Category: Connections
Tags: permissions, least privilege, app registration, service account

Least-privilege permissions for each connector

Certification Center is a cloud SaaS application that connects to your directories to read who has access, so that you can certify it. This article summarizes the least-privilege permissions each connector needs. The guiding principle is the same for every connector: read first, write-back optional. Every connector starts read-only, and write-back stays off until you deliberately enable it for a specific action.

This is the reference companion to the individual connect guides. For step-by-step setup, follow the linked article for your directory.

Directory and identity connectors

Certification Center connects to the major directory and identity sources, including Active Directory, Entra ID, Google Workspace, AWS, and SCIM. The permission guidance below covers those connectors:

Connector          Reads over                      Guide
Active Directory   Directory reads from your AD    Active Directory connection guides
Entra ID           Microsoft Graph API             Connecting to Entra ID
Google Workspace   Admin SDK Directory API         Connect Google Workspace
AWS (IAM)          Assumed IAM role                Connect AWS IAM
SCIM 2.0           SCIM 2.0 endpoint               Connect a directory over SCIM 2.0

Comparison: what each connector needs

Active Directory
  Identity used:               A service account
  Least-privilege read access: Read directory (users, groups, membership)
  Credential:                  Service account credentials
  Write-back (optional):       Write requires an account with rights to modify the objects you act on

Entra ID
  Identity used:               An app registration
  Least-privilege read access: Application permissions to read the directory (read users, groups, directory)
  Credential:                  Client secret or, preferred, a certificate
  Write-back (optional):       Add read-write directory scopes only when enabling write-back

Google Workspace
  Identity used:               A service account with domain-wide delegation
  Least-privilege read access: The admin.directory.*.readonly scopes for users, groups, org units
  Credential:                  Service account JSON key
  Write-back (optional):       Add the matching read-write scope only when enabling write-back

AWS (IAM)
  Identity used:               A cross-account IAM role you own
  Least-privilege read access: Read-only IAM (list and get users, groups, policies)
  Credential:                  Short-lived assumed-role sessions plus an external ID
  Write-back (optional):       Add IAM write actions only when enabling write-back

SCIM 2.0
  Identity used:               A bearer token from your source
  Least-privilege read access: Read the SCIM /Users and /Groups resources
  Credential:                  Bearer token
  Write-back (optional):       A token with write rights, only if the source supports SCIM writes

Principles that apply to every connector

  • Read-only first. Grant only read access for the first sync. Certification's job is to see who has access; that is a read operation.
  • Write-back is opt-in. Suspending, disabling, or removing access in the source directory is a separate, explicit step you enable per connection. Do not grant write permissions until you turn write-back on.
  • Narrow the scope. Prefer scoped read permissions (read users, read groups) over broad administrative roles. On AWS, prefer IAMReadOnlyAccess or a list/get-only policy over an admin policy.
  • Prefer stronger credential shapes. For Entra ID, a certificate is preferable to a client secret. For AWS, assumed-role sessions avoid long-lived keys entirely. For SCIM, scope the bearer token as tightly as your source allows.
  • Protect against the confused deputy. The AWS connector assumes your role only when it presents the external ID from its trust policy, so knowing the role ARN alone is not enough to assume it.
  • Rotate credentials. Client secrets and bearer tokens expire; rotate them on a schedule, before they lapse, and immediately if one may have leaked. An expired credential silently breaks sync.
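The AWS principles above (read-only IAM, an assumed role rather than long-lived keys, and an external ID against the confused deputy) come down to two policy documents on the role you create. The following is an added example, not code from Certification Center or its setup guides: it builds a trust policy that pins the external ID, a list/get-only permissions policy, and two small audit functions that catch the two ways this setup usually drifts (a write action creeping into the permissions policy, or an AssumeRole statement that no longer requires the external ID). The account ID, external ID and the read-only verb allowlist are assumptions; substitute the values your connector setup page shows.

```python
"""Added example: audit the trust and permissions policies behind the AWS (IAM) connector role.

Runs offline on policy documents.  The account ID and external ID below are
placeholders (assumptions), not values from the product.
"""
import json

CONNECTOR_ACCOUNT_ID = "111122223333"   # assumption: the SaaS side's AWS account
EXTERNAL_ID = "replace-with-the-id-shown-in-the-connector-setup"  # assumption

# Trust policy: only the connector's account may assume the role, and only when it
# presents the external ID.  Knowing the role ARN alone is not enough.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONNECTOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed bad case: same trust policy with the condition dropped.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONNECTOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: list/get only, the read-first posture from the article.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
}

# Constructed drifted copy with a write action added, which the audit must catch.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:Get*", "iam:List*", "iam:DeleteAccessKey"],
        "Resource": "*",
    }],
}

# Verb prefixes treated as read-only (assumption: the verbs the managed
# IAMReadOnlyAccess policy allows; shrink this to get/list if you prefer).
READ_ONLY_VERBS = ("get", "list", "generate", "simulate")


def _as_list(value):
    """IAM accepts either a string or a list in Action and similar fields."""
    return value if isinstance(value, list) else [value]


def write_actions(policy):
    """Return every Allow action that is not a read-only IAM verb.

    An empty list means the policy is read-only.  Bare wildcards ("*", "iam:*")
    and NotAction statements are reported as writes: they grant far more than
    list/get, even though no write verb appears literally.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            found.append("NotAction")
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")   # "iam:Get*" -> "Get*"; "*" -> ""
            if not verb.lower().startswith(READ_ONLY_VERBS):
                found.append(action)
    return found


def trust_problems(trust_policy, expected_external_id):
    """Return indexes of Allow sts:AssumeRole statements that do not pin the external ID."""
    problems = []
    for index, stmt in enumerate(trust_policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != expected_external_id:
            problems.append(index)
    return problems


if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY), ("drifted", DRIFTED_POLICY)]:
        print(f"{name}: write actions = {write_actions(policy)}")
    for name, policy in [("pinned", TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)]:
        print(f"{name}: statements missing external ID = {trust_problems(policy, EXTERNAL_ID)}")
    # The trust document as you would pass it to aws iam create-role / update-assume-role-policy.
    print(json.dumps(TRUST_POLICY, indent=2))
```

Run the two checks whenever the role's policies change (for example, in the pipeline that applies them): a non-empty result from write_actions means standing write access exists even though write-back is off, and a non-empty result from trust_problems means the role can be assumed without the external ID.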

What Certification Center does not need

  • It does not need domain administrator or global administrator rights to do its job. Read scopes are enough for certification.
  • It does not need standing write access. Enable write-back only for the specific actions you want reviewers to trigger.
  • It does not require anything installed inside your network. Its connectors are outbound authorizations from your isolated cloud workspace to your directory.

Important: If a connector's credential expires or its permissions are reduced below the read scopes above, syncs will fail and your certification data will go stale. Treat connector credentials as production secrets.

Troubleshooting permissions

  • Insufficient privileges after setup — A required read scope or the admin consent step was skipped. Re-check the connector's setup guide.
  • Works then stops — A client secret or bearer token likely expired. Rotate it and update the connection.
  • Write-back action does nothing — Write-back is off or the credential lacks write rights. Enable write-back and grant the matching write scope.
  • For symptoms and fixes across connectors, see Troubleshooting cloud directory connections.
