Understand Sprinto permissions and resource access
Learn how Sprinto uses read-only permissions from your integrated services to run compliance checks securely and transparently.
Sprinto relies on permissions from your integrated services to evaluate automated checks and collect evidence for your compliance programme. These permissions allow Sprinto to:
Assess and monitor system configurations
Collect evidence for compliance frameworks
Provide additional functionality, such as sending notifications through Slack or Teams, or pushing tasks to Jira
In some cases, Sprinto uses trusted partners such as Merge or Truto to streamline data mapping via their API endpoints.
Does Sprinto access or modify data?
By default, Sprinto requests read-only access to integrated services. This ensures Sprinto can monitor configurations and run compliance checks without modifying your data.
In limited cases, Sprinto requires additional permissions. Examples include:
Sending notifications on Slack or Teams
Creating Jira tasks
Creating CloudWatch alarms in AWS
Sprinto does not store or modify customer data. We comply with leading industry standards such as SOC 2 Type II, ISO 27001, and GDPR. For details, visit the Sprinto Trust Centre.
Permissions access and usage
The following sections describe the permissions Sprinto requests from commonly used integrations. Each table lists:
Permission: The authorisation Sprinto requires
Resources: The endpoints Sprinto uses
Purpose: Why Sprinto requires access
Sprinto checks: The checks mapped to each permission
You can view all available checks on your account in the Check configuration page.
Google Cloud Platform (GCP)
Sprinto requests read-only access to GCP resources to monitor configurations. Sprinto does not read any stored or processed data.
Permission: Security Reviewer
Resources: Service accounts, users, Firestore, projects, Cloud Storage buckets, Cloud SQL instances, GKE clusters, BigQuery datasets, KMS keys, log sinks, essential contacts
Purpose: Fetch resources and monitor vulnerabilities
Sprinto checks: Cloud SQL should be encrypted, Firestore read/write frequency monitored, VPC subnet flow logs captured, service account keys rotated, offboarded user access removed
Permission: Compute Viewer
Resources: Compute instances, VPC networks, firewalls, instance groups
Purpose: Manage infrastructure and compute resources
Sprinto checks: VPC subnet flow logs captured, compute instance CPU monitored, compute instance protected from direct internet traffic
Amazon Web Services (AWS)
Sprinto requests read-only access to AWS resources. Sprinto does not read data from AWS databases.
Permission: SecurityAudit
Resources: Security groups, EC2, RDS, S3, IAM users/groups, CloudTrail, GuardDuty, load balancers, VPCs
Purpose: Monitor compliance and vulnerabilities
Sprinto checks: CloudTrail enabled, S3 buckets encrypted and versioned, MFA enabled for root and users, GuardDuty enabled, offboarded user access removed
Permission: CloudWatchFullAccess
Resources: CloudWatch
Purpose: Monitor service health
Sprinto checks: RDS CPU/memory utilisation monitored, DynamoDB latency monitored, EC2 instance CPU monitored, load balancer latency monitored
Permission: AWSSSODirectoryReadOnly / AWSSSOReadOnly
Resources: SSO users and permissions
Purpose: Manage user access
Sprinto checks: Offboarded user access removed
Permission: LightsailFullAccess (user created)
Resources: Lightsail instances, disks, alarms
Purpose: Manage compute/storage
Sprinto checks: Lightsail disk encrypted, Lightsail instance CPU monitored
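The AWS section above grants mostly read-only managed policies plus two write-capable ones (CloudWatchFullAccess and the customer-created LightsailFullAccess). Before and after connecting any third-party integration, it is worth confirming that the role you created carries exactly the policies the vendor documents and nothing broader. The following is an added example written for this article; it is not Sprinto tooling. It audits an exported list of attached managed-policy names against the allow-list taken from the table above, and scans a policy document for actions that are not read-only. The IAM action-verb classification is a heuristic (IAM has no formal read-only marker in action names), and the sample attached policies and inline policy document are constructed for illustration.

```python
"""Audit an integration role for least privilege (added example, offline).

Works on data you export yourself, e.g. the output of
`aws iam list-attached-role-policies` and `aws iam get-role-policy`.
"""
import json
import re

# Managed policies the article says Sprinto requests for AWS.
EXPECTED_MANAGED_POLICIES = {
    "SecurityAudit",
    "CloudWatchFullAccess",
    "AWSSSODirectoryReadOnly",
    "AWSSSOReadOnly",
    "LightsailFullAccess",  # customer-created, per the article
}

# Heuristic: IAM action verbs that only read. Anything else is treated as
# write-capable and reported for review.
READ_ONLY_VERBS = re.compile(
    r"^(Describe|Get|List|Lookup|BatchGet|Search|Check|Scan|Query|Select|Head|View|Read)"
)


def unexpected_policies(attached_policy_names):
    """Return attached managed-policy names that are not on the allow-list."""
    return sorted(set(attached_policy_names) - EXPECTED_MANAGED_POLICIES)


def write_capable_actions(policy_doc):
    """Return every Allow action in an IAM policy document that is not read-only.

    Accepts a dict or a JSON string. Wildcard actions ("*" or "svc:*") are
    always reported, because they grant writes by definition.
    """
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # single statement not wrapped in a list
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                found.add(action)
                continue
            _service, _, verb = action.partition(":")
            if not READ_ONLY_VERBS.match(verb):
                found.add(action)
    return sorted(found)


# Constructed sample data (not real account output).
SAMPLE_ATTACHED = ["SecurityAudit", "CloudWatchFullAccess", "AdministratorAccess"]
SAMPLE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketEncryption", "iam:ListUsers"], "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:PutMetricAlarm", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("Unexpected managed policies:", unexpected_policies(SAMPLE_ATTACHED))
    print("Write-capable actions:", write_capable_actions(SAMPLE_INLINE_POLICY))
```

Run against real exports, the first function catches an over-broad policy such as AdministratorAccess being attached alongside the documented ones, and the second surfaces write actions (here `cloudwatch:PutMetricAlarm`, which matches the "creating CloudWatch alarms" exception the article describes) so you can decide whether each one is expected. The same approach applies to the GCP section: compare the service account's role bindings against Security Reviewer and Compute Viewer.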
Microsoft Azure DevOps
Sprinto requests read-only access to Azure DevOps resources. Sprinto does not read code from repositories.
Permission: vso.code
Resources: Repositories, policies
Purpose: Manage change management
Sprinto checks: Code changes peer-reviewed, peer review enforced
Permission: vso.build
Resources: Pull requests, builds, artefacts
Purpose: Manage build and vulnerability checks
Sprinto checks: Peer review enforced, dependency scanner SLScan running
Permission: vso.memberentitlementmanagement
Resources: User entitlements, projects
Purpose: Manage user access
Sprinto checks: User identified, offboarded user access removed
Microsoft Azure
Sprinto requests read-only access to Azure resources. Sprinto does not read stored data.
Permission: Directory.Read.All
Resources: Users, groups, apps, SQL databases, Cosmos DB, AKS, Key Vaults, storage accounts, Redis cache, Databricks, Defender alerts
Purpose: Monitor vulnerabilities and user access
Sprinto checks: SQL database encrypted, storage account TLS ≥ 1.2, web app redirects HTTP to HTTPS, offboarded user access removed
Permission: Admin consent
Resources: Users, metric alerts
Purpose: Fetch data at organisation level
Sprinto checks: All Directory.Read.All checks apply
Bitbucket
Sprinto requests read-only access to Bitbucket resources. Sprinto does not read stored code.
Permission: team
Resources: Workspaces, members, groups
Purpose: Manage user access
Sprinto checks: User identified, MFA enabled, offboarded user access removed
Permission: pullrequest
Resources: Pull requests, activities, artefacts
Purpose: Monitor change management
Sprinto checks: Peer review enforced
Permission: repository
Resources: Repositories, branches
Purpose: Classify code repositories
Sprinto checks: Dependency scanner SLScan running
Permission: repository:admin
Resources: Branch restrictions
Purpose: Enforce protections
Sprinto checks: Branch protection rules enforced
GitLab
Sprinto requests read-only access to GitLab resources. Sprinto does not read stored code.
Permission: read_api
Resources: Groups, repositories, merge requests, approval rules
Purpose: Manage change management and access
Sprinto checks: Repo classified, peer review enforced, MFA enabled
Permission: read_repository
Resources: Job artefacts
Purpose: Vulnerability management
Sprinto checks: Dependency scanner SLScan running
Permission: read_user
Resources: Projects, groups
Purpose: Validate user profiles
Sprinto checks: Supports other checks
Permission: profile
Resources: User profile data (OpenID)
Purpose: Supports compliance
Sprinto checks: Supports other checks
Google Workspace (GSuite) – Identity provider
Sprinto requests read-only access to Workspace resources. Sprinto does not read sensitive user details.
Permission: admin.directory.user.readonly
Resources: Users, tokens
Purpose: Manage access
Sprinto checks: User identified, MFA enabled, offboarded user access removed
Permission: admin.directory.customer.readonly
Resources: Customer details
Purpose: Validate connections
Sprinto checks: Supports other checks
Microsoft Office 365 – Identity provider
Permission: User.Read.All
Resources: User profiles
Purpose: Manage access
Sprinto checks: User identified, offboarded user access removed
Permission: Organization.Read.All
Resources: Organisation details
Purpose: Validate connections
Sprinto checks: Supports other checks
Permission: Reports.Read.All
Resources: Usage reports
Purpose: Monitor compliance
Sprinto checks: MFA enabled
Access-management integrations
Sprinto uses trusted partners (e.g., Truto) for identity and access management integrations.
Figma
Authorisation: SCIM
Access: Users
Checks: User identified, offboarded user access removed
Typeform
Authorisation: OAuth 2.0
Access: Users, workspaces
Checks: User identified, offboarded user access removed
Grafana
Authorisation: API token
Access: Users
Checks: User identified, offboarded user access removed
OpenVPN
Authorisation: OAuth client credentials
Access: Users, groups
Checks: User identified, offboarded user access removed
Jira
Authorisation: OAuth 2.0
Access: Users, groups, project roles
Checks: User identified, offboarded user access removed
Confluence
Authorisation: OAuth 2.0
Access: Users, groups
Checks: User identified, offboarded user access removed
Support
If you need help granting permissions or have questions about specific integrations, contact Sprinto Support.