ConductorOne Docs
-
Add entitlement bindings
Entitlement bindings represent relationships between applications. Some bindings are created automatically by ConductorOne connectors, while others are set up manually. Bindings help you to: Show implicit grants that are created from other entitlements. For example, when a user is made a member of the Engineering group, they also receive Pull permissions on a GitHub repository.
-
Add users
Add users from Okta Users added to the application in Okta are synced from the cloud directory to ConductorOne. You must be an Administrator in Okta to add users to the application. Log into the Okta tenant used to set up ConductorOne. Choose a method of assigning users: To assign individuals to ConductorOne: Click Directory > People.
-
Adjust campaign scope
To create custom parameters that you can use to adjust the scope of your campaign, you first need to create the custom profile attributes that will be used in your parameters. Profile attributes are key/value pairs of data sourced from identities in applications. Set up user key mappings to pull additional profile attributes from your application identities and use this information to narrow the scope of your campaign.
-
Amazon Web Services (AWS) connector
Overview Amazon Web Services (AWS) is a popular infrastructure cloud service provider. Given the nature of cloud infrastructure, AWS often contains sensitive data about customers, and is running infrastructure used for critical applications. ConductorOne connects to your AWS account to manage IAM Users, Roles, and Policies. Availability ✅ General availability. The AWS integration is available to all ConductorOne users.
-
AWS S3 bucket data storage
Overview ConductorOne automatically syncs with the connected S3 bucket every hour, so data updated in the S3 bucket is reflected in the ConductorOne application. Availability ✅ General availability. The AWS S3 data source integration is available to all ConductorOne users. Requirements When connecting to your AWS environment, you will need:
-
Azure Active Directory connector
Overview Azure Active Directory (Azure AD) is a Microsoft cloud-based identity and access management service. ConductorOne integrates with your Azure AD account to provide visibility and permission management on users, groups, applications, and roles. Availability ✅ General availability. The Azure Active Directory integration is available to all ConductorOne users. Capabilities Sync users from Azure AD to ConductorOne Entitlements Supported: Azure AD Groups Azure AD User Roles Azure AD Application Roles Requirements When connecting to your Azure AD environment, you will need:
-
BambooHR connector
Overview BambooHR is a popular HR solution for organizations. ConductorOne integrates with your BambooHR account to provide visibility on users and manager attributes. Availability ✅ General availability. The BambooHR connector is available to all ConductorOne users. Capabilities Sync users from BambooHR to ConductorOne Sync users' manager information from BambooHR to ConductorOne Requirements When connecting to your BambooHR environment, you will need:
-
Buildkite connector
Overview Buildkite is a platform for running fast, secure, and scalable continuous integration pipelines on your own infrastructure. ConductorOne connects to your Buildkite instance to manage team access. Availability ✅ General availability. The Buildkite integration is available to all ConductorOne users. Capabilities Sync team members from Buildkite to ConductorOne Entitlements Supported: Team Requirements When connecting to your Buildkite environment, you will need:
-
Cloudflare connector
Overview Cloudflare is a popular content delivery network that offers people numerous products to increase the security and performance of their websites and services. ConductorOne integrates with your Cloudflare account to provide visibility and permission management on users and roles. Availability ✅ General availability. The Cloudflare integration is available to all ConductorOne users.
-
Complete your tasks
Step 1: Receive a notification ConductorOne will send you notifications by email and Slack (if enabled) whenever a task is assigned to you. To ensure that notification emails are delivered to your primary inbox, add no-reply@conductorone.com to your email contacts list. Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.
-
Completeness and accuracy
How do application integrations work in ConductorOne? Application data is synced every 1-2 hours (exact duration depends on the size of your tenant). Applications are connected using the required authentication method as described in the integration documentation. How the data is categorized is determined by the application’s API. This page provides clarification on how to match up the data and any known limitations to application APIs.
-
ConductorOne release notes
February 3, 2023 Data value mappings for imported data. When you import application data using a CSV file or an Excel spreadsheet, ConductorOne attempts to match the data values in your file to the data values the system expects. We’re pleased to introduce a new mapping interface that’s designed to make it easier to reconcile the data output by your application and the data model used by ConductorOne.
-
Confluence connector
Overview Confluence is a hosted software offering for documentation, decisions, project collaboration, and Jira integrations to plan, track, and release software. ConductorOne integrates with your Confluence account to provide visibility and permission management on critical roles and data access. Availability ✅ General availability. The Confluence integration is available to all ConductorOne users.
-
Coupa connector
Overview Coupa Software is a global technology platform for Business Spend Management. ConductorOne integrates with your Coupa account to provide visibility and permission management on users, groups, and roles. Availability ✅ General availability. The Coupa integration is available to all ConductorOne users. Capabilities Sync users from Coupa to ConductorOne Entitlements supported: Coupa Groups Coupa Roles Coupa Licenses Requirements To connect to your Coupa environment, you will need:
-
Create a campaign Slack channel
Before you begin: A Slack administrator at your company must integrate Slack with ConductorOne by visiting the ConductorOne Integrations page and clicking Slack. Navigate to the campaign’s Configuration tab. If you haven’t yet started the campaign, the Configuration tab is shown before you prepare the campaign and again before you start the campaign.
-
Create an access review campaign
Periodic use of access review campaigns helps Security and IT teams to securely control and monitor what users can access while making sure employees can also successfully manage their operations. Access review campaigns also help you to achieve compliance with security standards and audit requirements. Step 1: Create a new campaign Only users with the Campaign Administrator or Super Administrator user roles in ConductorOne can create and manage campaigns.
-
Create an account and sign in with SSO
Before you begin: A ConductorOne invite code is required to complete the account setup process. If you do not have an invite code, contact us at support@conductorone.com. Navigate to https://accounts.conductor.one/accounts/signup. In the Domain field, enter the domain you want to use for your ConductorOne instance. This will form the URL at which your users access ConductorOne.
-
Create applications
Application types There are three types of applications in ConductorOne: Applications created by individual integrations. These applications are created when ConductorOne is integrated directly with a third-party tool. Applications created via integration with your identity provider (IdP). When ConductorOne is integrated with IdPs such as Okta, which are in turn integrated with third-party tools, those integrations are passed through the IdP to ConductorOne, creating applications of this type.
-
Create review policies
View available review policies ConductorOne provides a default review policy to get you started. To view this and all other review policies currently saved in your ConductorOne instance: In the navigation panel, click Policies. Use the Type filter and select Review to view all available review policies. Create a new review policy If the existing policies don’t match the workflow you need to perform during an access review campaign, create a new review policy.
-
Datadog connector
Overview Datadog is a popular observability and security tool for infrastructure. Given the nature of observability and logging, many times Datadog has sensitive data about customers, environments, and infrastructure. ConductorOne connects to your Datadog instance to manage entitlements for access. Availability ✅ General availability. The Datadog integration is available to all ConductorOne users.
-
Displaying the ConductorOne app on the Okta dashboard
To display the ConductorOne app on the Okta end user dashboard: Log into the Okta portal as an Admin. Navigate to Okta admin > Applications > ConductorOne. Click the General tab. Scroll to General Settings and click Edit. In the Grant type area, check Implicit (hybrid). Leave Allow ID Token with implicit grant type checked.
-
DocuSign connector
Overview DocuSign is a popular document signing solution. DocuSign allows organizations to collaborate on documents, and enables virtual signatures. Availability ✅ General availability. The DocuSign connector is available to all ConductorOne users. Capabilities Sync identities from DocuSign to ConductorOne Entitlements Supported: DocuSign Groups DocuSign Signing Groups DocuSign Permission Profiles Requirements When connecting to your DocuSign environment, you will need:
-
Five things to do first when you start using ConductorOne
1. Adjust user roles Determine who in your organization should have Administrator-level access to ConductorOne and adjust their role accordingly. If you haven’t already done so, follow the directions to Create an account and Add users. In the ConductorOne navigation panel, click Users. Click on the name of the user whose role you want to change.
-
Frequently asked questions
FAQ If we use Okta as our directory, how often will changes made in Okta sync to ConductorOne? Changes made in Okta will typically sync within 1-2 hours. The range in time depends on the size of your Okta tenant. What’s ConductorOne’s IP address? ConductorOne has these associated IP addresses: 35.
