Connected access requirements

Before requesting connected access

Use this page only when a fix task needs connected remediation and ticket-only or customer-applied evidence is not enough. Connected access must be scoped to one project, one provider mode and one customer-approved purpose. Connected access is not a general credential request. It should describe what WebRiskOps can read, draft, request or verify without giving broad repository, CMS, Shopify, GTM or CMP control.

Confirm connected access requirements

Follow the path `Fix task → Connected access request → Scope review → Customer approval → Review-only or connected action`.

1. Open /reports/{report} or /fix-tasks/{fixTask} and confirm connected access is the supported delivery mode. Result: the task explains why ticket-only or customer-applied evidence is not enough.
2. Open /projects/{project} and review the project access area before requesting anything. Result: current access model, provider state and approval status are visible.
3. Choose only the provider and access type that matches the fix: repository branch, CMS theme, Shopify configuration, GTM container or CMP configuration. Result: unrelated systems stay outside scope.
4. Review requested scopes, read-only limits and write or publish boundaries before approval. Result: the customer sees exactly what WebRiskOps can read, draft or request.
5. Ask the customer or admin with the correct account role to approve the scoped request. Result: approval is attributable and tied to the project, provider and task.
6. Continue only when connected_access_status is granted or reviewable. Result: WebRiskOps can draft, review or request changes without broad credentials or hidden manual work.

Access-ready states

Continue only when the access state matches the requested action.

• Review-only ready means WebRiskOps can inspect context or draft guidance, but cannot publish or merge changes.
• Scoped write request ready means the customer can approve a specific PR, CMS, Shopify, GTM or CMP action without granting unrelated control.
• Connected access granted means provider, scope, approver and project are recorded together.
• Revocable access means the customer can stop the connection when the task no longer needs it.

Blocked or unsafe states

Do not request or use connected access when scope is unclear.

• Missing approval means continue with ticket-only fallback until the right account owner or admin approves.
• Too broad scope means reject the request and choose a narrower access mode.
• Unsupported provider means use ticket-only fallback instead of asking for another credential path.
• Expired or revoked access means reconnect with the same scoped process or use a safe fallback.
• Private network blocked means do not ask for secrets in chat, email or notes; use the supported platform access flow.

Continue to platform access

Continue with the related Access modes and required scopes page when the provider, scope or approval boundary is unclear. Use the related Safe fallback paths and Ticket-only fallback pages whenever connected access is unavailable, unsafe or wider than the task requires.