CMP and config access
Use CMP and config access to request scoped consent configuration review, inspect cmp_provider, cmp_access_status and config_scope, and keep production changes customer approved.
Marketers, privacy reviewers, developers and agencies
Feature availability
Product, package, provider and deployment boundaries for this page.
- Available from: Current documentation
- Providers: cmpconsentconfig
- Deployment modes: cloud, self-hosted
Before requesting CMP or config access
Use this page when a report finding may need consent-management platform, cookie banner, privacy policy or configuration context. CMP/config access should verify authority before any banner, cookie, policy, consent tag or production configuration change is requested. Do not request production write access by default. The product flow should keep configuration_changes set to blocked_until_explicit_authorization and route to ticket_only_fallback when provider, property, environment or consent authority is unclear.
Request scoped consent config access
Follow the path `GTM access → CMP/config scope → Consent authority check → Customer-approved config change → Fallback or access modes`.
- Open /reports/{report} and review the automated fix workflow platform access options. Result: cmp_config appears only when the finding may need consent, cookie banner, policy or configuration context.
- Choose the CMP/config access option for the customer-owned consent or configuration surface. Result: platform_access_mode and config_scope identify the exact provider, property and environment boundary.
- Confirm cmp_provider, property or environment and consent authority before requesting access. Result: cmp_access_status describes whether structured request can continue.
- Review connector_status and configuration_changes before sharing instructions. Result: blocked_until_explicit_authorization prevents unapproved config changes.
- Keep publish_boundary customer_approved for banner, cookie, policy and consent-tag changes. Result: production write scope cannot be used before customer approval.
- Use ticket_only_fallback when unknown CMP, missing authority, production write scope or unsafe config blocks access. Result: customer-applied CMP/config instructions continue without unsafe access.
Ready CMP/config states
Continue only when the product shows a scoped and customer-safe state.
- Structured request ready means platform_access_mode is cmp_config and config_scope describes the exact consent or configuration surface.
- Provider identified means cmp_provider and cmp_access_status match the customer-owned CMP, property and environment.
- Authorization blocked by default means configuration_changes is blocked_until_explicit_authorization until the customer approves the exact change.
- Publish boundary set means publish_boundary is customer_approved for production banner, cookie, policy and consent-tag changes.
- Fallback available means ticket_only_fallback can carry customer-applied CMP/config instructions when connected access is unsafe.
Blocked or unsafe config states
Do not work around unsafe CMP/config access. Use fallback or a narrower scope before requesting configuration capability.
- Unknown CMP means use ticket_only_fallback until the provider and property are clear.
- Production write scope without approval means stop and require customer approval for the exact config change.
- Missing consent authority means do not modify banner, cookie or policy settings until the customer confirms authority.
- Wrong environment means stop before staging, production or regional policy settings are changed.
- Expired access means reconnect through the product flow or use Safe fallback paths.
- Secret boundary risk means use Secret handling or Revoke and no-secret boundaries before private keys, snippets or configuration secrets enter artifacts.
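The ready and blocked states above amount to one gate that decides whether a request continues, stops, or routes to ticket_only_fallback. The following is an added example, not the product's own code: the record layout, the sample records and the keys consent_authority_confirmed, access_expired, target_environment, production_write and change_approved are hypothetical.

```python
# Added example. Field names and the values cmp_config, customer_approved,
# blocked_until_explicit_authorization and ticket_only_fallback come from the
# page; the record layout and the keys marked (hypothetical) are assumptions.
CONTINUE, STOP, FALLBACK = "continue", "stop", "ticket_only_fallback"

def evaluate_request(req):
    """Return (decision, reasons) for one CMP/config access request."""
    stop, fallback = [], []
    scope = req.get("config_scope") or {}  # assumed keys: property, environment
    approved = bool(req.get("change_approved"))  # (hypothetical)

    # Unclear provider, property, environment or authority: fall back.
    if req.get("platform_access_mode") != "cmp_config":
        fallback.append("platform_access_mode is not cmp_config")
    if not req.get("cmp_provider"):
        fallback.append("unknown CMP")
    for key in ("property", "environment"):
        if not scope.get(key):
            fallback.append(f"config_scope has no {key}")
    if not req.get("consent_authority_confirmed"):  # (hypothetical)
        fallback.append("consent authority not confirmed")
    if req.get("access_expired"):  # (hypothetical)
        fallback.append("access expired")

    # Conditions the page treats as a hard stop.
    env = scope.get("environment")
    if env and req.get("target_environment") != env:  # (hypothetical)
        stop.append("target environment is outside config_scope")
    if req.get("production_write") and not approved:  # (hypothetical)
        stop.append("production write scope without customer approval")
    if req.get("publish_boundary") != "customer_approved":
        stop.append("publish_boundary is not customer_approved")
    blocked = req.get("configuration_changes") == "blocked_until_explicit_authorization"
    if not blocked and not approved:
        stop.append("configuration_changes unblocked without approval")
    if stop:
        return STOP, stop
    return (FALLBACK, fallback) if fallback else (CONTINUE, [])

# Constructed sample records, not taken from the product.
READY = {
    "platform_access_mode": "cmp_config", "cmp_provider": "example-cmp",
    "config_scope": {"property": "shop.example", "environment": "staging"},
    "target_environment": "staging", "consent_authority_confirmed": True,
    "configuration_changes": "blocked_until_explicit_authorization",
    "publish_boundary": "customer_approved",
}
UNKNOWN_CMP = {**READY, "cmp_provider": None}
UNAPPROVED_WRITE = {**READY, "production_write": True}
```

A stop reason takes precedence over a fallback reason, so a request with both an unknown provider and an unapproved production write is stopped rather than downgraded.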
Continue from CMP/config access
Continue to Access modes and required scopes when the customer needs to compare CMP/config access against GTM, CMS, Shopify or ticket-only fallback. Use Safe fallback paths when provider identity, consent authority, environment, production write approval or secret boundaries cannot be confirmed safely.

