, click Skip.
Global permission sets control access to features and functions that are outside of the context of a specific dataset. For example, global permission control who can manage users and configure custom entity types.
You can also select a default global permission set to assign to all new users.
For the list of global permission sets and available permissions, go to Built-in permission sets and available permissions.
For information on how to assign global permission sets, go to Configuring access to global permission sets.
Dataset permission sets provide access to specific dataset management features and functions.
Dataset permission sets are assigned to users and groups within the context of a specific dataset. For example, a user might have the Editor permission set in one dataset and the Viewer permission set in another dataset.
For the lists of built-in dataset permission sets and available permissions, go to Built-in permission sets and available permissions.
For information on how to assign dataset permission sets, go to Sharing dataset access.
Guided redaction permission sets provide access to specific guided redaction management features and functions.
Guided redaction permission sets are assigned to users and groups within the context of a specific project. For example, a user might have the Editor permission set in one project and the Viewer permission set in another project.
For the lists of built-in guided redaction permission sets and available permissions, go to Available guided redaction permissions.
For information on how to assign guided redaction permission sets, go to Sharing access to a guided redaction project.
About permissions and permission sets Learn how user access works in Textual.
Built-in permission sets and permissions Lists of the global and dataset permission sets and permissions that come with Textual.
Use these instructions to set up an OpenID Connect SSO provider for Tonic Textual.
When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.
You must also make note of the client_id. You must provide the client ID when you complete the configuration for Textual.
In your SSO provider, configure the following redirect URI:
Sign-in redirect URI: <textual-base-url>/sso/callback/oidc
After you set up the SSO provider, you uncomment and configure the required in Textual.
The application client identifier
For HTTP basic authentication (client_secret_basic), the client secret
The base URL of the provider. This is the location of /.well-known/openid-configuration
For Kubernetes, in values. yaml:
For Docker, in .env:
You can optionally uncomment and configure the following optional environment variables:
A space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Textual to capture group information, a custom scope must be configured.
The name of the claim that contains the user's first name.
The name of the claim that contains the user's last name.
The name of the claim that contains the user's email address or username.
Textual has default values for these settings:
For Kubernetes, in values.yaml:
For Docker, in .env:
Use these instructions to set up Google as your SSO provider for Tonic Textual.
Click Create credentials, located near the top.
Select OAuth client ID.
Select Web application as the application type.
Choose a name.
Under Authorized redirect URIs, add the URL of the Textual server with the endpoint /sso/callback/google.
For example, a local Textual server at http://localhost:3000 would need http://localhost:3000/sso/callback/google to be set as the redirect URI.
Also note that internal URLs might not work.
On the confirmation page, note the client ID and client secret. You will need to provide them to Textual.
After you complete the configuration in Google, you uncomment and configure the required in Textual.
The client ID
The client secret
For Kubernetes, in values.yaml:
For Docker, in .env:
From the Global Permission Sets list, you can grant or revoke access to a global permission set. Global permission sets can be assigned to individual users and to SSO groups.
Access to dataset permission sets is managed from the Datasets page. For more information, go to .
You cannot change the assignment of the following global permission sets:
The global permission set that is assigned to all Textual users. Initially, this is the General User permission set, but it can be changed to a different permission set.
The built-in Admin (Environment) global permission set.
Before you assign a global permission set to an SSO group, make sure that you are aware of who is in the group. The permissions that are granted to an SSO group automatically are granted to all of the users in the group.
To manage the permission set assignment:
On the Global Permission Sets list, for the permission set to manage, click Manage Access.
To grant access to a user or group:
Begin to type the user or group name.
In the list of matching users or groups, click the user or group name.
To remove access from a user or group, click Revoke for that user or group.
To save the changes to the permission set access, click Save.
The name of the claim that contains the user's group membership.
