---
title: "On-premises Connection Permissions"
slug: "fortanix-key-insight-on-premises-connection-permissions"
updated: 2026-05-26T11:12:47Z
published: 2026-05-26T11:12:47Z
canonical: "support.fortanix.com/fortanix-key-insight-on-premises-connection-permissions"
---

# On-premises Connection Permissions

## 1.0 Introduction

This article describes the minimum permissions required for Fortanix Key Insight to scan an on-premises connection. These permissions enable secure and accurate discovery of keys, cryptographic assets, and other resources within supported infrastructures such as databases, source code repositories, containers, networks, and file systems.

> [!NOTE]
> Fortanix Key Insight does **not** have access to customer data. The permissions outlined in this article are used exclusively for cryptographic operations and security enforcement.

## 2.0 Database Permissions

To successfully integrate and scan an on-premises database in Fortanix Key Insight, the database user must have the following permissions:

- **Read** access to catalog table views in the target database.
- **Server-level permissions** to:
  - View any definition
  - View server state

*For more information on how to provide these permissions in Microsoft SQL Server, refer to [Section 2.1: Database Permissions in Microsoft SQL Server](/v1/docs/fortanix-key-insight-on-premises-connection-permissions#21-database-permissions-in-microsoft-sql-server).*

### 2.1 Database Permissions in Microsoft SQL Server

If a new user has been added to the Microsoft SQL Server, ensure that the minimum required permissions are granted to support integration with Fortanix Key Insight for an on-premises connection.

Perform the following steps to provide the necessary permissions:

1. Open **Microsoft SQL Server Management Studio (SSMS)**.
2. Navigate to **Security → Logins**.
3. Select the appropriate user.
4. Right-click the user and select **Properties**.
5. In the **Login Properties** page, go to **User Mapping** and select the required databases with read permissions.
6. In the **Securables** section, enable the following permissions:
  - View any definition
  - View server state

   ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_On-premises Minimum Permissions.png)

   **Figure 1: Assign minimum user permissions**

7. Click **OK** to save the changes.
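The SSMS steps above can also be applied from a script, which is easier to review and repeat across instances. The shell helper below is an added example and is not part of the Fortanix documentation: `ki_sql_grants` renders the T-SQL equivalent of steps 5 and 6 for a given login and list of databases, and `ki_sql_verify` renders a query that lists the server-level grants the login actually holds. The login `ki_scanner`, the database names, the host `sql01.example.internal` and the admin login `ki_admin` are placeholders; the example assumes the login already exists (as Section 2.1 does) and that "read permissions" in User Mapping means membership in the `db_datareader` role.

```shell
#!/usr/bin/env sh
# Added example (not Fortanix code): render the T-SQL equivalent of the SSMS
# steps in Section 2.1. Assumptions: the login already exists on the instance;
# "read permissions" in User Mapping means membership in db_datareader;
# 'ki_scanner', the database names and the host name are placeholders.

# Print the grant script for one login and any number of databases.
ki_sql_grants() {
  login="$1"; shift
  # Server-level securables (step 6). VIEW ANY DEFINITION is what makes the
  # catalog view metadata (sys.* views) visible to the login in every database.
  cat <<EOF
USE [master];
GRANT VIEW ANY DEFINITION TO [$login];
GRANT VIEW SERVER STATE TO [$login];
EOF
  # User mapping with read access (step 5), one block per database.
  for db in "$@"; do
    cat <<EOF
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE db_datareader ADD MEMBER [$login];
EOF
  done
}

# Print a query that lists the server-level permissions the login actually holds,
# to confirm the grants after they are applied (step 7).
ki_sql_verify() {
  login="$1"
  cat <<EOF
SELECT p.name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON sp.grantee_principal_id = p.principal_id
WHERE p.name = N'$login';
EOF
}

# Usage (sqlcmd prompts for the admin password when -P is omitted):
#   ki_sql_grants ki_scanner SalesDB HRDB > ki_grants.sql
#   sqlcmd -S sql01.example.internal -U ki_admin -i ki_grants.sql
#   ki_sql_verify ki_scanner > ki_verify.sql
#   sqlcmd -S sql01.example.internal -U ki_admin -i ki_verify.sql
# Expect rows for VIEW ANY DEFINITION and VIEW SERVER STATE with state_desc = GRANT
# (the CONNECT SQL row that every login holds by default appears as well).
```

The verification query is worth keeping in a change ticket: it shows that no broader server-level permission (for example CONTROL SERVER or sysadmin membership) was granted along the way, which is the point of the minimum-permission model.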

## 3.0 Source Code Permissions

To successfully integrate and scan an on-premises source code repository (repo) in Fortanix Key Insight, the repository user must have **Read** access (permission to clone) to the source code repository, including all branches to be scanned.

For example, if you are using GitHub or Bitbucket repositories, the following permissions are required:

### 3.1 GitHub

Fortanix Key Insight supports both **GitHub Personal Access Token (Classic)** and **GitHub Fine-grained Personal Access Token** authentication methods for integrating and scanning GitHub repositories.

To integrate and scan GitHub repositories in Fortanix Key Insight, the access token must provide read access to repository contents (files, branches, commits). This allows Fortanix Key Insight to clone repositories and retrieve source code for scanning.

#### 3.1.1 Personal Access Token (Classic)

For Classic Tokens, the `repo` scope must be selected.

- `repo`: Grants access to repositories, including the ability to clone and read repository contents required for scanning.

> [!NOTE]
> For GitHub Classic Personal Access Tokens, the `repo` scope must be enabled. GitHub does not provide a separate read-only option for this scope.

*For more information on Personal Access Tokens (classic) and associated scopes, refer to the [GitHub official documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps).*

#### 3.1.2 Fine-grained Personal Access Token

When configuring a Fine-grained Personal Access Token:

1. Select the repositories that need to be scanned by Fortanix Key Insight.
2. Grant the following repository permissions with **Read-only** access:
  - **Contents**
  - **Metadata**

These permissions allow Fortanix Key Insight to clone repositories and retrieve metadata required for repository scanning.

> [!NOTE]
> For Fine-grained Personal Access Tokens:
>
> - Repository access must be granted either by explicitly selecting the repositories to be scanned or by selecting all repositories.
> - Both **Contents (Read-only)** and **Metadata (Read-only)** permissions are required for successful repository scanning.

*For more information on Fine-grained Personal Access Tokens and associated permissions, refer to the [GitHub official documentation](https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens).*

### 3.2 Bitbucket

To integrate and scan Bitbucket repositories in Fortanix Key Insight, the access token must have **Read** access to repository contents (files, branches, commits). This includes the ability to clone repositories so Fortanix Key Insight can retrieve code for scanning.

Additionally, the following token scope is required:

- `repository`: Grants read access to repositories (files, branches, commits, metadata).

*For more information on access tokens and token scopes, refer to the [Bitbucket official documentation](https://developer.atlassian.com/cloud/bitbucket/rest/intro/#authentication).*

## 4.0 File System Permissions

To successfully integrate and scan file system and network resources with the Fortanix Key Insight on-premises connection, the following permissions are required:

- **Fortanix On-premises Scanner:**
  - Read access to certificate and key files.
  - Read and write access to the datastore path, if the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) is enabled.
  - Permission to bind to configured IPs and ports, with firewall rules allowing inbound File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) connections if File System scanning is enabled.
- **File System Scanner Agent (Windows)** or **File System and Network Scanner Agent (Linux)** (scanner agents):
  - **Recommended (Least-Privilege Model):** Run the scanner agent as a dedicated non-privileged user (for example, `fortanix`). This user can be granted only the following minimum permissions required to scan the desired file paths:
    - Read-only access to all included root paths, with execute permission on parent directories to allow traversal.
    - Outbound network access to the `fortanix-scanner` HTTPS server (IP and port).

> [!NOTE]
> Running the scanner agents as **root** is **optional**.
>
> Root access is required in the following situations to ensure that all necessary files can be scanned:
>
> - The dedicated scanner user (for example, `fortanix`) does not have permission to read certain files or directories.
> - Private key files or other sensitive files are restricted to a specific user (for example, readable only by root or an application owner), making them inaccessible to the `fortanix` user.
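One way to confirm that a dedicated scanner user such as `fortanix` really has the read-only and traversal access listed above, before enabling the agent or falling back to root, is the POSIX shell audit below. It is an added example and not part of the Fortanix agent: `ki_check_traversal` walks up from a scan root and reports the first parent directory without the execute bit, `ki_check_readable` lists every directory or file under the root that the current user cannot read, and `ki_audit_scan_root` combines both. Run it as the scanner user so the result reflects that user's view of the tree. The `setfacl` lines in the usage comment are one way to grant only the missing bits without changing ownership; the script file name, paths and user name are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not Fortanix code): audit whether the user running this script
# has the least-privilege access the scanner agent needs for a scan root.
# Paths, the script name and the user name 'fortanix' are placeholders.

# Every parent directory of a scan root needs the execute (x) bit for the
# scanner user; without it the path cannot be traversed even if the files
# themselves are readable.
ki_check_traversal() {
  dir="$1"
  [ -d "$dir" ] || dir=$(dirname "$dir")
  while [ "$dir" != "/" ] && [ -n "$dir" ] && [ "$dir" != "." ]; do
    if [ ! -x "$dir" ]; then
      printf 'NO-TRAVERSE dir: %s (missing x bit)\n' "$dir" >&2
      return 1
    fi
    dir=$(dirname "$dir")
  done
  return 0
}

# List everything under the root the current user cannot read:
# directories need r (to list) and x (to enter), regular files need r.
ki_check_readable() {
  root="$1"
  find "$root" -type d -exec sh -c '[ -r "$1" ] && [ -x "$1" ] || printf "NO-ACCESS dir:  %s\n" "$1"' _ {} \; 2>/dev/null
  find "$root" -type f -exec sh -c '[ -r "$1" ] || printf "NO-ACCESS file: %s\n" "$1"' _ {} \; 2>/dev/null
}

# Audit one scan root; exit status 0 means the current user can reach and read everything.
ki_audit_scan_root() {
  root="$1"
  if [ ! -e "$root" ]; then
    printf 'MISSING: %s\n' "$root" >&2
    return 1
  fi
  ki_check_traversal "$root" || return 1
  problems=$(ki_check_readable "$root")
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    return 1
  fi
  printf 'OK: %s is fully readable by %s\n' "$root" "$(id -un)"
}

# Usage: run as the scanner user so the checks reflect its permissions, not yours:
#   sudo -u fortanix sh -c '. ./ki_fs_audit.sh; ki_audit_scan_root /etc/ssl/private'
# If anything is reported, grant only the missing bits with POSIX ACLs (acl package)
# rather than running the agent as root:
#   setfacl -m u:fortanix:x  /etc /etc/ssl                 # traverse parent directories
#   setfacl -m u:fortanix:rx /etc/ssl/private              # list and enter the scan root
#   setfacl -m u:fortanix:r  /etc/ssl/private/server.key   # read the key file itself
```

Running the audit as root is not informative: root bypasses the permission bits, so every check passes regardless of what the `fortanix` user can actually see. The ACL route keeps the key files owned by their application owner while still satisfying the read-only requirement above.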

## 5.0 Container Permissions

To integrate and scan container images in Fortanix Key Insight, the platform must be able to pull the images from the specified container image repositories. This requires that the credentials used for integration have **Read (pull) access** to all container image repositories and tags included in the scan.

Fortanix Key Insight retrieves container artifacts by pulling image layers and metadata, so the user (or service account) must have permissions allowing them to:

- Read image metadata
- Pull image layers
- Access the container image repositories and tags defined for scanning

The permissions required for a Docker-based repository are explained in [Section 5.1: Docker Container Image Permissions](/v1/docs/fortanix-key-insight-on-premises-connection-permissions#51-docker-container-image-permissions).

### 5.1 Docker Container Image Permissions

To scan container images from Docker Hub or private Docker registries in Fortanix Key Insight, ensure the **daemon** is configured with **read (pull) access** to the repository and all relevant image tags. This includes permission to pull image layers and metadata so that Fortanix Key Insight can retrieve and analyze the image contents.

The required permissions include:

- **Pull access** to the container image repository
- **Read access** to all tags included in the scan (for example: `vault:1.13.3` or `ghcr.io/linuxserver/nginx:latest`)

*For more information on repository access and permissions, refer to the [Docker official documentation](https://docs.docker.com/docker-hub/repos/).*
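Before adding a registry connection, it is useful to confirm that the credentials the scanner will use can actually read every image reference in scope. The shell helpers below are an added example and not Fortanix tooling: `ki_image_parts` normalizes a reference the way the Docker CLI does (default registry `docker.io`, implicit `library/` namespace for official images, default tag `latest`), and `ki_check_pull` uses `docker manifest inspect`, which needs the same read permission on the repository as a pull but transfers no layers, as a pre-flight check. The image names are the page's own examples plus a constructed private-registry reference; the registry host and `team/app` are placeholders, and digest (`@sha256:...`) references are not handled.

```shell
#!/usr/bin/env sh
# Added example (not Fortanix tooling): pre-flight check that the credentials in
# the local Docker config can read every image reference in scope for a scan.
# 'registry.example.internal:5000/team/app' is a constructed placeholder.

# Normalize an image reference into "registry repository tag", following the
# Docker CLI defaults: registry docker.io, namespace library/ for official
# images, tag latest. Digest references (@sha256:...) are not handled here.
ki_image_parts() {
  ref="$1"
  case "$ref" in
    */*)
      first="${ref%%/*}"
      # The first component is a registry only if it looks like a host.
      case "$first" in
        *.*|*:*|localhost) registry="$first"; path="${ref#*/}" ;;
        *)                 registry="docker.io"; path="$ref" ;;
      esac ;;
    *) registry="docker.io"; path="$ref" ;;
  esac
  # A ':' counts as a tag separator only in the last path component.
  last="${path##*/}"
  case "$last" in
    *:*) tag="${last##*:}"; repo="${path%:*}" ;;
    *)   tag="latest";      repo="$path" ;;
  esac
  if [ "$registry" = "docker.io" ]; then
    case "$repo" in */*) ;; *) repo="library/$repo" ;; esac
  fi
  printf '%s %s %s\n' "$registry" "$repo" "$tag"
}

# Check read (pull) access for each reference with the credentials stored by
# `docker login`. A failure means a missing grant, a missing tag, or no login
# for that registry; fix it before the connection is created, not after the
# scan reports gaps.
ki_check_pull() {
  rc=0
  for ref in "$@"; do
    parts=$(ki_image_parts "$ref")
    if docker manifest inspect "$ref" >/dev/null 2>&1; then
      printf 'OK   %-45s -> %s\n' "$ref" "$parts"
    else
      printf 'FAIL %-45s (no read/pull access, missing tag, or not logged in)\n' "$ref" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage, after `docker login` with the account the connection will use:
#   ki_check_pull vault:1.13.3 ghcr.io/linuxserver/nginx:latest registry.example.internal:5000/team/app:1.2
```

The normalization step matters because a scan scope written as `vault:1.13.3` is really `docker.io/library/vault:1.13.3`; pull access granted on a differently named repository in a private mirror does not cover it.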

The File System Scanner Agent is installed on servers that require scanning. It navigates through local file systems to detect and extract metadata related to cryptographic materials, such as keys and certificates. The scanner securely collects this data and shares it with the Fortanix On-premises Scanner, which aggregates and analyzes the findings within Fortanix Key Insight. This process provides centralized visibility and facilitates effective compliance management.
