# Understand Sprinto permissions and resource access

Sprinto relies on permissions from your integrated services to evaluate automated checks and collect evidence for your compliance programme. These permissions allow Sprinto to:

* Assess and monitor system configurations
* Collect evidence for compliance frameworks
* Provide additional functionality, such as sending notifications through Slack or Teams, or pushing tasks to Jira

In some cases, Sprinto uses trusted partners such as Merge or Truto to streamline data mapping via their API endpoints.

### Does Sprinto access or modify data?

By default, Sprinto requests **read-only access** to integrated services. This ensures Sprinto can monitor configurations and run compliance checks without modifying your data.

In limited cases, Sprinto requires additional permissions. Examples include:

* Sending notifications on Slack or Teams
* Creating Jira tasks
* Creating CloudWatch alarms in AWS

Sprinto does not store or modify customer data. We comply with leading industry standards such as SOC 2 Type II, ISO 27001, and GDPR. For details, visit the Sprinto Trust Centre.

### Permissions access and usage

The following sections describe the permissions Sprinto requests from commonly used integrations. Each table lists:

* **Permission**: The authorisation Sprinto requires
* **Resources**: The endpoints Sprinto uses
* **Purpose**: Why Sprinto requires access
* **Sprinto checks**: The checks mapped to each permission

You can view all available checks on your account in the **Check configuration** page.

***

### Google Cloud Platform (GCP)

Sprinto requests read-only access to GCP resources to monitor configurations. Sprinto does not read any stored or processed data.

| Permission | Resources | Purpose | Sprinto checks (examples) |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Security Reviewer | Service accounts, users, Firestore, projects, Cloud Storage buckets, Cloud SQL instances, GKE clusters, BigQuery datasets, KMS keys, log sinks, essential contacts | Fetch resources and monitor vulnerabilities | • Cloud SQL should be encrypted • Firestore read/write frequency monitored • VPC subnet flow logs captured • Service account keys rotated • Offboarded user access removed |
| Compute Viewer | Compute instances, VPC networks, firewalls, instance groups | Manage infrastructure and compute resources | • VPC subnet flow logs captured • Compute instance CPU monitored • Compute instance protected from direct internet traffic |

***

### Amazon Web Services (AWS)

Sprinto requests read-only access to AWS resources. Sprinto does not read data from AWS databases.

| Permission | Resources | Purpose | Sprinto checks (examples) |
| ---------------------------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| SecurityAudit | Security groups, EC2, RDS, S3, IAM users/groups, CloudTrail, GuardDuty, load balancers, VPCs | Monitor compliance and vulnerabilities | • CloudTrail enabled • S3 buckets encrypted and versioned • MFA enabled for root and users • GuardDuty enabled • Offboarded user access removed |
| CloudWatch (Read Only) & PutMetricAlarm (Write) | CloudWatch | Monitor service health | • RDS CPU/memory utilisation monitored • DynamoDB latency monitored • EC2 instance CPU monitored • Load balancer latency monitored |
| AWSSSODirectoryReadOnly / AWSSSOReadOnly | SSO users and permissions | Manage user access | • Offboarded user access removed |
| Lightsail (Read Only) | Lightsail instances, disks, alarms | Manage compute/storage | • Lightsail disk encrypted • Lightsail instance CPU monitored |
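The permission model above (and the "read-only by default, with a short list of write exceptions" principle stated earlier on this page) is something you can verify on your own side before or after granting access. The following script is an added example, not Sprinto's own tooling: it takes the IAM policy documents attached to an integration role, classifies every allowed action as read-only, an expected write action, an unexpected write action, or an over-broad grant (bare wildcards, `Allow` with `NotAction`), and reports whether the role stays within "read-only plus `cloudwatch:PutMetricAlarm`". The policy documents embedded in it are constructed samples (a small read-only subset in the spirit of SecurityAudit, a CloudWatch policy, and one deliberately over-broad policy), not the contents of the real AWS managed policies, and the read-only verb list is a heuristic you may need to extend.

```python
"""Audit the IAM policy documents attached to an integration role and
flag anything beyond read-only access plus an explicit write allowlist.

Added example, not Sprinto's tooling. Assumptions: the role carries a
read-only audit policy plus a CloudWatch policy, and the only expected
write action is cloudwatch:PutMetricAlarm (the one write permission the
AWS table lists). All policy documents below are constructed samples.
"""
from __future__ import annotations

import json

# Write actions the integration is documented to need (assumption: only this one).
ALLOWED_WRITE_ACTIONS = {"cloudwatch:PutMetricAlarm"}

# Heuristic: IAM action verbs that only read state. Any verb not listed here is
# treated as write-capable, so unknown verbs err on the side of producing a finding.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Lookup", "Search", "Check", "View")


def is_read_only(action: str) -> bool:
    """True when the action (possibly a trailing-wildcard pattern such as
    ec2:Describe*) starts with a read-only verb. Bare wildcards are never read-only."""
    _service, _, verb = action.partition(":")
    return verb != "" and verb.startswith(READ_ONLY_VERBS)


def _as_list(value) -> list:
    """IAM accepts a single string or object where a list is expected; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policies(policies: list[dict]) -> dict:
    """Classify every action granted by Allow statements across the policy documents."""
    findings = {"read_only": set(), "allowed_write": set(),
                "unexpected_write": set(), "overbroad": []}
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            sid = stmt.get("Sid", "<no Sid>")
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements only narrow access; not analysed here
            if "NotAction" in stmt:
                # Allow + NotAction grants every action except those listed.
                findings["overbroad"].append(f"{sid}: Allow with NotAction")
                continue
            for action in _as_list(stmt.get("Action")):
                if action in ALLOWED_WRITE_ACTIONS:
                    findings["allowed_write"].add(action)
                elif is_read_only(action):
                    findings["read_only"].add(action)
                elif "*" in action:
                    findings["overbroad"].append(f"{sid}: wildcard action {action}")
                else:
                    findings["unexpected_write"].add(action)
    return findings


def is_least_privilege(findings: dict) -> bool:
    """True when no unexpected write actions and no over-broad grants were found."""
    return not findings["unexpected_write"] and not findings["overbroad"]


# Constructed sample: a read-only subset in the spirit of SecurityAudit.
AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyAudit", "Effect": "Allow", "Resource": "*",
        "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                   "s3:GetBucketEncryption", "s3:GetBucketVersioning",
                   "iam:ListUsers", "iam:ListMFADevices", "iam:GetAccountSummary",
                   "guardduty:ListDetectors", "ec2:Describe*"],
    }],
}

# Constructed sample: CloudWatch read access plus the one documented write action.
CLOUDWATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchRead", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:Describe*", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]},
        {"Sid": "CloudWatchAlarmWrite", "Effect": "Allow", "Resource": "*",
         "Action": "cloudwatch:PutMetricAlarm"},
    ],
}

# Constructed sample of what should NOT be attached to a read-only integration role.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooMuch", "Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "iam:CreateAccessKey"]}],
}

EXPECTED_POLICIES = [AUDIT_POLICY, CLOUDWATCH_POLICY]

if __name__ == "__main__":
    for label, policies in (("expected", EXPECTED_POLICIES),
                            ("with over-broad policy", EXPECTED_POLICIES + [OVERBROAD_POLICY])):
        result = audit_policies(policies)
        print(f"{label}: least privilege = {is_least_privilege(result)}")
        print(json.dumps({k: sorted(v) for k, v in result.items()}, indent=2))
```

In practice you would feed `audit_policies` the documents returned by `iam get-policy-version` for each policy attached to the role, and re-run it whenever the integration asks for a new permission, so that a newly requested write action shows up as an explicit finding rather than silently widening the role.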

***

### Microsoft Azure DevOps

Sprinto requests read-only access to Azure DevOps resources. Sprinto does not read code from repositories.

| Permission                      | Resources                        | Purpose                               | Sprinto checks (examples)                                  |
| ------------------------------- | -------------------------------- | ------------------------------------- | ---------------------------------------------------------- |
| Vso.code                        | Repositories, policies           | Manage change management              | • Code changes peer-reviewed • Peer review enforced        |
| Vso.build                       | Pull requests, builds, artefacts | Manage build and vulnerability checks | • Peer review enforced • Dependency scanner SLScan running |
| Vso.memberentitlementmanagement | User entitlements, projects      | Manage user access                    | • User identified • Offboarded user access removed         |

***

### Microsoft Azure

Sprinto requests read-only access to Azure resources. Sprinto does not read stored data.

| Permission        | Resources                                                                                                                  | Purpose                                 | Sprinto checks (examples)                                                                                             |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| Directory.ReadAll | Users, groups, apps, SQL databases, Cosmos DB, AKS, Key Vaults, storage accounts, Redis cache, Databricks, Defender alerts | Monitor vulnerabilities and user access | • SQL database encrypted • Storage account TLS ≥1.2 • Web app redirects HTTP → HTTPS • Offboarded user access removed |
| Admin consent     | Users, metric alerts                                                                                                       | Fetch data at org level                 | • All Directory.ReadAll checks apply                                                                                  |

***

### Bitbucket

Sprinto requests read-only access to Bitbucket resources. Sprinto does not read stored code.

| Permission       | Resources                            | Purpose                    | Sprinto checks (examples)                                        |
| ---------------- | ------------------------------------ | -------------------------- | ---------------------------------------------------------------- |
| Team             | Workspaces, members, groups          | Manage user access         | • User identified • MFA enabled • Offboarded user access removed |
| Pullrequest      | Pull requests, activities, artefacts | Monitor change management  | • Peer review enforced                                           |
| Repository       | Repositories, branches               | Classify code repositories | • Dependency scanner SLScan running                              |
| Repository:admin | Branch restrictions                  | Enforce protections        | • Branch protection rules enforced                               |

***

### GitLab

Sprinto requests read-only access to GitLab resources. Sprinto does not read stored code.

| Permission       | Resources                                            | Purpose                             | Sprinto checks (examples)                              |
| ---------------- | ---------------------------------------------------- | ----------------------------------- | ------------------------------------------------------ |
| Read\_api        | Groups, repositories, merge requests, approval rules | Manage change management and access | • Repo classified • Peer review enforced • MFA enabled |
| Read\_repository | Job artefacts                                        | Vulnerability management            | • Dependency scanner SLScan running                    |
| Read\_user       | Projects, groups                                     | Validate user profiles              | • Supports other checks                                |
| Profile          | User profile data (OpenID)                           | Supports compliance                 | • Supports other checks                                |

***

### Google Workspace (GSuite) – Identity provider

Sprinto requests read-only access to Workspace resources. Sprinto does not read sensitive user details.

| Permission                        | Resources        | Purpose              | Sprinto checks (examples)                                        |
| --------------------------------- | ---------------- | -------------------- | ---------------------------------------------------------------- |
| Admin.directory.user.readonly     | Users, tokens    | Manage access        | • User identified • MFA enabled • Offboarded user access removed |
| Admin.directory.customer.readonly | Customer details | Validate connections | • Supports other checks                                          |

***

### Microsoft Office 365 – Identity provider

| Permission            | Resources            | Purpose              | Sprinto checks (examples)                          |
| --------------------- | -------------------- | -------------------- | -------------------------------------------------- |
| User.Read.All         | User profiles        | Manage access        | • User identified • Offboarded user access removed |
| Organization.Read.All | Organisation details | Validate connections | • Supports other checks                            |
| Reports.Read.All      | Usage reports        | Monitor compliance   | • MFA enabled                                      |

***

### Access-management integrations

Sprinto uses trusted partners (e.g., Truto) for identity and access management integrations.

#### Figma

* Authorisation: SCIM
* Access: Users
* Checks: User identified, offboarded user access removed

#### Typeform

* Authorisation: OAuth 2.0
* Access: Users, workspaces
* Checks: User identified, offboarded user access removed

#### Grafana

* Authorisation: API token
* Access: Users
* Checks: User identified, offboarded user access removed

#### OpenVPN

* Authorisation: OAuth client credentials
* Access: Users, groups
* Checks: User identified, offboarded user access removed

#### Jira

* Authorisation: OAuth 2.0
* Access: Users, groups, project roles
* Checks: User identified, offboarded user access removed

#### Confluence

* Authorisation: OAuth 2.0
* Access: Users, groups
* Checks: User identified, offboarded user access removed

***

### Support

If you need help granting permissions or have questions about specific integrations, contact Sprinto Support.