# OIDC SSO Config
# -----------------
#oidcClientId: <application client ID>
#oidcClientSecret: <client secret for HTTP basic authentication>
#oidcAuthority: <base URL of the provider>
#oidcGroupFilterRegex: <regular expression to identify allowed groups>#SOLAR_SSO_OIDC_CLIENT_ID=#<application client ID>
#SOLAR_SSO_OIDC_CLIENT_SECRET=#<client secret for HTTP basic authentication>
#SOLAR_SSO_OIDC_AUTHORITY=#<base URL of the provider>
#SOLAR_SSO_OIDC_GROUP_FILTER_REGEX=#<regular expression to identify allowed groups>#oidcScopes: openid profile email
#oidcFirstNameClaimName: given_name
#oidcLastNameClaimName: family_name
#oidcEmailClaimName: email
#oidcGroupsClaimName: groups#SOLAR_SSO_OIDC_SCOPES=#openid profile email
#SOLAR_SSO_OIDC_FIRST_NAME_CLAIM_NAME=#given_name
#SOLAR_SSO_OIDC_LAST_NAME_CLAIM_NAME=#family_name
#SOLAR_SSO_OIDC_EMAIL_CLAIM_NAME=#email
#SOLAR_SSO_OIDC_GROUPS_CLAIM_NAME=#groups# Google SSO Config
# -----------------
#googleClientId: <client-id>
#googleClientSecret: <client-secret>
#googleGroupFilterRegex: <regular expression to identify allowed groups>#SOLAR_SSO_GOOGLE_CLIENT_ID=#<client ID>
#SOLAR_SSO_GOOGLE_CLIENT_SECRET=#<client secret>
#SOLAR_SSO_GOOGLE_GROUP_FILTER_REGEX=#<regular expression to identify allowed groups>Use these instructions to set up Keycloak as your SSO provider for Tonic Textual.
Within Keycloak, select the realm to use for your Textual client. Under Clients, click Create client.
On the Create client page, under General Settings:
From the Client type dropdown list, select OpenID Connect.
Enter a Client ID and Name.
Click Next.
On the Capability Config tab, click Save. The details page for the new client displays.
On the Settings tab, under Access settings, enter your Textual URL information.
Click Client scopes. Each client has a dedicated scope named <client-id>-dedicated. To configure the scope, click the scope name.
On the Mappers tab, to add a property mapper to the scope, click Configure a new mapper.
In the list of mapper types, click Group Membership.
Under Add mapper, set both Name and Token Claim Name to groups.
The Full group path toggle affects how child groups appear in Tonic:
When on, child groups display as parent group/child group.
When off, child groups display as child group.
To save the new group membership mapper, click Save.
After you complete the configuration in Keycloak, you uncomment and configure the required in Textual.
The realm URL
The client identifier
The client secret, if client authentication is enabled
For Kubernetes, in values.yaml:
For Docker, in .env:
The environment variable SOLAR_SSO_KEYCLOAK_DISABLE_PUSHED_AUTHORIZATION determines whether to disable Keycloak pushed authorization requests.
By default, this is false.
You would set this to true to troubleshoot Keycloak authentication issues.
You can configure:
The global permission set that is assigned to all Tonic Textual users.
The dataset permission set to assign to a user who creates a dataset.
By default, all Textual users are assigned the built-in General User global permission set. You can configure a different global permission set to assign to all Textual users.
The permission set cannot be removed.
When you choose a different permission set to assign to all users, unless they were otherwise assigned the previous permission set, they lose access to it.
To set the default global permission set to assign to all Textual users:
Click the user icon at the top right.
In the user menu, click Permission Settings.
On the Permission Settings page, click Global Permission Sets. The current permission set for all users is marked as Assigned to all users.
To select a different permission set, hover over the permission set row, then click Assign to all users
The confirmation panel explains the risks of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.
By default, when a user creates a dataset, they are assigned the built-in Editor dataset permission set. You can configure a different dataset permission set to assign when a database is created.
Changing the selected permission set does not affect existing datasets. It only applies to datasets that are created after the change.
To select a different permission set for dataset creation:
Click the user icon at the top right.
In the user menu, click Permission Settings.
On the Permission Settings page, click Dataset Permission Sets. The current permission set for database creators is marked Assigned on dataset creation.
To select a different permission set, hover over the permission set row, then click
Default permission set for users who create projects.
By default, when a user creates a guided redaction project, they are assigned the built-in Editor guided redaction permission set. You can configure a different guided redaction permission set to assign to the user who creates a project.
Changing the selected permission set does not affect existing projects. It only applies to projects that are created after the change.
To select a different permission set for guided redaction project creation:
Click the user icon at the top right.
In the user menu, click Permission Settings.
On the Permission Settings page, click Guided Redaction Permission Sets. The current permission set for project creators is marked Assigned on project creation.
To select a different permission set, hover over the permission set row, then click
# Keycloak SSO Config
# -----------------
#keycloakClientId: <client-id>
#keycloakClientSecret: <client-secret>
#keycloakAuthority: <authority-url>
#keycloakGroupFilterRegex: <regular expression to identify allowed groups>#SOLAR_SSO_KEYCLOAK_AUTHORITY=#<keycloak_url_with_scheme>/realms/<realm_name>
#SOLAR_SSO_KEYCLOAK_CLIENT_ID=#<client identifier>
#SOLAR_SSO_KEYCLOAK_CLIENT_SECRET=#<client secret>
#SOLAR_SSO_KEYCLOAK_GROUP_FILTER_REGEX=#<regex to identify allowed groups>The confirmation panel explains the risk of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.
