GTM access

Before requesting GTM access

Use this page when a report finding may need Google Tag Manager container context for tracking, consent or tag remediation. GTM access should separate read-only review from publish requests so no tag or consent change goes live without explicit customer approval. Do not request publish permission as the default. Start with read_only_review where possible, and use ticket_only_fallback when container ownership, consent authority or publish boundaries are unclear.

Request scoped GTM container access

Follow the path `Report fix workflow → Platform access option → GTM container scope → Read-only review or publish request → Fallback or CMP config`.

1. Open /reports/{report} and review the automated fix workflow platform access options. Result: gtm_container appears only when the finding may need tag, consent or container context.
2. Choose the GTM access option for the customer-owned container. Result: platform_access_mode and gtm_scope identify read_only_review or write_publish_request boundaries.
3. Confirm the GTM account, container and workspace before requesting access. Result: gtm_container_id and gtm_access_status describe the exact container boundary.
4. Review connector_status, allowed_modes and read_only_status before sharing instructions. Result: read_only_review can inspect evidence and draft recommendations without publishing.
5. Keep write_publish_request blocked until explicit customer approval. Result: publish_boundary remains customer_approved and changes do not go live automatically.
6. Use ticket_only_fallback when wrong container, missing consent authority, publish scope or unsafe tags block access. Result: customer-applied GTM instructions continue without unsafe access.

Ready GTM states

Continue only when the product shows a scoped and customer-safe state.

• Read-only review ready means gtm_scope allows evidence review and recommendation drafting without publishing.
• Container matched means gtm_container_id and gtm_access_status point to the customer-owned GTM container tied to the report.
• Allowed modes clear means allowed_modes separates read_only_review from write_publish_request.
• Publish boundary set means write_publish_request stays blocked until explicit customer approval.
• Fallback available means ticket_only_fallback can carry customer-applied GTM instructions when connected access is unsafe.

Blocked or unsafe GTM states

Do not work around unsafe GTM access. Use fallback, CMP/config review or a narrower scope before requesting publish capability.

• Publish permission requested too early means reject the scope and start with read_only_review or ticket_only_fallback.
• Wrong container means stop and confirm the account, workspace and gtm_container_id before reviewing tags.
• Missing consent authority means continue to CMP and config access before recommending tag or consent changes.
• Unsafe tag change means keep the recommendation in review until the customer approves the exact publish action.
• Expired access means reconnect through the product flow or use Safe fallback paths.
• Secret boundary risk means use Revoke and no-secret boundaries before tokens, snippets or private tag values enter artifacts.

Continue from GTM access

Continue to CMP and config access when the next step depends on consent-platform configuration. Continue to Access modes and required scopes when the customer needs to compare GTM read-only review, publish request and ticket-only fallback. Use Safe fallback paths when container ownership, publish approval, consent authority or workspace access cannot be confirmed safely.