Access Risk Report

Created by Shubham Saxena, Modified on Wed, 20 Sep, 2023 at 8:48 AM by Shubham Saxena


Spendflo assigns an 'access risk' level to any application in your inventory that your users are accessing via OAuth (e.g. 'Sign in with Google', if you're using Google Workspace). You can find this access risk in the list view of your inventory, in the access risk report, and on individual application profiles.

Access risk is just one way of looking at the risk in your SaaS inventory and can help you make decisions about the apps Spendflo is discovering. For instance, an app that is predominantly for non-business use and that has high access risk might be something you want to address.

The Access Risk Report holds significant importance, as it provides a clear overview of apps and their associated permission levels. It effectively identifies apps with low or no risk as well as those carrying a high access risk. This metric is of utmost importance for information security teams tasked with upholding their organization's security standards.

How we're defining risk

Our access risk grading is based on OAuth Scopes, i.e. the permissions your users are granting to third party apps. Google and Microsoft support hundreds of OAuth Scopes, ranging from basic, low risk permissions that grant the user access to an app, through to permissions that give a third party app complete access to a user’s email account or cloud file storage.

Google’s sensitive OAuth Scope list 

Google flags 46 OAuth Scopes as being sensitive and requires vendors of apps using these scopes to undergo additional verification when registering for Google Sign-in. Our ‘high risk’ category is based on these sensitive scopes, i.e. any app using any one of these scopes is categorised as high risk.

Occasionally an app might provide multiple routes of access via OAuth, for example a simple login versus an add-on that integrates data from a Google Sheet. One route of access may be categorised as low risk and the other as high risk. In this situation, if any single user has authenticated with the high risk scopes, the whole app is categorised as high risk.

There isn't a direct equivalent for Microsoft's OAuth scopes. To grade access risk for Azure AD based OAuth we've mapped Google's sensitive scopes list to Microsoft's.
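
The grading rule described above, as an added example that is not Spendflo's code: an app is high risk as soon as any one user has granted it any one sensitive scope. The scope set is a placeholder subset assumed for illustration (not Google's or Spendflo's list), and the grants, user names, app names and the grade_apps function are constructed.

```python
from collections import defaultdict

# ASSUMPTION: placeholder subset standing in for the sensitive-scope list the
# article refers to; it is not Google's or Spendflo's actual list.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
}

# Constructed sample grants: (user, app, scopes granted through OAuth).
# Scopes may arrive as a list or as one space-delimited string.
SAMPLE_GRANTS = [
    ("ana@example.com", "SheetSync", ["openid", "email"]),
    ("raj@example.com", "SheetSync",
     ["openid", "https://www.googleapis.com/auth/drive"]),
    ("ana@example.com", "NotesApp", ["openid", "profile"]),
    ("li@example.com", "NotesApp", "openid email profile"),
]


def grade_apps(grants, sensitive=SENSITIVE_SCOPES):
    """Return {app: {"risk", "users", "evidence"}} for a list of grants."""
    report = defaultdict(
        lambda: {"risk": "low", "users": set(), "evidence": {}})
    for user, app, scopes in grants:
        if isinstance(scopes, str):
            scopes = scopes.split()  # OAuth scope strings are space-delimited
        entry = report[app]
        entry["users"].add(user)
        hits = {s.strip() for s in scopes} & sensitive
        if hits:
            # One user on the high risk route grades the whole app high risk.
            entry["risk"] = "high"
            # Keep who granted what, so the grade can be reviewed per user.
            entry["evidence"].setdefault(user, set()).update(hits)
    return dict(report)


if __name__ == "__main__":
    for app, entry in sorted(grade_apps(SAMPLE_GRANTS).items()):
        print(app, entry["risk"], len(entry["users"]), entry["evidence"])
```

The evidence map shows which user and which scope caused a high grade, which is the detail needed when deciding whose grant to review or revoke.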

Steps to get Access Risk Report

To get the report, follow the steps below.

1. Open the Reports tab from the Navigation menu

2. Once you've landed on the Reports page, the initial screen that appears will be the Buying Hub Reports. The navigation menu for accessing different reports is located on the left side of the screen. Navigate to the Management Hub section. Locate and click on Access Risk.

3. Once you click on Access Risk, you'll see the report populated. Here all your SaaS apps are listed with details of their user count, access risk, classification and permissions. You can scroll horizontally and vertically to view more details.

4. You also have the option to click on the report name to expand and view it in full screen. 

When in expanded mode, you can export the report by clicking on the download icon and selecting your preferred download format. Your download will be prepared promptly.


In this report you can sort the table by clicking on a column's name, so you can order the list alphabetically by app, by access risk type, by user count, etc.
