Companies working to modernize their identity and access management (IAM) processes and improve identity security often run up against a common and frustrating reality: a lot of critical identity and access data lives in systems that aren’t easily integrated with identity solutions.
This is especially true for larger enterprises operating a hybrid mix of new and legacy applications—the natural result of expansion, evolving technologies, limited budgets, M&A activity, and more.
We recently ran headfirst into this challenge while helping one of our enterprise customers transfer their systems from a legacy IGA provider over to ConductorOne. The customer had dozens of internal applications running on Oracle databases. These systems contained business-critical identity and access data, but they lacked APIs, which would have offered a clear integration path.
We could have opted to build a custom connector for each of the apps, but the time and effort this would have demanded runs counter to what we consider a core tenet of modern identity security: swift integration with any system. We knew we could do better and set out to find a more efficient, scalable solution for extracting identity data buried in SQL tables.
The result is Baton-SQL, an innovative generic connector that pulls identity and access data directly from relational databases and the apps running on them, no APIs or custom code required.
The problem: siloed data and no standard protocol
Our customer’s database integration challenge is part of a larger data problem plaguing identity security. To secure workforce identity, companies must be able to centralize identity and access data from across their environment. But there are thousands of SaaS, IaaS, and PaaS providers, not to mention legacy on-prem and custom-built applications—and the authorization and identity layer for every one of these apps is unique.
When we designed ConductorOne, we knew the platform needed to bridge this identity data protocol divide so it could connect to any technology, anywhere. We took a new approach to integration, creating a powerful connector ecosystem called Baton that serves as the foundational layer connecting ConductorOne to any application.
Baton is both an SDK and our platform’s connective tissue, creating a unified view of all identity, resource, and access data and orchestrating access changes for connected applications. We use the Baton SDK to write both API-based and non-API-based connectors that can be hosted in ConductorOne’s platform, in a customer’s private cloud, or alongside on-prem apps.
Because we built Baton to serve as a standard protocol for identity data ingestion and orchestration, we opted to make the project open source—so the security engineering community at large could take advantage of the Baton framework to accomplish their identity security and governance goals, regardless of whether or not they use ConductorOne.
The next step: Baton-SQL
We now have hundreds of ready-to-deploy connectors built using the Baton SDK. However, the majority of these connectors are API-driven, written for applications with public, well-documented APIs.
Like most of the enterprise customers we work with, many companies run homegrown internal and legacy applications that have no public APIs, or no APIs at all. The Baton SDK enables us to write custom connectors for these apps, but we’re always looking for additional ways to empower our customers to integrate their systems with minimal effort and time investment.
So we created Baton-SQL, a general-purpose connector that allows security and IT teams to extract identity and access data directly from any SQL database and map it to Baton’s schema. There’s no need to write or maintain code—anyone familiar with an application’s schema and basic SQL can quickly build a Baton-SQL connector.
With Baton-SQL, we can now provide a connector that’s easily configured to integrate any number of apps. No waiting for developers. No rigid integration parameters that limit connectivity or functionality.
How it works
The core innovation lies in Baton-SQL’s configuration-driven approach. Instead of requiring custom code, everything is defined using YAML and CEL (Common Expression Language). SQL queries are defined to extract resource (user, group, role), entitlement, and grant data, and the results are then transformed using CEL expressions to fit the Baton schema. This approach puts the power in the hands of those who understand an app’s data structure, giving them precise control over the integration logic.
Baton-SQL runs in read-only mode by default, but provisioning can be enabled where needed by defining the provisioning sections in the configuration. In practice, our customers typically run Baton-SQL connectors locally in secure environments. However, the connectors can be run however best suits a customer’s needs and environment.
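To make the configuration-driven approach concrete, here is an added example that is not Baton-SQL’s own code and does not use its real YAML or CEL syntax. It reproduces the pattern the two paragraphs above describe: one SQL query per resource type plus a grants query, each paired with a mapping from row columns into a uniform schema of resources, entitlements, and grants, with provisioning refused unless the configuration opts in. The table names, sample rows, and the CONFIG layout are constructed for the demo; an in-memory SQLite database stands in for Oracle or PostgreSQL, and plain Python callables stand in for CEL expressions.

```python
"""Illustrative, configuration-driven SQL-to-identity extractor.

Added example, not Baton-SQL's code or config format. It mirrors the approach
the post describes: per-resource-type SQL queries whose rows are mapped into a
uniform schema of resources, entitlements and grants, with provisioning
disabled unless the config opts in. Table names, sample rows and the CONFIG
layout are constructed; Python callables stand in for CEL expressions.
"""
import sqlite3

# Constructed sample schema standing in for a legacy app's tables.
SAMPLE_SCHEMA = """
CREATE TABLE app_users (usr_id INTEGER, login TEXT, email TEXT, active INTEGER);
CREATE TABLE app_roles (role_id INTEGER, role_name TEXT);
CREATE TABLE app_user_roles (usr_id INTEGER, role_id INTEGER);
INSERT INTO app_users VALUES (1, 'alice', 'Alice@example.test', 1),
                             (2, 'bob',   'bob@example.test',   1),
                             (3, 'carol', 'carol@example.test', 0);
INSERT INTO app_roles VALUES (10, 'ADMIN'), (20, 'REPORT_VIEWER');
INSERT INTO app_user_roles VALUES (1, 10), (1, 20), (2, 20), (3, 10);
"""

# Hypothetical YAML-like config: one query per resource type plus a grants
# query, each with a mapping from row columns to the connector's schema.
# There is no "provisioning" section, so the connector stays read-only.
CONFIG = {
    "resource_types": {
        "user": {
            "query": "SELECT usr_id, login, email, active FROM app_users ORDER BY usr_id",
            "map": {
                "id": lambda r: f"user:{r['usr_id']}",
                "display_name": lambda r: r["login"],
                "email": lambda r: r["email"].lower(),
                "status": lambda r: "enabled" if r["active"] == 1 else "disabled",
            },
        },
        "role": {
            "query": "SELECT role_id, role_name FROM app_roles ORDER BY role_id",
            "map": {
                "id": lambda r: f"role:{r['role_id']}",
                "display_name": lambda r: r["role_name"].title().replace("_", " "),
            },
            # Each role exposes one entitlement: membership in that role.
            "entitlements": [{"slug": "member"}],
        },
    },
    "grants": {
        "query": "SELECT usr_id, role_id FROM app_user_roles ORDER BY usr_id, role_id",
        "map": {
            "principal": lambda r: f"user:{r['usr_id']}",
            "resource": lambda r: f"role:{r['role_id']}",
            "entitlement": lambda r: "member",
        },
    },
}


def open_sample_db():
    """In-memory SQLite standing in for the customer's Oracle/PostgreSQL/etc."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def run_mapped_query(conn, spec):
    """Execute spec['query'] and apply every spec['map'] expression to each row."""
    rows = conn.execute(spec["query"]).fetchall()
    return [{field: fn(row) for field, fn in spec["map"].items()} for row in rows]


def sync(conn, config):
    """Produce the unified view: resources, entitlements and grants."""
    resources, entitlements = {}, []
    for rtype, spec in config["resource_types"].items():
        items = run_mapped_query(conn, spec)
        resources[rtype] = items
        for ent in spec.get("entitlements", []):
            for item in items:
                entitlements.append({"resource": item["id"], "slug": ent["slug"]})
    grants = run_mapped_query(conn, config["grants"])
    # Integrity check: a grant must point at an entitlement we actually listed,
    # otherwise a mapping mistake would silently hide or misattribute access.
    known = {(e["resource"], e["slug"]) for e in entitlements}
    for g in grants:
        if (g["resource"], g["entitlement"]) not in known:
            raise ValueError(f"grant references unknown entitlement: {g}")
    return {"resources": resources, "entitlements": entitlements, "grants": grants}


def grant(conn, config, principal, resource, entitlement):
    """Provisioning is refused unless the config opts in (read-only by default)."""
    if "provisioning" not in config:
        raise PermissionError("connector is read-only: no provisioning section")
    config["provisioning"]["grant"](conn, principal, resource, entitlement)


if __name__ == "__main__":
    view = sync(open_sample_db(), CONFIG)
    for g in view["grants"]:
        print(f"{g['principal']} -> {g['resource']}#{g['entitlement']}")
```

The integrity check in `sync` is the part worth keeping in mind when writing real mappings: a grants query that joins on the wrong column still returns rows, so the connector should fail loudly when a grant references a resource or entitlement it never listed rather than report a partial access picture.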
Baton-SQL supports major SQL databases out of the box, including Oracle, MySQL / MariaDB, SQL Server, and PostgreSQL. So whether data lives in a legacy Oracle system, a modern PostgreSQL deployment, or something in between, if it’s queryable, it can be integrated.
The ConductorOne customer whose Oracle databases inspired Baton-SQL’s creation now runs over 20 Baton-SQL configurations: one for each of their internal database apps, and another for managing access to the Oracle databases themselves. Each connector is tailored to a unique app’s schema but uses the same underlying Baton-SQL engine. Because Baton-SQL is entirely configuration-based, the customer’s DBAs were able to build and maintain the integrations themselves—there was no need to involve application developers.
Baton-SQL effectively turns any database into an integration point, bridging the API gap to bring previously inaccessible identity data into scope. For companies, this means enhanced visibility, improved governance, and reduced risk. As enterprises continue to grapple with the complexity of hybrid environments, tools like Baton-SQL that simplify and improve integration will be essential for ensuring comprehensive identity governance and securing the modern workforce.
Like other connectors built on the open-source Baton framework, Baton-SQL is now available to the community on GitHub, complete with sample configurations, documentation, and examples. See below for how to get started with it. And we welcome feedback, contributions, and community input. If you build something interesting with Baton-SQL, we’d love to hear about it!
Getting started with Baton-SQL
Baton-SQL is open source and ready to use today.
Repository: https://github.com/conductorone/baton-sql
The repo includes:
Sample configurations for common apps (e.g., WordPress)
Documentation on supported resource types
Examples of query mapping and CEL transformations
To get started, write a configuration file, point it at your database, and run the connector. You’ll see your users, roles, entitlements, and grants listed, just like any other integration.