
# Integration Permissions

***

Kosmos uses read-only API connections to analyze your data. We never install code in your environment or modify your systems.

### Our Security Approach

**Zero-Install Architecture** Kosmos operates entirely outside your infrastructure. We connect via standard OAuth APIs—the same secure method used by thousands of enterprise integrations.

**Read-Only Access** We request only the minimum permissions needed to analyze your data. Kosmos cannot create, update, or delete records in your systems.

**No Code Deployment** Nothing is installed in your Salesforce org, Jira instance, GitHub repos, or GitLab instance. This means:

* No security reviews of deployed packages
* No impact on your system performance
* No maintenance burden on your team

***

### Permissions by Integration

#### Salesforce Service Cloud

**Setup Required:** Salesforce requires installing our managed package before connecting. See [Connecting Salesforce](/connecting-salesforce.md) for step-by-step instructions.

| Permission         | Why We Need It                                       |
| ------------------ | ---------------------------------------------------- |
| Read Cases         | Analyze incident and support ticket patterns         |
| Read Case Comments | Understand resolution context                        |
| Read Case History  | Reconstruct incident timelines                       |
| Read Incidents     | ITSM correlation (if Service Cloud Incident enabled) |
| Read Users         | Attribute incidents to teams                         |

**What we DON'T access:** Opportunities, financial data, custom objects (unless mapped), attachments, or files.

***

#### Jira

| Permission              | Why We Need It                            |
| ----------------------- | ----------------------------------------- |
| Read Issues             | Analyze bugs, incidents, and tasks        |
| Read Projects           | Understand team structure                 |
| Read Comments           | Context for root cause analysis           |
| Write Issues (optional) | Create follow-up tickets from RCA Reports |

**What we DON'T access:** Confluence pages, admin settings, user passwords, or billing information.

**Note:** Write access is only used when you explicitly click "Create Jira Ticket" from an RCA. Kosmos never creates tickets automatically.

***

#### GitHub

| Permission                   | Why We Need It                       |
| ---------------------------- | ------------------------------------ |
| Read Commits                 | Correlate deployments with incidents |
| Read Pull Requests           | Identify changes linked to issues    |
| Read Repositories (metadata) | Understand codebase structure        |

**What we DON'T access:** Source code contents, secrets, Actions logs, or admin settings.

***

#### Bitbucket

| Permission                   | Why We Need It                       |
| ---------------------------- | ------------------------------------ |
| Read Commits                 | Correlate deployments with incidents |
| Read Pull Requests           | Identify changes linked to issues    |
| Read Repositories (metadata) | Understand codebase structure        |

**What we DON'T access:** Source code contents, pipeline secrets, or admin settings.

***

#### GitLab

**Setup Guide:** See [Connecting GitLab](/connecting-gitlab.md) for step-by-step instructions.

Kosmos supports both GitLab.com and self-managed GitLab instances.

| Permission                   | Why We Need It                            |
| ---------------------------- | ----------------------------------------- |
| Read Issues                  | Analyze issues as signals for correlation |
| Read Merge Requests          | Identify changes linked to incidents      |
| Read Commits                 | Correlate deployments with incidents      |
| Read Pipelines               | Correlate pipeline runs with incidents    |
| Read Deployments             | Track deployment events tied to incidents |
| Read Repositories (metadata) | Understand project structure              |

**What we DON'T access:** Source code contents, secrets, CI/CD variables, or admin settings.

**Authentication:** OAuth 2.0. GitLab tokens expire every 2 hours; Kosmos refreshes them automatically in the background.

**Self-managed support:** You can connect a self-managed GitLab instance by providing your instance URL during setup. HTTPS is required; private IP addresses are not accepted.
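The two requirements above (HTTPS only, no private IP addresses) can be checked against an instance URL before setup. The sketch below is an added example, not Kosmos code: the function names, the injectable resolver and the sample DNS table are assumptions, and it goes beyond the stated rule by also rejecting loopback, link-local and other non-global addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed lookup table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "gitlab.example.com": ["8.8.8.8"],                  # public only
    "gitlab.corp.example": ["10.20.0.15"],              # RFC 1918 only
    "split.example.com": ["8.8.8.8", "192.168.1.10"],   # mixed answer
}

def sample_resolver(host, port):
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]

def system_resolver(host, port):  # real DNS lookup; needs network access
    return [i[4][0] for i in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

def is_public(addr):  # True only for globally routable addresses
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:          # ::ffff:10.0.0.5 -> 10.0.0.5
        ip = ip.ipv4_mapped
    return ip.is_global

def check_instance_url(url, resolver=system_resolver):
    """Return (ok, reason) for a self-managed instance URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "HTTPS is required"
    host = parts.hostname
    if not host:
        return False, "missing hostname"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup
    except ValueError:
        try:
            addrs = resolver(host, port)
        except OSError:
            return False, "hostname does not resolve"
    # Check every address: one private record in a mixed answer must fail.
    bad = [a for a in addrs if not is_public(a)]
    if bad or not addrs:
        return False, "non-public address: " + ", ".join(bad)
    return True, "ok"
```

A hostname can resolve differently later, so a service enforcing this rule has to repeat the check at connection time or pin the connection to the validated address.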

***

#### ServiceNow

| Permission           | Why We Need It                   |
| -------------------- | -------------------------------- |
| Read Incidents       | Analyze ITSM incident patterns   |
| Read Change Requests | Correlate changes with incidents |

**What we DON'T access:** CMDB data, knowledge articles, admin settings, or user credentials.

**Field Mapping:** After connecting, you can map your custom ServiceNow fields to Kosmos. This ensures RCAs include context from your organization's specific incident data.

**Sandbox Support:** You can connect a sandbox instance (dev/test/uat) for evaluation before granting production access.

***

#### Zendesk

| Permission         | Why We Need It                              |
| ------------------ | ------------------------------------------- |
| Read Tickets       | Analyze support ticket patterns             |
| Read Custom Fields | Include your organization's ticket metadata |

**What we DON'T access:** User passwords, billing information, admin settings, or Guide/Help Center content.

***

#### Pylon

| Permission               | Why We Need It                                   |
| ------------------------ | ------------------------------------------------ |
| Read Issues              | Analyze support issues and tasks                 |
| Read Messages (optional) | Include conversation context for deeper analysis |

**Authentication:** Pylon uses API key authentication. You provide your Pylon API key when connecting.

**What we DON'T access:** Internal notes marked private, billing data, or admin settings.

***

#### Azure DevOps

**Setup Guide:** See [Connecting Azure DevOps](/connecting-azure-devops.md) for step-by-step instructions.

Kosmos connects to Azure DevOps Boards to sync work items as signals for correlation.

| Permission               | Why We Need It                                        |
| ------------------------ | ----------------------------------------------------- |
| Read Work Items          | Analyze bugs, tasks, stories, and features as signals |
| Read Projects            | Understand project structure and filter by project    |
| Read Work Item Types     | Map work item states and priorities correctly         |
| Read Comments (optional) | Include work item context for deeper correlation      |
| Read Links (optional)    | Surface related work items in correlations            |

**What we DON'T access:** Repos, pipelines, test plans, artifacts, billing information, or admin settings.

**Authentication:** Microsoft Entra ID OAuth 2.0. Access tokens expire approximately every hour; Kosmos refreshes them automatically in the background.

***

#### OpenTelemetry (Preview)

**Setup Guide:** See [Connecting OpenTelemetry](/connecting-opentelemetry-preview.md) for step-by-step configuration instructions.

Kosmos can ingest OpenTelemetry data to correlate observability signals (traces, logs, metrics) with your incidents and deployments.

| Data Type | Why We Need It                          |
| --------- | --------------------------------------- |
| Traces    | Correlate service errors with incidents |
| Logs      | Identify error patterns and anomalies   |
| Metrics   | Detect performance degradation          |

**Authentication:** API key authentication. Generate a unique API key from Settings → Integrations → OpenTelemetry.

**Setup:** Configure your OpenTelemetry Collector to export to the Kosmos OTLP endpoint. Example configs are provided for Grafana Agent, Datadog Agent, and generic OTLP exporters.

**Preview Status:** This integration is in Preview. Core functionality is stable, but we're actively refining the experience based on customer feedback.

***

#### Slack / Microsoft Teams (Notifications)

| Permission    | Why We Need It                                            |
| ------------- | --------------------------------------------------------- |
| Post Messages | Send Risk Event and RCA alerts to your configured channel |

**What we DON'T access:** Message history, user data, private channels, or any channel other than the one you configure.

**Note:** Notification integrations are optional. You can use Kosmos without connecting Slack or Teams.

***

### Data Handling

* **Encryption:** All data encrypted in transit (TLS 1.3) and at rest (AES-256)
* **Retention:** Data retained only while your account is active
* **Location:** Hosted on Google Cloud Platform (US regions)
* **Compliance:** SOC 2 Type II in progress; DPA available upon request

### Revoking Access

You can disconnect any integration at any time from Settings → Integrations. Revoking access immediately stops data sync. To request data deletion, contact <support@kosmoslabs.ai>.

### Questions?

If your security team needs additional documentation, we're happy to provide:

* Security questionnaire responses
* Data Processing Agreement (DPA)
* Architecture diagrams

Contact your Kosmos team or email <security@kosmoslabs.ai>.

***

For a full overview of our infrastructure security, encryption, certifications, and SOC 2 path, see [Security Overview](/security-overview.md).


