Labels are structured as key/value pairs. For example, common keys include project, env, folder, and campaign. Values are attached to keys. Values for an env key could include dev, staging, and prod.
You can apply labels to any top-level resources, including sources, models, syncs, etc. Labels apply across all resources in the same workspace. For example, project labels applied to models can also be used for sources.
When viewing a top-level resource page, for example, the syncs page, you can select to Filter by labels, as well as other options like which user created the resource.
When filtering by label, you can filter all resources that include or exclude particular key/value pairs or keys.
You can restrict access to resources based on labels by creating custom roles. Label-based access is specified through a policy's conditions property. A policy is a JSON object defining the set of actions that users can take on resources. Read the role-based access control documentation to learn more about how a policy is structured.
Once you've specified a reference, you need to write a boolean statement to complete your condition. The boolean statement is also a key/value pair. The key is the boolean operator and the value is the operand.
Hightouch supports the following operators:
Operator
Description
Applicable Resources
in
Label is a member of an array
All
notin
Label is not a member of an array
All
equals
Label exactly matches pattern
All
greaterthan
Label is greater than a value
All
lessthan
Label is less than a value
All
exists
Label refers to a resource that exists
All
The following are some example boolean statements:
"equals": "marketing" evaluates whether the label matches "marketing"
"exists": true evaluates whether the label exists
"in": ["Marketing", "Sales"] evaluates whether the resource's labels matches any of the items in the array
In this example, the Lifecycle Team Collaborator role has access to syncs that connect to destinations that have been the label team:lifecycle.
They can create syncs, but are only allowed read-access to destinations with the team:lifecycle label. Therefore, they can only access syncs connected to destinations with that label. Specifically, they can read, update, start, enable, and debug syncs connected to destinations with the team:lifecycle label. They have full-access to audiences.