We perform only read-only operations on connected orgs:
Due to the way metadata list/retrieve permissions work in Salesforce, we do require the Modify Metadata permission, because there is no read-only equivalent to that permission.
We will never modify client data or metadata.
For the REST calls, we never retrieve transactional data from objects; we only run what are called aggregate count queries. These queries simply return a number representing a count of records. We use this to get record counts by object, and to count empty fields in order to identify field utilization percentages. If a scanning user does not have Create/Read/Update/Delete (CRUD) or Field Level Security (FLS) permissions on certain objects and fields, we cannot report on them.
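As an added illustration (not the vendor's own code), the following shows how such aggregate count queries can be composed and turned into a field utilization percentage, with the CRUD/FLS case handled by reporting nothing. The `run_query` callable, the sample counts and the object and field names are assumptions; the stand-in mimics the JSON shape Salesforce returns for `SELECT COUNT()`, where the number lives in `totalSize` and `records` stays empty.

```python
from typing import Callable, Optional

# Constructed offline stand-in for the REST query endpoint (assumption: a real
# caller would issue the HTTP GET and return the parsed JSON body). Note that a
# SELECT COUNT() response carries no records at all, only the total.
SAMPLE_RESPONSES = {
    "SELECT COUNT() FROM Account":
        {"totalSize": 1200, "done": True, "records": []},
    "SELECT COUNT() FROM Account WHERE Industry = null":
        {"totalSize": 300, "done": True, "records": []},
}


def fake_run_query(soql: str) -> dict:
    """Offline query runner. Any query not in the sample set stands in for an
    object or field the scanning user lacks CRUD/FLS on, which Salesforce
    rejects instead of answering."""
    if soql not in SAMPLE_RESPONSES:
        raise PermissionError(f"no CRUD/FLS for query: {soql}")
    return SAMPLE_RESPONSES[soql]


def count_query(obj: str, where: Optional[str] = None) -> str:
    """Build an aggregate count query; it never selects field values."""
    base = f"SELECT COUNT() FROM {obj}"
    return f"{base} WHERE {where}" if where else base


def field_utilization(obj: str, field: str,
                      run_query: Callable[[str], dict]) -> Optional[float]:
    """Percentage of records with `field` populated, derived from two counts.
    Returns None when the object/field cannot be queried (missing CRUD/FLS)
    or when the object holds no records, so nothing is reported for it."""
    try:
        total = run_query(count_query(obj))["totalSize"]
        empty = run_query(count_query(obj, f"{field} = null"))["totalSize"]
    except PermissionError:
        return None
    if total == 0:
        return None
    return round(100.0 * (total - empty) / total, 1)


if __name__ == "__main__":
    print(field_utilization("Account", "Industry", fake_run_query))  # 75.0
    print(field_utilization("Account", "Secret__c", fake_run_query))  # None
```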