-
Generate population reports
Proving data integrity between ConductorOne and your applications is a key component of auditing procedures. Generate reports to prove accuracy of grant counts and related data to auditors and other necessary parties. Depending on the size of the data set, generating a report might take several minutes. In the navigation panel, click Applications.
-
Generate reports
In the navigation panel, click Campaigns. Click the name of the campaign you’re interested in. Click Reports > Generate Report and confirm your action. The report is compiled for you. Depending on the size of the campaign, this might take several minutes, so please be patient. When the report is ready, click Download to receive the report in Excel format.
-
Get ready for access review campaigns
Why should I run an access review campaign with ConductorOne? Periodic access reviews are mandated by SOC2, PCI, SOX, and various other compliance programs. Furthermore, from a least privilege and security perspective, ensuring that users only have the access they need, for as long as they need it, reduces the access footprint of your company for sensitive systems and data.
-
GitHub connector
Overview GitHub is a very popular development tool and Git repository hosting service. Because GitHub touches the entire software development lifecycle, it often has sensitive data about customers, environments, and infrastructure. ConductorOne connects to your GitHub instance to manage entitlements for access. Availability ✅ General availability. The GitHub integration is available to all ConductorOne users.
-
GitLab connector
Overview GitLab is a collaboration tool for developers and DevOps teams. GitLab spans the entire software development lifecycle, and often holds sensitive data about customers, environments, and infrastructure. ConductorOne connects to your GitLab instance to manage entitlements for access. Availability ✅ General availability. The GitLab integration is available to all ConductorOne users.
-
Glossary
Access Reviews: Enable organizations to efficiently control and manage users' access to critical applications and role assignments. Access Reviews allow an ADMIN of ConductorOne to assign a task to designated employees (reviewers). A reviewer can then Approve or Deny the request for Access. Account Type: User or Service Account.
-
Google Cloud Platform connector
Overview Google Cloud Platform is a popular cloud platform for enterprises. ConductorOne connects with your Google Cloud Platform instance to provide visibility and permission management on users, projects, and roles. Availability ✅ General availability. The Google Cloud Platform connector is available to all ConductorOne users. Capabilities Sync identities from Google Cloud Platform to ConductorOne Entitlements supported: Google Cloud Platform projects Google Cloud Platform roles Requirements To connect your Google Cloud Platform environment, you will need:
-
Google Workspace connector
Overview Google Workspace is a popular cloud directory and SSO solution for enterprises. Google Workspace stores identity and group information for your organization. ConductorOne connects with your Google Workspace instance to sync identities and entitlements. Availability ✅ General availability. The Google Workspace integration is available to all ConductorOne users. Capabilities Sync identities from Google Workspace to ConductorOne Entitlements Supported: Google Workspace Groups Google Workspace Roles Requirements To connect your Google Workspace environment, you will need:
-
Import data
Prepare data for import Many companies use home-grown or custom software not natively supported by ConductorOne integrations. You can import the key data from this software, then use ConductorOne to conduct access reviews and manage permissions. Accepted data formats ConductorOne accepts custom CSV files, our templates (linked below), or a custom spreadsheet.
-
Interact with ConductorOne via Slack
Set up the ConductorOne Slack app Before you begin: A Slack administrator at your company must integrate Slack with ConductorOne by visiting the ConductorOne Integrations page and clicking Slack. In Slack, navigate to the Apps section of the navigation bar. Click Add apps and search for ConductorOne. Click the ConductorOne app and follow the prompts to add it to your Slack workspace.
-
Introducing ConductorOne
What is ConductorOne? Identity security has become increasingly dynamic and complex with the explosion of SaaS apps and cloud infrastructure. ConductorOne is an automation platform that enables security, compliance, and IT teams to manage the lifecycle of permissions and access seamlessly across your environment. Our goal is to remove the friction from access management while improving your security and compliance.
-
Introduction to access reviews
Periodic access reviews are mandated by SOC2, PCI, SOX, and various other compliance programs. Furthermore, from a least privilege and security perspective, ensuring that users only have the access they need, for as long as they need it, reduces the access footprint of your company for sensitive systems and data.
