Diff access rights from two SaaS systems with Baton
After reading this guide, you will be able to:
- Understand how to set up the Baton connectors
- Understand how the
- Understand how to compare access rights between two GitHub organizations
Before you start
Before you begin, make sure you have everything set up from the list below:
- GitHub account
Part one: Set up the Baton SDK
Use this command to install the Baton SDK and the Baton GitHub connector:
$ brew install conductorone/baton/baton conductorone/baton/baton-github
If you don’t have Homebrew installed yet, follow this guide.
Check the baton utility by using this command:
$ baton --help
After running baton --help, you will see a console listing all available commands. You can find a list of all the commands in our getting started guide, where we explain them in detail.
Now you have the Baton SDK ready to use. It’s time to show you how to use baton-github to create a c1z file. c1z files contain all of the information that the connector has collected as part of a synchronization process. Using the Baton CLI, you can browse the contents of the sync.c1z file and export that data to a .csv or .xlsx file.
Part two: Connect GitHub connector and run comparison
The GitHub connector allows you to manage access rights for all users across all repositories. Setting up the connector is very simple, so let’s take a look at how to do it.
Create a new GitHub Personal Access Token with the following permissions:
| Area | Scope of access |
| --- | --- |
| repo | All |
| admin:org | All |
| user | All |
Create a new file called github-compare.sh.
Insert this code into the github-compare.sh file:
#!/bin/bash
set -e

# Set your tokens here! (keep this file out of version control once the token is filled in)
BATON_TOKEN="<your GitHub token>"
ORG1="<github org 1>"
ORG2="<github org 2>"

# Set what you want to compare between the 2 apps
entitlementId="team" # org/team/repository
entitlementName="<name of your team>" # display name of the entitlement (e.g. name of a team)
entitlementType="member" # type of a permission (admin/maintainer/member)

# Set the output filenames
now=$(date +"%Y%m%d%H%M%S")
c1zFileSaaS1="baton-saas1-comparison.c1z"
c1zFileSaaS2="baton-saas2-comparison.c1z"

# Run sync to produce c1z for 1st SaaS
BATON_TOKEN="$BATON_TOKEN" baton-github --orgs "$ORG1" -f "$c1zFileSaaS1"

# Run sync to produce c1z for 2nd SaaS
BATON_TOKEN="$BATON_TOKEN" baton-github --orgs "$ORG2" -f "$c1zFileSaaS2"

# jq filter: first resource with the given type and display name, printed as "<resourceType>:<resource>".
# The values are passed in with --arg, so names containing spaces or quotes stay data.
# .entitlements is iterated as an array.
findResource='first(.entitlements[].entitlement.resource | select(.id.resourceType==$type and .displayName==$name)) | .id.resourceType + ":" + .id.resource'

# Find an id of the entitlement with given entitlement type by its name in 1st SaaS
idInSaaS1=$(baton entitlements -f "$c1zFileSaaS1" -o json | jq -r --arg type "$entitlementId" --arg name "$entitlementName" "$findResource")

# Find an id of the entitlement with given entitlement type by its name in 2nd SaaS
idInSaaS2=$(baton entitlements -f "$c1zFileSaaS2" -o json | jq -r --arg type "$entitlementId" --arg name "$entitlementName" "$findResource")

# Compare two principals in 2 c1z files
baton principals compare -f "$c1zFileSaaS1" --entitlement "$idInSaaS1:$entitlementType" --compare-entitlement "$idInSaaS2:$entitlementType" --compare-file "$c1zFileSaaS2"
Insert your GitHub access token and GitHub org names into the script shown above by copying and pasting them into the placeholders.
chmod +x github-compare.sh
- Run the script to compare your files by:
Now that you have a good overview of access rights across different Software-as-a-Service systems with Baton, you can look into its other features. ConductorOne provides export capabilities to help administrators take control of user access and security. The Baton SDK also integrates with Amazon Web Services for a full suite of cloud services for your organization. With these tools, you can easily customize access rights for users and more efficiently manage security across all systems.
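A stricter form of the entitlement lookup in github-compare.sh, as an added example that is not part of the original guide or of Baton itself: it refuses to build an entitlement ID when the display name matches no resource or more than one, so the comparison never runs against the wrong team. The function name, the sample data and the export shape (a list under `entitlements`, read through the same fields as the script's jq filter) are assumptions.

```python
import json


def _row(rtype, rid, name):
    # Builds one constructed export row with the fields the jq filter reads.
    return {"entitlement": {"resource": {
        "id": {"resourceType": rtype, "resource": rid}, "displayName": name}}}


# Constructed sample data; real input comes from `baton entitlements -o json`.
# Assumed shape: {"entitlements": [{"entitlement": {"resource": {...}}}]}.
SAMPLE_EXPORT = json.dumps({"entitlements": [
    _row("team", "101", "platform"),       # e.g. member entitlement of team 101
    _row("team", "101", "platform"),       # e.g. maintainer entitlement, same team
    _row("team", "202", "security"),
    _row("team", "303", "security"),       # second team with the same name
    _row("repository", "900", "platform"),
]})


def resolve_entitlement(export_json, resource_type, display_name, grant_type):
    """Return '<resourceType>:<resource>:<grant_type>' or raise ValueError."""
    found = set()
    for item in json.loads(export_json).get("entitlements", []):
        res = item.get("entitlement", {}).get("resource", {})
        rid = res.get("id", {})
        if (rid.get("resourceType") == resource_type
                and res.get("displayName") == display_name):
            # Several entitlements share one resource, so collect distinct IDs.
            found.add(rid.get("resource", ""))
    if not found:
        raise ValueError(f"no {resource_type} named {display_name!r}")
    if len(found) > 1:
        raise ValueError(f"{display_name!r} is ambiguous: {sorted(found)}")
    return f"{resource_type}:{found.pop()}:{grant_type}"


if __name__ == "__main__":
    print(resolve_entitlement(SAMPLE_EXPORT, "team", "platform", "member"))
    for name in ("security", "no-such-team"):
        try:
            resolve_entitlement(SAMPLE_EXPORT, "team", name, "member")
        except ValueError as err:
            print("refused:", err)
```
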