Integration Reference
Complete setup documentation for every Tenurex integration. Each integration section covers the connection method, required permissions, which compliance controls are covered, and common troubleshooting scenarios.
All integrations use read-only access scopes. Tenurex never requests write permissions to any connected system.
Cloud Infrastructure
AWS
Tenurex connects to AWS using a cross-account IAM role with a read-only policy. This is the most secure connection method: no long-lived credentials are stored, and access can be revoked at any time by deleting the role. The role's trust policy should name only the Tenurex account as the principal and require an external ID, so that another Tenurex tenant cannot cause Tenurex to assume your role (the confused deputy problem).
Required IAM permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:GetTrailStatus",
        "cloudtrail:DescribeTrails",
        "cloudtrail:ListTrails",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:GetAccountPasswordPolicy",
        "iam:GenerateCredentialReport",
        "iam:GetCredentialReport",
        "config:DescribeConfigRules",
        "inspector2:ListFindings",
        "s3:GetBucketEncryption",
        "s3:GetBucketLogging",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
Controls covered: CC6.1, CC6.3, CC6.6, CC6.8, CC7.2, CC7.3, A.12.6.1, HIPAA §164.312(a)(1)
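To verify the read-only claim for yourself before attaching this policy, the following added check (example code written for this page, not Tenurex's own tooling) parses a policy document and flags any Allow grant that uses NotAction, contains a wildcard, or whose verb does not start with one of the non-mutating prefixes Get, List, Describe, Generate or Lookup. That verb allowlist is an assumption of the example, not an AWS-defined classification; the embedded policy is the one shown above.

```python
"""Flag non-read-only actions in an IAM policy document.

Added example for this page; not Tenurex's own code. The verb allowlist
below is an assumption of this check, not an AWS-defined classification.
"""
import json
from typing import Dict, List

# Verb prefixes of AWS API calls that do not mutate resources. AWS classifies
# iam:GenerateCredentialReport as a Read-level action even though it triggers
# report creation on the service side, so "Generate" is included.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Generate", "Lookup")

# The policy from the Tenurex AWS integration section above.
TENUREX_AWS_POLICY: Dict = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails", "cloudtrail:ListTrails",
        "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
        "iam:ListUsers", "iam:ListMFADevices", "iam:GetAccountPasswordPolicy",
        "iam:GenerateCredentialReport", "iam:GetCredentialReport",
        "config:DescribeConfigRules", "inspector2:ListFindings",
        "s3:GetBucketEncryption", "s3:GetBucketLogging", "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
""")


def allowed_actions(policy: Dict) -> List[str]:
    """Flatten the Action field of every Allow statement into one list."""
    actions: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions


def non_read_only_actions(policy: Dict) -> List[str]:
    """Return every grant that could allow a write.

    Flags: any Allow statement using NotAction (it grants everything except the
    listed actions), any action containing a wildcard, and any action whose
    verb does not start with one of READ_ONLY_VERBS.
    """
    flagged: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            flagged.append("NotAction:" + json.dumps(stmt["NotAction"]))
    for action in allowed_actions(policy):
        _service, _, verb = action.partition(":")
        if "*" in action or not verb.startswith(READ_ONLY_VERBS):
            flagged.append(action)
    return flagged


def is_read_only(policy: Dict) -> bool:
    """True when no grant in the policy is flagged by non_read_only_actions."""
    return not non_read_only_actions(policy)


if __name__ == "__main__":
    print("read-only:", is_read_only(TENUREX_AWS_POLICY))
    print("flagged:", non_read_only_actions(TENUREX_AWS_POLICY))
```

Run it against the policy you actually attach (for example the output of `aws iam get-policy-version`) rather than the copy in this document; the check is deliberately conservative, so an action it flags is one to look at, not necessarily a write.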
Google Cloud Platform
Tenurex uses a GCP service account with the built-in roles/viewer role plus specific audit logging and IAM review permissions. Generate a service account key in the GCP console and upload it during integration setup. Unlike the AWS cross-account role, the key is a long-lived credential: grant the service account nothing beyond the roles listed below, and delete the key in GCP if the integration is ever removed.
Required roles: roles/viewer, roles/logging.viewer, roles/iam.securityReviewer
Controls covered: CC6.1, CC6.3, CC7.2, A.9.4.1, A.12.6.1
Microsoft Azure
Tenurex connects via an Azure Active Directory (now Microsoft Entra ID) app registration with read-only Microsoft Graph and Azure RBAC permissions. Register an app in the Azure portal, grant the required API permissions (these require administrator consent), and enter the client ID and client secret during setup. Client secrets have an expiry date; record it so the integration can be re-authorized before it lapses.
Required permissions: Directory.Read.All, AuditLog.Read.All, Policy.Read.All
Controls covered: CC6.1, CC6.3, CC7.2, A.9.2.1, A.12.6.1
Identity & Access
Identity Provider (SCIM)
If your identity provider supports SCIM 2.0, Tenurex can connect directly to the SCIM endpoint using a SCIM API token. This provides the cleanest access to user provisioning and deprovisioning records.
Required: SCIM API token with read access to Users and Groups endpoints.
Controls covered: CC6.1, CC6.2, CC6.3, A.9.2.1, A.9.2.6, HIPAA §164.312(a)(2)(i)
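As an added example of what a collector does with the SCIM token (example code written for this page, not Tenurex's own), the block below pages through /Users using the startIndex, itemsPerPage and totalResults fields that SCIM 2.0 defines for a ListResponse, and extracts the deprovisioning evidence: which users are inactive and when their record was last modified. The HTTP request is replaced by an in-memory fake over constructed sample users so the block runs offline; a real collector would GET {base}/Users?startIndex=N&count=M with the bearer token and hand the JSON body to the same paging loop.

```python
"""Page through a SCIM 2.0 /Users endpoint and extract deprovisioning evidence.

Added example; not Tenurex's code. The HTTP request is replaced by an
in-memory fake over constructed sample users so the block runs offline. A real
collector would GET {base}/Users?startIndex=N&count=M with the SCIM bearer
token and feed the JSON body to collect_all().
"""
from typing import Callable, Dict, List, Tuple

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample directory; the names and dates are not real data.
SAMPLE_USERS: List[Dict] = [
    {"id": "u1", "userName": "alice@example.com", "active": True,
     "meta": {"created": "2023-01-10T00:00:00Z", "lastModified": "2023-01-10T00:00:00Z"}},
    {"id": "u2", "userName": "bob@example.com", "active": True,
     "meta": {"created": "2023-02-14T00:00:00Z", "lastModified": "2023-06-01T12:00:00Z"}},
    {"id": "u3", "userName": "mallory@example.com", "active": False,
     "meta": {"created": "2022-05-01T00:00:00Z", "lastModified": "2024-03-02T09:15:00Z"}},
    {"id": "u4", "userName": "carol@example.com", "active": True,
     "meta": {"created": "2024-01-08T00:00:00Z", "lastModified": "2024-01-08T00:00:00Z"}},
    {"id": "u5", "userName": "dave@example.com", "active": False,
     "meta": {"created": "2021-11-20T00:00:00Z", "lastModified": "2024-04-15T17:30:00Z"}},
]


def fake_scim_get(start_index: int, count: int) -> Dict:
    """Stand-in for GET /Users?startIndex=..&count=.. (startIndex is 1-based)."""
    page = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(SAMPLE_USERS),
            "startIndex": start_index, "itemsPerPage": len(page), "Resources": page}


def collect_all(get_page: Callable[[int, int], Dict], page_size: int = 100) -> List[Dict]:
    """Follow startIndex/itemsPerPage until totalResults is reached.

    Stops on an empty page even when totalResults says more remain; without
    that guard a server that returns itemsPerPage 0 before the end would leave
    start unchanged and this loop would never terminate.
    """
    users: List[Dict] = []
    start = 1
    while True:
        resp = get_page(start, page_size)
        if LIST_RESPONSE not in resp.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        page = resp.get("Resources", [])
        users.extend(page)
        got = resp.get("itemsPerPage", len(page))
        if not page or start + got > resp["totalResults"]:
            break
        start += got
    return users


def deprovisioned(users: List[Dict]) -> List[Tuple[str, str]]:
    """(userName, lastModified) for every inactive user, sorted by userName.

    SCIM's core schema has no "deactivated at" attribute; meta.lastModified is
    the closest thing to an offboarding timestamp it provides.
    """
    return sorted((u["userName"], u.get("meta", {}).get("lastModified", ""))
                  for u in users if not u.get("active", True))


if __name__ == "__main__":
    everyone = collect_all(fake_scim_get, page_size=2)
    print(len(everyone), "users; inactive:", deprovisioned(everyone))
```

The page size is deliberately small in the demo call so all three pages are exercised; against a real identity provider use the largest count the endpoint accepts, since each page is a separate authenticated request counted against any rate limit.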
Identity Provider (OIDC/OAuth)
For identity providers that don't support SCIM, Tenurex can connect via OAuth 2.0 with read-only scopes for user and group management.
Required OAuth scopes: openid, profile, email, read:users, read:groups
Source Control
GitHub
Tenurex connects to GitHub using a GitHub App installation with read-only repository permissions. Install the Tenurex GitHub App on your organization and select the repositories to include in evidence collection.
Required permissions: contents: read, actions: read, members: read, administration: read
Controls covered: CC8.1 (change management), A.14.2.2, A.14.2.7
GitLab
Tenurex connects to GitLab using a personal access token, project access token, or group access token with Reporter-level access. Group access tokens are recommended for organization-wide evidence collection: a personal access token inherits its owner's access and stops working when that account is deactivated, whereas a group token is owned by the group itself.
Required token scope: read_api, read_repository
Ticketing & Change Management
Jira
Tenurex connects to Jira using OAuth 2.0 (Jira Cloud) or an API token (Jira Server/Data Center). The integration reads issue data to verify change management workflows and risk assessment records.
Required Jira permission: Browse Projects on the relevant projects. No write permissions required.
Controls covered: CC8.1, A.12.1.2, A.14.2.2
HR Systems
HR system integrations provide employee lifecycle evidence — onboarding completion, security training acknowledgements, and offboarding confirmations.
Tenurex supports generic HRIS integration via webhook push (your HRIS system sends events to a Tenurex endpoint) or scheduled API pull if your HRIS provides a read-only API.
Setup instructions vary by HRIS provider. Contact [email protected] for a setup walkthrough for your specific HRIS.
Controls covered: CC1.4, CC6.3, A.7.1.1, A.7.3.1
Troubleshooting connection issues
If an integration shows as disconnected or collection runs are failing, check the following:
- Token expiration — OAuth tokens and some API tokens expire. Re-authorize the integration from the Integrations page.
- Permission scope changes — If someone reduced the permissions on a service account or OAuth app, the integration may fail for specific evidence types.
- Network egress restrictions — Tenurex collection endpoints use static IPs. If your systems restrict outbound connections, add Tenurex IPs to your allowlist. Contact us for the current IP range.
- Rate limiting — Some connected systems rate-limit API access. Tenurex implements exponential backoff, but very aggressive rate limits can cause collection delays rather than outright failures.
If none of the above resolve the issue, send the integration name and error message to [email protected].
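The following added example (written for this page; not Tenurex's implementation, which the page does not show) illustrates the retry behaviour a collector needs against a rate-limited API: it retries on a 429, honours a Retry-After value when the server sends one, otherwise waits an exponentially growing random delay, and gives up after a bounded number of attempts. The endpoint is a constructed fake, and Retry-After is assumed to arrive as a number of seconds.

```python
"""Retry a rate-limited API call with capped exponential backoff and jitter.

Added example; not Tenurex's implementation. Retry-After is assumed to be a
number of seconds (HTTP also allows an absolute date, which this does not
parse). The endpoint below is a constructed fake.
"""
import random
import time
from typing import Any, Callable, Dict, Optional


class RateLimited(Exception):
    """Raised by a client when the API answers 429 Too Many Requests."""

    def __init__(self, retry_after: Optional[float] = None) -> None:
        super().__init__("429 Too Many Requests")
        self.retry_after = retry_after


class GaveUp(Exception):
    """Raised when the call still fails after the last permitted attempt."""


def call_with_backoff(
    fn: Callable[[], Any],
    *,
    max_attempts: int = 6,
    base: float = 1.0,
    cap: float = 60.0,
    sleep: Callable[[float], None] = time.sleep,
    rand: Callable[[], float] = random.random,
) -> Any:
    """Call fn() until it returns, sleeping between RateLimited failures.

    A server-supplied Retry-After wins when present. Otherwise the delay is
    "full jitter": rand() * min(cap, base * 2**attempt), which spreads the
    retries of parallel collectors so they do not hit the limit again in
    lockstep. sleep and rand are injectable so the schedule can be tested.
    """
    for attempt in range(max_attempts):
        try:
            return fn()
        except RateLimited as exc:
            if attempt == max_attempts - 1:
                raise GaveUp(f"still rate limited after {max_attempts} attempts") from exc
            if exc.retry_after is not None:
                delay = exc.retry_after
            else:
                delay = rand() * min(cap, base * 2 ** attempt)
            sleep(delay)
    raise GaveUp("no attempts permitted")  # only reached when max_attempts <= 0


def flaky_endpoint(fail_times: int, retry_after: Optional[float] = None) -> Callable[[], Dict]:
    """Constructed stand-in for an API that returns 429 fail_times times, then succeeds."""
    calls = {"n": 0}

    def fn() -> Dict:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise RateLimited(retry_after)
        return {"ok": True, "calls": calls["n"]}

    return fn


def gives_up(fn: Callable[[], Any], **kwargs: Any) -> bool:
    """True if call_with_backoff exhausted its attempts on fn."""
    try:
        call_with_backoff(fn, **kwargs)
    except GaveUp:
        return True
    return False


if __name__ == "__main__":
    waited = []
    result = call_with_backoff(flaky_endpoint(3), sleep=waited.append)
    print(result, "delays:", waited)
```

A collector that retries forever turns a rate limit into a hung run; the bounded attempt count is what lets a persistent 429 surface as the "collection delay" the troubleshooting list describes instead of a silent stall.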