Access and Security
What kind of permissions does Tecton need?
When choosing a deployment model, you may opt for a design that gives Tecton access to a dedicated VPC within your account. This gives Tecton the permissions to deploy and maintain the system in your account while ensuring that your data never leaves your environment. The sub-account allows us to have these privileges in a way that does not affect any of your other accounts. To see the specific requirements per deployment model, please refer to the deployment options section of our documentation.
Will my data have to be stored outside the cloud infrastructure that I already own?
We have two deployment models. The most common is our SaaS deployment model. We also provide a VPC deployment model.
With the SaaS Deployment model, your Tecton cluster is split between a control plane account managed by Tecton and a data plane account managed by your company. All data processing and feature data at rest, including materialized views, will live and stay in your account. Tecton's metadata storage and services to manage job orchestration and real-time serving live in Tecton's account.
With VPC Deployment, your Tecton control and data plane both run in an account owned by you. All of the data processing and storage stays within this account. You grant Tecton administrative access to this account. Tecton will access this account to manage the provisioning of the right infrastructure components (VPCs, instances, etc.). Software upgrades are taken care of by Tecton.
What SSO support do you provide (e.g., Microsoft Office 365)?
Tecton supports integrating with SAML 2.0 or OpenID Connect (OIDC) compliant SSO providers (this includes Azure AD, Google, Okta, Microsoft, and others). Please open a support case to request setting up SSO.
What is the access control mechanism for Tecton CLI and the web interface?
The access pattern for both is via Okta.
How are API tokens granted for service accounts?
It is possible to create a bot account or manually issue a token. Users with admin access are able to create/delete tokens via the CLI.