See how Ramp uses ConductorOne
ConductorOne

Baton Docs

Welcome to Baton

Welcome to Baton by ConductorOne, an open-source project. In this guide you will find all the basic information for working with the Baton project, which includes a CLI, connectors for popular SaaS and IaaS apps, and an SDK for using Baton with any application.

What is Baton by ConductorOne?

Baton comprises three major components:

The Baton CLI: a command line interface that provides a set of commands to extract, compare, and explore identity, resource, and permission data in an app.

The Baton SDK: a toolkit that makes building a connector for any application seamless. These connectors generate data that the CLI consumes and/or they can connect directly to ConductorOne.

Baton connectors: these pre-built and supported integrations work with common SaaS and IaaS apps to sync identity and permission data.

As a toolkit, Baton allows you to easily gain unified visibility into all identity, resource, and permission data in an application and to create workflows that manage identity and access.

Why did ConductorOne build Baton?

ConductorOne is an identity security company that helps companies automate user access control and governance. Our software provides real-time visibility into all accounts in your Saas, IaaS, on-prem, and HR environments and allows customers to automate access control on users, groups, roles, and permissions.

ConductorOne uses Baton as the integration layer to connect our control plane to any application. This unified interface means that ConductorOne can work with any app, regardless of whether that app has modern APIs and/or where it is deployed (on prem or cloud). Baton, as an interface, creates a connective layer and unified view of all identity, resource, and access data within an application, and allows ConductorOne to execute workflows against those applications (such as just in time provisioning, visibility into identities, user access reviews, and more). The Baton SDK allows ConductorOne to connect to any application, even if ConductorOne does not maintain a native connector for that app.

Why did ConductorOne open source Baton?

ConductorOne open sourced the Baton project because:

  • There are a lot of hacky Python scripts out there doing the same thing: extracting and munging identity and access data.
  • Every app has a bespoke identity and authorization management scheme, but the world needs a unified interface for orchestrating access control.
  • We wanted to give back to the security engineering community by providing a valuable tool that can help users accomplish their identity security or governance project goals.

We have been building connectors to orchestrate identity and access control for more than two years. The initial launch of Baton includes a handful of those apps (Github, Amazon Web Services, Okta, MySQL, and PostgreSQL), but we will be steadily releasing more from our private repos over time.

How do I start using Baton?

There are two ways to work with Baton:

The Baton command-line interface (CLI): the CLI allows you to work with data extracted from a Baton integration. For example, after syncing data from GitHub using the baton-github connector, you can use the Baton CLI to query all of the GitHub repo admins in an org.

The Baton software development kit (SDK): use the SDK to create a connector for ANY application or technology. Once implemented, the connector can be used for gaining visibility into identity and authorization data and for managing access in the app.

Let’s take a look at both options:

Use the Command Line Interface

The Baton CLI allows you to interface with data extracted from a Baton connector.

This is what the CLI looks like:

baton is a utility for working with the output of a baton-based connector

Usage:
  baton [command]

Available Commands:
  access         List effective access for a user
  completion     Generate the autocompletion script for the specified shell
  diff           Perform a diff between sync runs
  entitlements   List entitlements
  export         Export data from the C1Z for upload
  grants         List grants
  help           Help about any command
  principals     List principals
  resource-types List resource types for the latest (or current) sync
  resources      List resources for the latest sync
  stats          Simple stats about the c1z

Flags:
  -f, --file string            The path to the c1z file to work with. (default "sync.c1z")
  -h, --help                   help for baton
  -o, --output-format string   The format to output results in: (console, json) (default "console")
  -v, --version                version for baton

Use "baton [command] --help" for more information about a command.

Implement the Baton SDK to create a connector for your app

The Baton SDK can be implemented to support any application or technology. By using the Baton SDK, you create a unified interface that the Baton CLI can interface with and/or you can connect the app directly to ConductorOne to use with our modern governance and access management control plane. The SDK can be implemented to support backoffice portals, homegrown apps, legacy on-prem systems, and SaaS tools that aren’t supported by ConductorOne.

What’s next?

We have two guides that explain how to use the Baton CLI and how to integrate the SDK into your application:

Or see the list of the open-source connectors we’ve built with Baton:

But it doesn’t stop there! Check out our Baton tutorials for practical examples of Baton in action: