
Access & Security

What kind of permissions does Tecton need?

When choosing a deployment model, you may opt for a design that gives Tecton access to a dedicated VPC within your account. This gives Tecton permissions to deploy and maintain the system in your account, while ensuring that your data never leaves your environment. The sub-account allows us to have these privileges in a way that does not affect any of your other accounts. To see the specific requirements per deployment model, please refer to the deployment options section of our documentation.

Will my data have to be stored outside the cloud infrastructure that I already own?

We have two deployment models. The most common is our SaaS deployment model. We also provide a VPC deployment model.

With the SaaS Deployment model, your Tecton cluster is split between an AWS account managed by Tecton and an AWS account managed by your company. All data processing and feature data at rest, including materialized views, will live and stay in your AWS account. Only Tecton's metadata and core services live in Tecton's account.

With VPC Deployment, your Tecton cluster runs in an AWS sub-account owned by you. All of the data processing and storage stays within this account. You grant Tecton administrative access to an AWS sub-account that you own. Tecton accesses this sub-account to manage the provisioning of the right infrastructure components (VPCs, instances, etc.). Software upgrades are taken care of by Tecton.

What SSO support do you provide (e.g., Microsoft Office 365)?

Tecton integrates with Okta, and Okta can integrate with any SSO provider.

What is the access control mechanism for Tecton CLI and the web interface?

The access pattern for both is via Okta.

How are API tokens granted for service accounts?

It is possible to create a bot account or manually issue a token. Users with admin access are able to create/delete tokens via the CLI.