The confirmation panel explains the risk of making this change. To confirm the change:
Check I have read and understand the risks.
Click Confirm.
Tonic Textual comes with a set of built-in global, dataset, and guided redaction permission sets. You cannot edit or delete the built-in permission sets.
Each permission is assigned Textual permissions. When a new permission is added to Textual, it is also added to the appropriate built-in permission sets.
Textual comes with the following built-in global permission sets:
Admin - Provides complete access to all global permissions. The Admin permission set automatically receives any new global permissions.
Admin (Environment) - For self-hosted only. Identical to the Admin permission set. Only assigned to users and groups listed in the value of the TEXTUAL_ADMINISTRATORS.
General User - Allows users to create datasets and custom entity types. Users can also use the Home page and the Request Explorer. By default, the General User permission set is assigned to all Textual users and SSO groups.
The following tables list the available global permissions, and indicate how the permissions apply to the built-in global permission sets.
Textual comes with the following built-in permission sets:
Editor - A dataset Editor has full access to view, edit, and share access to a dataset. When you create a dataset, you are automatically granted the Editor permission set for that dataset.
Viewer - A dataset Viewer only has access to view the configuration and to preview and download the results.
The following tables list the available dataset permissions, and indicate how the permissions apply to the built-in dataset permission sets.
Textual comes with the following built-in guided redaction permission sets:
Editor - An Editor has almost full access to a guided redaction project. The one permission an Editor does not have is the permission to review redactions. When you create a project, you are assigned the Editor permission set.
Viewer - A Viewer can view project settings, change statuses, and review redactions.
The following tables list the available guided redaction permissions, and indicate how the permissions apply to the built-in guided redaction permission sets.
Create redaction reference codes
✔
Edit redaction reference codes
✔
Create guided redaction status values
✔
Edit guided redaction status values
✔
View usage metrics
✔️
Download redacted dataset files
✔️
✔️
Preview project files
✔
✔
Create an API key
✔️
✔️
Use the playground on the Home page
✔️
✔️
Use the API to parse or redact a text string
✔️
✔️
Use the Request Explorer
✔️
Create custom entity types
✔️
✔️
Edit any custom entity type
✔️
Create datasets
✔️
✔️
Manage access to datasets
✔️
View all datasets
✔️
Use guided redaction projects
✔
✔
Create guided redaction projects
✔
✔
Control access to all guided redaction projects
✔
View all guided redaction projects
Manage custom permission sets
✔️
Manage access to global permission sets
✔️
View users and groups
✔️
✔️
Manage users and user groups
View dataset settings
✔️
✔️
Edit dataset settings
✔️
Share dataset access
✔️
Delete a dataset
✔️
Upload files to a dataset
✔️
Start a scan of dataset files
✔️
✔️
Delete files from a dataset
✔️
Preview redacted dataset files
✔️
✔️
View project settings
✔
✔
Edit project settings
✔
Share project access
✔
Delete a project
✔
Upload files to a project
✔
Download project files
✔
✔
Delete files from a project
✔
Edit file redactions
✔
Manage comments
✔
Review redactions
✔
View audit log
✔
✔
✔️
✔
✔️
To enable Okta as your SSO provider for Tonic Textual, you first complete the following configuration steps within Okta:
Create a new application. Choose the OIDC - OpenId Connect method with the Single-Page Application option.
Click Next, then fill out the fields with the values below:
App integration name: The name to use for the Textual application. For example, Textual, Textual-Prod, Textual-Dev.
Grant type: Implicit (hybrid)
Sign-in redirect URIs: For self-hosted instances, <base-url>/sso/callback/okta.
For Textual Cloud, on the Permission Settings page, the sign-in redirect URL is displayed on the Single Sign-On tab. Copy the value from there and paste it into the field.
Base URIs: The URL to your Textual instance
Controlled access: Configure as needed to limit Textual access to the appropriate users
After saving the above, navigate to the General Settings page for the application and make the following changes:
Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.
Login initiated by: Either Okta or App
Make a note of the following values that must be provided to Textual:
Client ID of the application:
Your Okta domain (for example, tonic.okta.com)
Application visibility: Check Display application icon to users
Initiate login URI: <base-url>
IdP ID (If you use an outside identity provider):
