Search documentation...

K
ChangelogBook a demoSign up

Role-Based access control

Role-based access control is only available on Business tier plans.

Hightouch provides out-of-the-box role-based access control (RBAC) to govern what actions a user can take on workspace resources. All accounts come with the default Admin role. Business-tier customers can access the additional default roles and create custom roles as needed.

Users can be only assigned one role. When a user doesn't have sufficient privileges to a resource, the resource is grayed out in the UI.

What is a role?

A role consists of a set of policies defining access to resources in the workspace. A policy is a set of actions, resources, and conditions.

  • Actions represent the operations that specific roles can perform, for example, create, read, update, delete, etc.
  • Actions are performed on resources—sources, destinations, models, syncs, audiences, account management features, etc.
  • (Optional) Conditions determine how policies are applied, for example, you may restrict a policy to resources labeled project:marketing.

Default roles

All Hightouch workspaces come with the Admin role. These additional predefined roles are available on Business tier plans:

  • Admin: This role has unrestricted access to all resources in the workspace. Admins can also manage the workspace itself, including managing user membership and roles, creating new API keys, setting up custom storage, and configuring extensions with external services like Slack and PagerDuty.
  • Workspace editor: This role is for advanced business users who need full access to the workspace except for workspace settings, such as user membership and roles. The role has full read and write access to core resources in the workspace. This includes sources, destinations, models, audiences, and syncs. However, the role can't perform any workspace management.
  • Model + sync editor: This role is for users, such as business analysts, who regularly manage syncs and modify data. The role has read and write access to models, audiences, and syncs, but can't edit sources and destinations.
  • Sync editor: This role is for users, such as growth marketers, who regularly manage syncs, but don't need to modify data. The role has read and write access to syncs (including enabling syncs), but can't edit sources, destinations, and models.
  • Audience editor: This role is for users, such as lifecycle marketers, who regularly work with audiences. The role has read and write access to audiences and syncs, but can't edit sources, destinations, models, parent models, and non-audience syncs. It also can't enable syncs or trigger sync runs.
  • Source admin: This role is for users, such as data analysts, who need to set up data systems. The role has read and write access to sources and models, but can't edit destinations and syncs.
  • Destination admin: This role is for users, such as SaaS administrators, who need to set up downstream business systems. The role has read and write access to destinations, but can't edit sources, models, and syncs.
  • Workspace viewer: This role has read-only access to core resources in the workspace. This includes sources, destinations, models, audiences, and syncs. The role can't manage the workspace itself, such as changing workspace configurations.
  • Workspace draft contributor: This role is similar to a Workspace editor, except that they can edit sources. However, any edits they make to sources or models require approval before they can go live. Read about approval flows to learn more.
SourceModelDest.SyncAudienceAccount
AdminFullFullFullFullFullFull
Workspace editorFullFullFullFullFullNo Access
Model + sync editorReadFullReadFullFullNo Access
Sync editorReadReadReadFullFullNo Access
Audience editorReadReadReadLimitedFullNo Access
Source adminFullFullReadReadReadNo Access
Destination adminReadReadFullReadReadFull
Workspace viewerReadReadReadReadReadNo Access
Workspace draft contributorFullFull*FullFull*FullNo Access
  • Full permission indicates that this role can edit resources without approval.
  • Full* permission indicates that this role can edit resources but require approval before changes can go live.
  • Limited permission indicates that this role has read and write access to view and edit syncs, but it can't enable syncs or trigger sync runs.

Refer to the default role policies for a JSON description of each role.

The Workspace editor and Workspace viewer roles were previously named Editor and Viewer, respectively. You may noticed Editor and Viewer roles in workspaces created before September 2022.

Using roles with approval flows

Approval flows let Business tier customers stage new resources (models and syncs) and changes to existing resources in draft mode until an approver reviews them. Only Workspace Draft Contributors' changes require approval and all roles except Workspace Draft Contributor and Workspace Viewer can grant approval.

If you use approval flows, we recommend using the following roles only:

  • Admin - can grant approvals and handle account management
  • Workspace editor - can grant approvals
  • Workspace draft contributor - can author changes but requires approval

To learn more about how approval flows work, read the approval flows documentation.

Custom roles

For advanced Business tier customers, Hightouch exposes a custom role builder for workspace owners to create their own roles. Custom roles can reference resource labels, and are often used with label-based access control (LBAC).

LBAC combined with custom roles is geared for workspaces with especially sensitive data sets, companies that want finer control of their production syncs, or auditors who want to ensure that SOC2 compliance is maintained.

Customizing roles

To create a custom role in your workspace, go to the Roles tab in the Settings page.

Once there, you can create a new role by clicking on Add Role. You can also edit existing custom roles by clicking on the role name.

