Configuration

Connectors

Per-integration configuration — authorization, discovery scope, classification behavior, egress rules.

Connectors are how Lattix participates in the data flows of systems your organization already runs. Each connector is configured individually in the Mesh Dashboard. See Products → Connectors for the list of currently supported integrations.

Per-connector configuration

Each connector exposes a consistent set of settings:

Authorization

OAuth grant. A tenant administrator authorizes the connector against the source system. The grant is scoped to the minimum permissions the connector requires — typically read-access to metadata, read-access to content for objects within the configured discovery scope, and write-access for classification tagging.

Service account. Where OAuth user grants are not appropriate, connectors can use source-system service accounts or application credentials. The trade-offs — stability vs. personal attribution — should be discussed with your account team and with your source-system administrators.

Revocation. Revoking the grant at the source system is the authoritative way to disconnect the connector. Disabling it in the Mesh Dashboard is a softer operation; disabling and revoking together is the complete disconnect.

Discovery scope

Most source systems have more data than needs to be brought under Lattix's protection. The discovery scope narrows what the connector sees:

  • Sites, drives, or spaces. Enumerate the specific collections the connector can access.
  • Folder paths. Within collections, narrow to specific paths. Useful for making a connector responsible for, say, the /Confidential folder tree but not the entire SharePoint site.
  • File type filters. Restrict to specific MIME types. A connector responsible for documents might exclude media files.
  • Size limits. Skip objects above a configurable size, typically to keep ingestion predictable.

Changes to discovery scope are visible immediately — the connector recomputes its view on the next sync cycle and the dashboard shows the new object count.
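To make the four scope controls concrete, here is an added example (not Lattix code or its configuration format) that evaluates objects against a scope and shows why folder paths should be normalized and matched on a segment boundary. The `DiscoveryScope` model, the collection names and the sample objects are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from posixpath import normpath

DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

@dataclass(frozen=True)
class DiscoveryScope:        # hypothetical model, not the product's schema
    collections: frozenset   # sites, drives, or spaces the connector may see
    path_prefixes: tuple     # folder trees inside those collections
    mime_types: frozenset    # file type filter
    max_bytes: int           # size limit

def in_scope(scope, collection, path, mime, size):
    """Return (decision, reason) for one source object."""
    if collection not in scope.collections:
        return False, "collection not enumerated"
    # Normalise first so "..", "." and doubled slashes cannot disguise a path.
    clean = normpath("/" + path.lstrip("/"))
    # Compare on a segment boundary: /Confidential must not also admit
    # /Confidential-archive. Matching is case-sensitive here (assumption).
    if not any(clean == p.rstrip("/") or clean.startswith(p.rstrip("/") + "/")
               for p in scope.path_prefixes):
        return False, "path outside configured folder tree"
    if mime.lower() not in scope.mime_types:
        return False, "MIME type filtered"
    if size > scope.max_bytes:
        return False, "object exceeds size limit"
    return True, "in scope"

SCOPE = DiscoveryScope(frozenset({"site-legal"}), ("/Confidential",),
                       frozenset({DOCX, "application/pdf"}), 100 * 1024 * 1024)

# Constructed sample objects: (collection, path, MIME type, size in bytes).
SAMPLE = [
    ("site-legal", "/Confidential/contracts/msa.docx", DOCX, 48_000),
    ("site-legal", "/Confidential-archive/old.docx", DOCX, 48_000),
    ("site-legal", "/Confidential/../HR/salaries.docx", DOCX, 48_000),
    ("site-legal", "/Confidential/town-hall.mp4", "video/mp4", 9_000_000),
    ("site-legal", "/Confidential/scan.pdf", "application/pdf", 300_000_000),
    ("site-marketing", "/Confidential/plan.docx", DOCX, 48_000),
]

def audit(scope, objects):
    """Evaluate every object and return (path, decision, reason) rows."""
    return [(o[1], *in_scope(scope, *o)) for o in objects]

if __name__ == "__main__":
    for row in audit(SCOPE, SAMPLE):
        print(row)
```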

Classification behavior

How the connector applies tags to objects it ingests:

  • Inherit from source context. Use the source location, the source author, and any existing source metadata to derive default tags. A document in /Legal/Contracts/ might inherit business-domain=legal automatically.
  • Run automated classification. Pass objects through the tenant's configured automated classifier. Useful when the source doesn't carry enough context for a reliable default.
  • Require author confirmation. Ingest objects as pending-classification. They are visible in the dashboard but cannot be shared or referenced by policies until an authorized principal applies final tags.
  • Hybrid. Apply a default from source context, and flag the object for review if the automated classifier disagrees.

The right mode depends on the source. For a well-organized SharePoint site where folder structure already reflects classification, inheritance is reliable. For an ad-hoc shared Drive with uncertain authorship, require confirmation.

Sync cadence

Real-time where the source supports webhooks. Changes in the source trigger connector actions within seconds.

Periodic where the source doesn't support webhooks. The connector reconciles on a configurable schedule — hourly, every few hours, daily.

Faster sync means faster detection of new content and of classification drift. Slower sync means less load on the source system's API quotas. Choose based on the source system's characteristics.

Egress policy

By default, data ingested through a connector is subject to the tenant's baseline egress policy. Per-connector overrides let a tenant:

  • Permit or forbid egress of objects ingested by this connector to specific destinations.
  • Require additional reviewer approval for cross-boundary shares of objects from this connector.
  • Enforce that objects ingested from a regulated-data source never leave a specified region.

Egress policies are attribute-based like any other policy; the connector's identity becomes a source attribute that policies can reference.
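The following added example (not Lattix's policy language or engine) sketches how per-connector overrides can be evaluated with the connector identity as the source attribute. The `Override` model, the precedence order (region pin, then forbid, then permit, then baseline), the reading of "cross-boundary" as a different destination tenant, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Override:                          # hypothetical per-connector override
    permit: frozenset = frozenset()      # destinations explicitly permitted
    forbid: frozenset = frozenset()      # destinations explicitly forbidden
    pinned_region: Optional[str] = None  # objects must stay in this region
    review_cross_boundary: bool = False  # extra reviewer approval required

def baseline_allows(dest):
    """Constructed tenant baseline: egress only to the tenant's own systems."""
    return dest["tenant"] == "acme"

def decide(obj, dest, overrides, baseline=baseline_allows):
    """Return 'deny', 'review' or 'allow' for sharing obj with dest.

    obj["connector"] is the source attribute the override is keyed on.
    """
    ov = overrides.get(obj["connector"])
    if ov is None:                       # no override: baseline only
        return "allow" if baseline(dest) else "deny"
    # Assumed precedence: region pin, then forbid, then permit, then baseline.
    if ov.pinned_region and dest["region"] != ov.pinned_region:
        return "deny"
    if dest["name"] in ov.forbid:
        return "deny"
    if dest["name"] not in ov.permit and not baseline(dest):
        return "deny"
    if ov.review_cross_boundary and dest["tenant"] != obj["tenant"]:
        return "review"
    return "allow"

# Constructed overrides and destinations.
OVERRIDES = {
    "sharepoint-legal": Override(permit=frozenset({"outside-counsel"}),
                                 forbid=frozenset({"public-link"}),
                                 pinned_region="eu-west",
                                 review_cross_boundary=True),
    "drive-marketing": Override(permit=frozenset({"agency-portal"})),
}
DESTS = {
    "wiki": {"name": "internal-wiki", "region": "eu-west", "tenant": "acme"},
    "link": {"name": "public-link", "region": "eu-west", "tenant": "acme"},
    "counsel": {"name": "outside-counsel", "region": "eu-west", "tenant": "lawfirm"},
    "agency": {"name": "agency-portal", "region": "us-east", "tenant": "agency"},
}

def demo(connector):
    """Decisions for one connector's object against every sample destination."""
    obj = {"connector": connector, "tenant": "acme"}
    return {k: decide(obj, d, OVERRIDES) for k, d in DESTS.items()}
```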

Operational monitoring

For each connector the dashboard surfaces:

  • Health. Whether the OAuth grant is still valid, whether the last sync succeeded, whether there are any authorization errors.
  • Volume. Objects ingested per period, size totals, failed ingests by reason.
  • Classification outcomes. How many objects were auto-classified, how many required review, how many are still pending.
  • Access events. Decisions (allow/deny) on connector-ingested objects, highlighting any patterns of denied access that may indicate misconfigured discovery scope or tagging.

Troubleshooting connector issues

When a connector stops ingesting, the cause is almost always one of the following:

  • Authorization expired. Re-authorize at the source.
  • Scope changed. The source-system administrator changed the location or permissions of the configured scope.
  • Rate-limited. The connector is hitting source-system API quotas; reduce sync frequency or narrow scope.
  • Policy change. A new tenant policy is denying ingestion of some objects; review recent policy changes.

The dashboard presents the most recent error from the source system verbatim, plus the connector's last successful operation timestamp.

Relationship to products and concepts