1.0 Introduction
This article describes the minimum permissions required for Fortanix Key Insight to scan an on-premises connection. These permissions enable secure and accurate discovery of keys, cryptographic assets, and other resources within supported infrastructures such as databases, source code repositories, and file systems.
NOTE
Fortanix Key Insight does not have access to customer data. The permissions outlined in this article are limited to what the scanners need to discover and inventory cryptographic assets.
2.0 Database Permissions
To successfully integrate and scan an on-premises database in Fortanix Key Insight, the database user must have the following permissions:
Read access to the system catalog views (the sys.* views) in each target database.
Server-level permissions to:
View any definition
View server state
For more information on how to provide these permissions in Microsoft SQL Server, refer to Section 2.1: Database Permissions in Microsoft SQL Server.
2.1 Database Permissions in Microsoft SQL Server
If a new login has been created in Microsoft SQL Server for the on-premises connection, grant it the minimum permissions required for integration with Fortanix Key Insight.
Perform the following steps to provide the necessary permissions:
Open Microsoft SQL Server Management Studio (SSMS).
Navigate to Security → Logins.
Select the login used by Fortanix Key Insight.
Right-click the login and select Properties.
In the Login Properties dialog, go to the User Mapping page and select each database to be scanned, so that the login is mapped to a database user with read access to that database's catalog views.
On the Securables page, grant the following server-level permissions:
View any definition
View server state
Figure 1: Assign minimum user permissions
Click OK to save the changes.
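The same permissions can be granted with T-SQL instead of the SSMS dialog, which is useful for scripted provisioning and for auditing the result. The script below is an added example, not Fortanix's own code; it assumes a SQL-authenticated login named key_insight_scanner and a target database named Inventory, both of which are placeholders to replace with your own names.

```sql
-- Added example (not from the Fortanix documentation): T-SQL equivalent of the
-- SSMS steps above. Assumed placeholders: login key_insight_scanner, database
-- Inventory, and a password you must supply. Run as a sysadmin.

USE master;
GO

-- 1. Create the login (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'key_insight_scanner')
    CREATE LOGIN [key_insight_scanner]
        WITH PASSWORD = N'<strong-password-here>', CHECK_POLICY = ON;
GO

-- 2. Securables page: the two server-level permissions the scanner needs.
--    VIEW ANY DEFINITION exposes object metadata in every database;
--    VIEW SERVER STATE allows reading the dynamic management views.
GRANT VIEW ANY DEFINITION TO [key_insight_scanner];
GRANT VIEW SERVER STATE TO [key_insight_scanner];
GO

-- 3. User Mapping page: map the login into each database to be scanned.
--    Mapping creates a database user with CONNECT, which together with
--    VIEW ANY DEFINITION is enough to read the catalog views. Do not add
--    db_datareader unless your deployment requires reading table contents,
--    because that role exposes customer data rather than metadata.
USE Inventory;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'key_insight_scanner')
    CREATE USER [key_insight_scanner] FOR LOGIN [key_insight_scanner];
GO

-- 4. Verify as the scanner login: both server permissions should be listed
--    and a catalog view read should succeed.
EXECUTE AS LOGIN = N'key_insight_scanner';
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
WHERE permission_name IN ('VIEW ANY DEFINITION', 'VIEW SERVER STATE');
SELECT TOP (1) name FROM sys.tables;
REVERT;
GO

-- 5. Least-privilege audit: confirm nothing broader was granted at server level.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'key_insight_scanner';
GO
```

Repeat step 3 for every database listed on the User Mapping page. The audit query in step 5 should return only CONNECT SQL plus the two VIEW permissions; anything else means the login was given more than the scanner needs.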
3.0 Source Code Permissions
To successfully integrate and scan an on-premises source code repository in Fortanix Key Insight, the repository user must have Read access (permission to clone) to the repository, including all branches to be scanned.
For example, if you are using GitHub or Bitbucket repositories, the following permissions are required:
3.1 GitHub
To integrate and scan GitHub repositories in Fortanix Key Insight, the access token must have Read access to repository contents (files, branches, commits). This includes the ability to clone repositories so Fortanix Key Insight can retrieve code for scanning.
Additionally, the repo token scope is required. This classic scope grants read and write access to code and cannot itself be narrowed to read-only. Where possible, use a fine-grained personal access token restricted to the repositories to be scanned, with the Contents permission set to Read-only; that is the least privilege that still allows cloning.
For more information on access tokens and token scopes, refer to Scopes for OAuth apps.
3.2 Bitbucket
To integrate and scan Bitbucket repositories in Fortanix Key Insight, the access token must have Read access to repository contents (files, branches, commits). This includes the ability to clone repositories so Fortanix Key Insight can retrieve code for scanning.
Additionally, the repository token scope is required. It grants read access to repositories (files, branches, commits, metadata).
For more information on access tokens and token scopes, refer to Authentication methods.
4.0 File System Permissions
To integrate and scan file system resources through a Fortanix Key Insight on-premises connection, the following permissions are required:
On-premises scanner (fortanix-scanner):
Read access to certificate and key files.
Read and write access to the datastore path, if the File System scanner is enabled.
Permission to bind to the configured IPs and ports, with firewall rules allowing inbound File System Agent connections, if File System scanning is enabled.
File System Agent scanner (fortanix-fs-scanner):
Root or Administrator access is recommended to maximize the ability to read all files. Where a root or Administrator account is not acceptable, run the agent as a dedicated account that holds only the read and traverse rights listed below.
Read-only access to all included root paths, with the ability to traverse directories.
Outbound network access to the fortanix-scanner HTTPS server (IP and port).