In the modal that appears, enter the Name for the custom role.

You can then choose to create role by toggling on the JSON Builder and entering JSON or selecting the role's permissions via checkboxes. If using the UI role builder, don't forget to click Add once you've selected all the role's permissions.

Using the UI role builder to create a new Marketing role

You can only add conditions using the JSON builder, not using the UI role builder.

JSON builder

When using the JSON builder, recall that each role is made of an array of policy objects described in JSON.

Each policy consists of:

  • An effect: either allow or deny
  • Actions: operations that users assigned to the role are able to complete
  • Resources: resources that those actions apply to
  • (Optional) Conditions: limitations on when to apply actions

This is an example of a custom role that allows full access to destinations, sources, models, and syncs that have been labeled project:marketing.

Refer to the label-based access control documentation to learn more about how to create roles with conditions.

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "destination",
        "source",
        "model",
        "sync"
      ],
      "conditions": {
        "labels.project": {
          "equals": "marketing"
        }
      }
    }
  ]
}

By default, all permissions are set to deny. An empty policies array means that all actions are denied.

Make sure to not edit the "version" date when creating a custom role.

Actions

Actions are operations that users are allowed to make. Hightouch supports permissions on basic CRUD actions for all resources and a set of granular actions for specific resources.

ActionDescriptionApplicable Resources
createPermission to add new resourcesAll
readPermission to view and use existing resourcesAll
updatePermission to edit existing resourcesAll
deletePermission to delete existing resourcesAll
previewPermission to view results of a modelSources and models
startPermission to trigger a manual syncSync only
enablePermission to trigger enable a syncSync only
debuggerPermission to view results of an existing syncSync only
testrowPermission to test a row in a syncSync only
approvePermission to approve changesSyncs and models
*Denotes all actionsAll

The read permission on a resource is required when another resource needs to use it, similar to access permissions in database systems. For example, for a role to create syncs, the role also needs read permission on sources and models.

Resources

ResourceDescription
workspaceCatch-all for workspace-level features like extensions
workspace_membershipPermission to invite users
sourceAccess to sources
destinationAccess to destinations
modelAccess to models
syncAccess to syncs
alertAccess to alerts on syncs
audienceAccess to individual audiences
audience_schemaAccess to audience setup, including parent models, event models, and related models
sync_templatesAccess to sync templates

Default role policies

Admin

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": "*"
    }
  ]
}

Workspace editor

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "destination",
        "source",
        "model",
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "workspace_membership",
        "alert"
      ]
    }
  ]
}

Model and sync editor

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": [
        "read",
        "preview"
      ],
      "resource": [
        "source",
        "destination"
      ]
    },
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "model",
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "alert"
      ]
    }
  ]
}

Sync editor

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "read",
      "resource": [
        "source",
        "destination",
        "model"
      ]
    },
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "alert"
      ]
    }
  ]
}

Audience editor

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "read",
      "resource": [
        "source",
        "destination",
        "model",
        "audience_schema",
        "sync_template",
        "alert"
      ]
    },
    {
      "effect": "allow",
      "actions": [
        "create",
        "read",
        "update"
      ],
      "resource": [
        "sync"
      ]
    },
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "audience"
      ]
    }
  ]
}

Source admin

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "source",
        "model"
      ]
    },
    {
      "effect": "allow",
      "actions": "read",
      "resource": [
        "destination",
        "sync",
        "sync_template",
        "audience",
        "workspace_membership",
        "workspace"
      ]
    }
  ]
}

Destination admin

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": "read",
      "resource": [
        "source",
        "model"
      ]
    },
    {
      "effect": "allow",
      "actions": "*",
      "resource": [
        "destination",
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "alert",
        "workspace_membership",
        "workspace"
      ]
    }
  ]
}

Workspace viewer

{
  "version": "2022-04-26",
  "policies": [
    {
      "effect": "allow",
      "actions": [
        "read"
      ],
      "resource": [
        "source",
        "destination",
        "model",
        "sync",
        "audience",
        "audience_schema",
        "sync_template",
        "workspace_membership",
        "alert"
      ]
    }
  ]
}

Ready to get started?

Jump right in or a book a demo. Your first destination is always free.

Book a demoSign upBook a demo

Need help?

Our team is relentlessly focused on your success. Don't hesitate to reach out!

Feature requests?

We'd love to hear your suggestions for integrations and other features.

Last updated: Sep 17, 2024

On this page

What is a role?Default rolesUsing roles with approval flowsCustom rolesCustomizing rolesDefault role policiesAdminWorkspace editorModel and sync editorSync editorAudience editorSource adminDestination adminWorkspace viewer

Was this page helpful?