-
Jira Cloud connector
Overview Jira Cloud is a hosted software offering enabling members of your team to plan, track, and release software. ConductorOne integrates with your Jira Cloud account to provide visibility and permission management on critical roles and data access. Availability ✅ General availability. The Jira Cloud integration is available to all ConductorOne users.
-
Manage an active campaign
Monitor progress On the Access Review tab of any campaign, view a dashboard summarizing the campaign’s progress and outstanding tasks. View and manage individual reviews On the campaign’s Tasks tab, open individual access reviews, view details, and take action: See the status of the access review (completed, open, etc) See the outcome of the access review (approved, denied) Reassign the review, if necessary Restart the review, if necessary Send the assigned reviewer a reminder notification Add comments View audit log history View related tasks Generate reports ConductorOne makes it very simple to generate reports on the campaign, which you can pass to auditors or other stakeholders.
-
Manage entitlements
Use custom entitlement attributes Entitlements have implications across access, security, and compliance. Often, this context is lost, or at best stored away in a separate database or spreadsheet. In ConductorOne, you can create custom risk levels and compliance framework tags, and apply these tags to entitlements. You can then sort and select entitlements for access reviews by compliance framework or risk level.
-
Matching data in ConductorOne and Okta
Example user counts in ConductorOne and Okta ConductorOne Okta identities count Okta People dashboard User identity count comparison and explanation User Title Okta ConductorOne Explanation Everyone [User + Service Accounts] 6 6 [(User + Service Account) - Okta Deactivated Users] Okta includes Deactivated users under Everyone, but ConductorOne will not.
-
Okta connector
Overview Okta is a popular cloud directory and SSO solution for enterprises. Okta stores identity, group, and application information for your organization. ConductorOne connects with your Okta cloud instance to sync identities and entitlements. Availability ✅ General availability. The Okta integration is available to all ConductorOne users. Capabilities Sync identities from Okta to ConductorOne Promote identities from application users to ConductorOne users Entitlements Supported: Groups Org Roles Application Assignments Depending on the permissions of the Okta API Token, ConductorOne has different functionality that it can provide.
-
OneLogin connector
Overview OneLogin is a popular cloud directory and SSO solution for enterprises. OneLogin stores identity, role, and application information for your organization. ConductorOne connects with your OneLogin instance to sync identities and entitlements. Availability ✅ General availability. The OneLogin integration is available to all ConductorOne users. Capabilities Sync identities from OneLogin to ConductorOne Entitlements Supported: OneLogin Roles OneLogin Application Assignments Requirements When connecting to your OneLogin instance, you will need:
-
Opsgenie connector
Overview Opsgenie is a modern incident management platform that ensures critical incidents are never missed, and actions are taken by the right people in the shortest possible time. Opsgenie receives alerts from your monitoring systems and custom applications and categorizes each alert based on importance and timing. Availability ✅ General availability.
-
Ramp connector
Overview Ramp provides finance tools – from corporate cards and expense management, to bill payments and accounting. ConductorOne integrates with your Ramp account to provide visibility and permission management on users and roles. Availability ✅ General availability. The Ramp integration is available to all ConductorOne users. Capabilities Sync users from Ramp to ConductorOne Entitlements Supported: Ramp Roles Requirements When connecting to your Ramp environment, you will need:
-
Salesforce connector
Overview Salesforce provides customer relationship management software and applications focused on sales, customer service, marketing automation, analytics, and application development. ConductorOne integrates with your Salesforce account to provide visibility and permission management on users, groups, permission sets, and roles. Availability ✅ General availability. The Salesforce integration is available to all ConductorOne users.
-
Security architecture
Security at ConductorOne At ConductorOne, our team is composed of long-time experts in security, identity, and infrastructure, who have built products from the ground up with highly secure environments. We understand that our own security and privacy practices are mission-critical to our ability to provide modern privileged access and governance for our customers.
