ChangelogBook a demoSign up

Workspace management

This page covers core concepts. For prescriptive guidance on when to use each control and how to structure your organization, see Governance in Hightouch.

Hightouch's permission model is built around four concepts: organizations, workspaces, user groups, and roles. Understanding how they relate to each other is the foundation for configuring access correctly.

Organizational structure showing the relationship between organizations, workspaces, user groups, and roles

Organizations

An organization is the top-level entity in Hightouch. It represents your entire company and is the container for billing, SSO configuration, and user management. All workspaces belong to a single organization.

Workspaces

A workspace is a fully isolated partition within an organization. Each workspace has its own sources, destinations, models, syncs, audiences, and user roster. By design, nothing is shared across workspace boundaries — not even the connection to your data source.

Workspaces are commonly used to:

  • Separate staging and production environments
  • Isolate business units or regions that must not share resources or configuration

For most enterprise customers, a single production workspace is sufficient. Hightouch's internal governance controls — including user groups, roles, subsets, and Spaces — allow different teams, regions, or brands to operate within a shared workspace without interfering with each other.

User groups

A user group is a collection of users who share the same permissions. Access control in Hightouch is managed at the group level, not for individual users. This makes it easier to keep permissions consistent and to update access as team structures change.

User groups are created within an organization and can be granted access to one or more workspaces. Users can belong to multiple groups and inherit the combined permissions from all of their assigned groups.

In most cases, user-to-group mappings are managed through your identity provider via SSO and SCIM. If SSO is not configured, user groups and memberships can be managed manually in the Hightouch app.

See: User groups

Roles

A role defines what actions a user group can perform within a workspace. User groups aggregate users; roles define the scope of what those users can do.

Hightouch offers two types of roles:

  • Pre-built roles — apply broadly to all resources in a workspace. These are the right starting point for most teams.

    • Admin — full grants across the workspace, typically assigned to data or IT teams
    • Editor — can create and configure resources, but cannot delete or update existing source and destination configurations
    • Viewer — read-only access across the workspace
    • Draft Contributor — can create and propose changes, but cannot publish; all changes require approval before going live

  • Custom roles — provide granular, per-resource control. Custom roles let you define specific permissions for individual sources, destinations, and Customer Studio parent models. Useful when pre-built roles are not flexible enough for a large or complex workspace.

See: Roles

Next steps

Ready to get started?

Jump right in or a book a demo. Your first destination is always free.

Book a demoSign upBook a demo

Need help?

Our team is relentlessly focused on your success. Don't hesitate to reach out!

Feature requests?

We'd love to hear your suggestions for integrations and other features.

Privacy PolicyTerms of Service

Last updated: Mar 11, 2026

On this page
  • Organizations
  • Workspaces
  • User groups
  • Roles
  • Next steps

Was this page helpful?