Wiz Permissions Reference
This section outlines the access scopes and justifications for the Wiz–SailPoint Entro integration.
Navigation Path
Management → Accounts & Integrations → Wiz
Required Permissions
The Wiz Service Account must have the following permissions for SailPoint Entro to retrieve and generate reports securely:
| Permission | Type | Purpose |
|---|---|---|
| read:data_findings | Read | Retrieve sensitive data classification and context |
| create:reports | Write | Generate new DSPM report jobs for NHI exposure correlation |
| read:reports | Read | Access completed report data for ingestion into SailPoint Entro |
Permissions Justification
-
SailPoint Entro generates Data Findings Reports to identify all cloud assets and their related data risks.
-
The create:reports permission is required to initiate this report within Wiz.
-
The read:data_findings and read:reports scopes allow SailPoint Entro to access only DATA_SCAN report types — no configuration, user, or secret data is retrieved.
Access Summary
-
Authentication uses Service Account Client ID and Client Secret
-
All requests performed via the Wiz REST API
-
All operations are read-only and executed over TLS 1.2+
-
Tokens are stored encrypted in SailPoint Entro’s Worker Group environment (AES-256)