-
Send campaign notifications
To ensure that notification emails are delivered to your primary inbox, add no-reply@conductorone.com to your email contacts list. Automatic notifications If the Campaign Owner has enabled campaign notifications, these notifications are sent automatically: Notification Time sent Notes Campaign kickoff When the campaign starts Sent to all users currently assigned access reviews for the campaign.
-
Set up ConductorOne using Google SSO
Step 1: Create a ConductorOne account Follow the instructions in Create an account. Click Sign up with Google. Step 2: Authenticate with Google When prompted to authenticate with Google, click your corporate account and continue logging in. That’s it! Google will now guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.
-
Set up ConductorOne using Microsoft SSO
Step 1: Create a ConductorOne account Follow the instructions in Create an account. Click Sign up with Microsoft. Step 2: Authenticate with Microsoft When prompted to authenticate with Microsoft, select your corporate account. Review the permissions requested by ConductorOne. These permissions are needed to establish the SSO link between Microsoft and ConductorOne.
-
Set up ConductorOne using Okta SSO
Step 1: Create a ConductorOne account Follow the instructions in Create an account. Click Sign up with Okta. A new page titled Setting up Okta to work with ConductorOne opens. Leave this page open, and open a new browser tab to create your ConductorOne OIDC application in Okta. Once the Okta application is set up, you’ll return to this registration page to complete ConductorOne signup.
-
Set up ConductorOne using OneLogin SSO
Step 1: Create a ConductorOne account Follow the instructions in Create an account. Click Sign up with OneLogin. A new page titled Setting up OneLogin to work with ConductorOne opens. Leave this page open, and open a new browser tab to create your ConductorOne OIDC application in OneLogin. Once the application is set up, you’ll return to this registration page to complete ConductorOne signup.
-
Snowflake connector
Snowflake integration Overview Snowflake is a popular cloud hosted data lake and analysis tool for data scientists, data analysts, and developers. Snowflake frequently contains sensitive customer information. Availability ✅ General availability. The Snowflake integration is available to all ConductorOne users. Capabilities Sync identities from Snowflake to ConductorOne Entitlements Supported: Snowflake Roles Requirements When connecting to your Snowflake environment, you will need:
-
Tailscale connector
Overview Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. Availability ✅ General availability. The Tailscale integration is available to all ConductorOne users. Capabilities Sync identities from Tailscale to ConductorOne Entitlements Supported: Tailscale Groups Tailscale ACL Rules Tailscale SSH Rules Requirements Integrating with Tailscale requires:
-
Twingate connector
Overview Twingate provides secure access to private resources for distributed workforces under a zero trust networking model. Availability ✅ General availability. The Twingate integration is available to all ConductorOne users. Capabilities Sync identities from Twingate to ConductorOne Provisioning supported: Locally created Twingate groups Entitlements supported:
-
User roles
Change a user’s role Change a user’s role if their responsibilities in ConductorOne change. Some users might need temporary access to an elevated permission set, such as while running an access review campaign. You must be a Super Administrator to change or add user roles. In the navigation panel, click Users.
-
Zendesk connector
Overview Zendesk is a popular customer support platform that offers numerous customer relationship management tools. ConductorOne integrates with your Zendesk account to provide visibility and permission management on users, groups, and organizations. Availability ✅ General availability. The Zendesk integration is available to all ConductorOne users. Capabilities Sync users from Zendesk to ConductorOne Entitlements Supported: Zendesk Groups Zendesk Organizations Requirements When connecting to your Zendesk environment, you will need:
-
🔐 Cloudflare Zero Trust connector
Overview Cloudflare Zero Trust is a popular zero trust application that works to reduce data loss, malware, and phishing, and to secure users, applications, and devices. ConductorOne integrates with your Cloudflare Zero Trust account to provide visibility and permission management on users and access groups. Availability 🔐 Limited availability. The Cloudflare Zero Trust integration is currently in limited availability as we gather more feedback from users.
-
🔐 Sentry connector
Overview Sentry is a performance and error monitoring software platform that helps developers to diagnose, fix, and optimize the performance of their code. Availability 🔐 Limited availability. The Sentry connector is currently in limited availability as we gather more feedback from users. Reach out to support@conductorone.com if you’d like to add Sentry to your Integrations page.