# Permissions

### Overview

This page describes the permissions and access model for the **GSA Reporting & Assignment Agent**.\
The agent uses **read-only access** to Entra Private Access and Entra ID data through the **Microsoft Graph API** and **Security Copilot Plugins**.\
It is designed to collect and analyze connector health metrics, network traffic reports, and user-to-target assignment data **without modifying any configurations** in your environment.

***

### How It Works

The agent securely connects to your tenant through Microsoft Graph API endpoints to gather configuration and telemetry data related to **Global Secure Access (Entra Private Access)**.\
It correlates connector performance, IP range utilization, and user access assignments to evaluate network efficiency and identify operational or security gaps.

All interactions follow these principles:

* **Read-only access:** The agent never modifies, creates, or deletes configurations.
* **Least privilege:** Only the minimal permissions required to read network and directory data are requested.
* **Transparency:** All data retrieval occurs through documented Microsoft Graph API endpoints and can be fully audited in Microsoft Entra.

***

### Required Entra ID and Graph Roles

Assign the following roles and API permissions to the administrator account or managed identity running the agent:

| Role                                                           | Description                                                                                            |
| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| **Global Secure Access Reader** *(via NetworkAccess.Read.All)* | Enables read-only visibility into Entra Private Access connector groups, policies, and configurations. |
| **Security Reader**                                            | Provides read-only access to security and audit insights related to network operations.                |
| **Directory Reader**                                           | Grants visibility into user, group, and device information for assignment correlation.                 |
| **Reports Reader**                                             | Allows the agent to read usage and traffic activity reports for trend analysis.                        |

These roles comply with the **principle of least privilege** and can be scoped to specific applications or network access resources if needed.
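One way to confirm that the identity running the agent holds exactly the read-only permission set described above is to inspect the `roles` (application) or `scp` (delegated) claims of the Graph access token it was issued. The following is an added example, not code shipped with the agent: it decodes a token's payload, reports which required permissions are missing, and flags any permission that is not a `.Read` permission, since such a grant would contradict the read-only model. The page names only `NetworkAccess.Read.All` explicitly; the other entries in `REQUIRED_PERMISSIONS` are well-known Microsoft Graph application permissions assumed here to correspond to the Directory Reader, Reports Reader and Security Reader roles. The sample token is constructed and unsigned.

```python
import base64
import json
import re

# Least-privilege set assumed for this example. NetworkAccess.Read.All comes
# from the page; the others are standard Graph application permissions that
# back the reader roles listed in the table (assumption, not from the page).
REQUIRED_PERMISSIONS = {
    "NetworkAccess.Read.All",
    "Directory.Read.All",
    "Reports.Read.All",
    "AuditLog.Read.All",
}

# A Graph permission is read-only when its verb segment is exactly "Read"
# (e.g. Directory.Read.All, User.Read); "ReadWrite", "Send", etc. are not.
_READ_ONLY = re.compile(r"\.Read(\.|$)")


def is_read_only(permission: str) -> bool:
    """True for permissions whose verb is Read; False for any write-capable grant."""
    return bool(_READ_ONLY.search(permission))


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_permissions(token: str) -> set:
    """Return the Graph permissions carried by a token's claims.

    Application (client-credential) tokens list permissions in the `roles`
    claim as a JSON array; delegated tokens list scopes in the `scp` claim as
    a space-separated string. Only the payload is decoded: this inspects the
    claims of a token you already hold and performs no signature validation.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    perms = set(payload.get("roles", []))
    perms.update(payload.get("scp", "").split())
    return perms


def check_least_privilege(token: str) -> dict:
    """Compare a token's permissions with the agent's read-only requirement."""
    granted = token_permissions(token)
    missing = sorted(REQUIRED_PERMISSIONS - granted)
    non_read = sorted(p for p in granted if not is_read_only(p))
    return {
        "ok": not missing and not non_read,
        "missing": missing,       # required read permissions not granted
        "non_read": non_read,     # grants that exceed the read-only model
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the check can run offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: over-privileged in one direction (a ReadWrite grant)
# and under-privileged in another (Reports.Read.All is absent).
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": [
        "NetworkAccess.Read.All",
        "Directory.Read.All",
        "AuditLog.Read.All",
        "NetworkAccess.ReadWrite.All",
    ],
})

if __name__ == "__main__":
    print(json.dumps(check_least_privilege(SAMPLE_TOKEN), indent=2))
```

Run this against a token obtained for the agent's app registration (or for the administrator account, where the `scp` claim applies) before the first report run; a non-empty `non_read` list means the grant should be trimmed back to the reader permissions rather than accepted.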

***

### Data Access Transparency

The table below describes the data types accessed by the agent and their purpose:

| Data Type                                      | Access Level | Purpose                                                                  |
| ---------------------------------------------- | ------------ | ------------------------------------------------------------------------ |
| Global Secure Access connector and policy data | Read-only    | To analyze connector configuration, redundancy, and health metrics.      |
| Network traffic and performance logs           | Read-only    | To identify anomalies, latency issues, and failed connection attempts.   |
| IP ranges and port coverage                    | Read-only    | To detect stale IP ranges, missing firewall rules, and conflicts.        |
| User and group directory data                  | Read-only    | To correlate user access assignments with network destinations.          |
| Audit and usage reports                        | Read-only    | To trace configuration changes, access trends, and utilization patterns. |

**Data handling:**

* The agent does not alter or export customer data outside your tenant boundary.
* All data access is limited to Microsoft Graph and Security Copilot Plugin endpoints.
* Every access event is logged in **Microsoft Entra audit logs** for traceability and compliance assurance.
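Because the agent's activity is recorded in the Entra audit logs, a defender can periodically verify that nothing initiated by the agent's identity was a directory change, which is the observable counterpart of the read-only promise above. The following is an added example, not part of the agent: it walks a set of directory audit records in the shape returned by the Microsoft Graph `directoryAudits` resource (`activityDateTime`, `activityDisplayName`, `initiatedBy.app.displayName`, `result`), keeps only records within a lookback window matching the agent's `LookbackDays` options, and returns those attributed to the agent whose activity name starts with a change verb. The records and the agent's application display name are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Display name of the agent's app registration as it appears in audit
# records; assumed for this example.
AGENT_APP_NAME = "GSA Reporting & Assignment Agent"

# Leading verbs that Entra uses for activities which modify the directory.
# Read activity should never appear under these for a read-only agent.
CHANGE_VERBS = ("Add", "Update", "Delete", "Remove", "Set", "Consent")

# Constructed sample records (values are made up). The first and third are
# deliberately attributed to the agent so that the check has something to flag.
SAMPLE_AUDIT_RECORDS = [
    {
        "activityDateTime": "2025-01-15T08:02:11Z",
        "activityDisplayName": "Update conditional access policy",
        "initiatedBy": {"app": {"displayName": AGENT_APP_NAME}},
        "result": "success",
    },
    {
        "activityDateTime": "2025-01-14T10:30:00Z",
        "activityDisplayName": "Add member to group",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "result": "success",
    },
    {
        "activityDateTime": "2024-11-20T16:45:00Z",
        "activityDisplayName": "Delete application",
        "initiatedBy": {"app": {"displayName": AGENT_APP_NAME}},
        "result": "failure",
    },
]


def _parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Graph emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiating_app(record: dict) -> str:
    """Return the display name of the app that initiated a record, or ''."""
    app = (record.get("initiatedBy") or {}).get("app") or {}
    return app.get("displayName", "")


def is_change(activity_name: str) -> bool:
    """True when the activity's leading verb indicates a directory change."""
    return activity_name.split(" ", 1)[0] in CHANGE_VERBS


def changes_by_agent(records, app_name=AGENT_APP_NAME,
                     lookback_days=30, now=None):
    """Return change records attributed to the agent within the lookback window.

    An empty list is the expected result for a read-only agent; any entry is
    worth investigating regardless of its result field, since a failed change
    attempt still means the identity tried to do more than read.
    """
    if lookback_days not in (30, 60, 90):  # the agent's LookbackDays options
        raise ValueError("lookback_days must be 30, 60 or 90")
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    return [
        r for r in records
        if initiating_app(r) == app_name
        and is_change(r["activityDisplayName"])
        and _parse_time(r["activityDateTime"]) >= cutoff
    ]


if __name__ == "__main__":
    asof = datetime(2025, 1, 16, tzinfo=timezone.utc)
    for days in (30, 60, 90):
        hits = changes_by_agent(SAMPLE_AUDIT_RECORDS, lookback_days=days, now=asof)
        print(f"lookback {days}d: {len(hits)} change(s) initiated by the agent")
```

In practice the `records` argument would be the JSON array fetched from the Graph audit log endpoint for the tenant; feeding the same lookback value the agent is configured with keeps the review window aligned with the reporting window.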

***

### Agent Settings

The agent includes configurable parameters to control scope, lookback period, and reporting depth:

| Setting          | Options                                         | Description                                                                                                                                                                                                                                                                                                     |
| ---------------- | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Scope**        | `connectors`, `traffic`, `assignments`, `ports` | Defines which network areas are included in the analysis.                                                                                                                                                                                                                                                       |
| **LookbackDays** | 30, 60, 90                                      | Determines the time window for network traffic and connector activity evaluation.                                                                                                                                                                                                                               |
| **Mode**         | `quick`, `standard`, `deep`                     | Specifies analysis depth and reporting detail: **quick** gives a high-level overview of connector health and assignments; **standard** *(recommended)* runs a comprehensive analysis of connector, traffic, and user-to-target data; **deep** is a full diagnostic mode with advanced anomaly detection and optimization recommendations. |

Ensure that all required permissions are granted before running the agent to avoid incomplete reports.

***

### Security and Compliance Considerations

* All communication between the agent and Microsoft Graph is encrypted using **HTTPS** and authenticated via **Microsoft identity services**.
* The agent operates within the **Zero Trust** and **least privilege** principles.
* Access can be reviewed, modified, or revoked at any time using **Microsoft Entra role-based access control (RBAC)** or application consent management.
* The agent does not make any configuration changes, ensuring full operational safety during assessments.

***

### Next Steps

1. Confirm that the administrator or managed identity running the agent has the required roles and Graph permissions assigned.
2. Validate access to Entra Private Access connectors and network access reports through Microsoft Graph.
3. Review your organization’s role assignment and governance policies before enabling automated reporting.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/gsa-reporting-and-assignment-agent/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
