ConductorOne product terms glossary
Access conflict
An access conflict occurs when two entitlements assigned to the same user violate a separation of duties (SoD) policy or other regulation. See Conflict monitor.
Access profile
A group of resources and entitlements curated for their applicability to a certain audience and only visible to that audience. Access profiles limit what resources and entitlements each user can see and request, so only relevant access is visible and available. An access profile can be set up so that users can request each app or permission it contains individually (in their app catalog), or so that the entire bundle of access is requestable as a unit (also called a profile). See App catalog.
Account
A unique record associated with a specific actor (such as a human, a system account, or a service account) within an application. An account in an application is granted permissions and roles in that app.
Account owner
The human user known to ConductorOne who is associated with an account in an application. See User.
App catalog
The list of applications (and permissions within them) that are available for a specific end user to request, based on all the access profiles that user has access to. See Access profile.
Application
Within ConductorOne, an application is a mirrored record of the access, account, and user data within a tool or service your organization uses. See Connector.
Attribute value
A custom risk level or compliance framework tag that you create and apply to entitlements, such as “SOC2” or “High risk”.
Baton
The open-source code framework that powers connectors. Named for an orchestra conductor’s baton, which focuses and directs the musicians, and for the baton transferred from one runner to the next (like data!) in a relay race. We like a double meaning around here.
Binding
A relationship between two entitlements, so that being granted access to entitlement A automatically also grants the user access to entitlement B. See Linked entitlement and Virtual entitlement.
C1
Shortened form of “ConductorOne”, used informally and for faster typing.
ConductorOne app
A special application that models ConductorOne within ConductorOne. Allows you to review and manage access to ConductorOne using ConductorOne’s tools. Very meta, very useful.
ConductorOne group
ConductorOne groups are collections of ConductorOne users that you create and use within ConductorOne. They can be useful for organizing groups of employees as access recipients or assignees to tasks.
Campaign (UAR)
User access review (UAR) campaigns are a framework for periodically reviewing user access. A campaign has a scope (the access to be reviewed) and a timeframe (the start and end dates of the campaign).
CEL
Common Expression Language (CEL) was developed by Google and is used in ConductorOne to write conditional expressions that use variables and user data known to ConductorOne.
Cone
ConductorOne’s command-line interface (CLI) tool. Allows you to interact with ConductorOne from the comfort of your terminal window. Named in reference to ConductorOne’s nickname “C1”, with the “one” spelled out. Pronounced like the ice cream holder or traffic diverter of the same name.
Conflict monitor
A conflict monitor watches for a certain access conflict in any user’s requested or assigned access and notifies admins if a conflict is found so the access can be evaluated. See Access conflict.
Connector
Integration code that connects ConductorOne to another software tool or service. Used as the source of data for applications in ConductorOne. All connectors can read (sync) data, and some can also write (provision) to the connected software. See Application.
Copilot
ConductorOne’s AI-powered assistant, which provides insights, help, and guidance throughout ConductorOne to help you make informed choices and get work done efficiently.
Deprovision
The process of removing previously assigned permissions or shutting down user accounts in connected systems after a revocation proposal is confirmed. In ConductorOne, deprovisioning tasks are assigned to users when manual deprovisioning of access is required. See Revoke / Revocation.
Digest
A personalized email sent to ConductorOne users that includes an overview of open tasks, connector sync errors, expiring access, and more. Sometimes called “daily digest”, but can be set by your organization for daily or weekly delivery.
Delegate
A designated user who will receive and complete the ConductorOne tasks that would otherwise be assigned to a user who cannot (or should not) complete them, such as an executive or an employee on extended leave.
Directory
An application that holds key information about the people who work for and with your organization (employees, contractors, interns, partners, etc.) such as their department, manager, job title, employment status, and more. Directories are usually your HR and identity provider (IdP) tools, but any app can be set as a directory. See Application.
Enrollment
A user is enrolled in an access profile when they are automatically granted the full contents of an access profile due to meeting the criteria set for that access. See Access profile.
Entitlement
A specific permission that can be requested and reviewed in ConductorOne. Entitlements are how users gain access to resources, and designate the type of access granted. For instance, a resource called “revolution-hall-repo” might have two entitlements called “admin” and “member”. See Resource.
External data source
A designated file system or S3 bucket that ConductorOne can read from and write to. These are useful for managing access data from systems and tools that cannot use a connector.
External ticketing system
An integration with your organization’s IT ticketing system, such as Jira or ServiceNow. Once configured, when manual provisioning of new access is required, ConductorOne automatically creates a ticket in the connected external ticketing system. ConductorOne will monitor the status of the ticket and mark the provisioning step complete in ConductorOne once the ticket is closed.
Linked entitlement
An existing relationship between an entitlement in an IdP and one in a standalone application. Linked entitlements commonly connect IdP resources with the apps the IdP controls access to.
Managed app
An application that you’re actively managing with ConductorOne. A managed application has an active connector or other data source. See Application, Connector, and Unmanaged app.
Mapping
The process of matching how key data points are labeled in an integrated software or service with how they’re labeled in ConductorOne, so data can be pulled in and used correctly across sources.
Policy
A reusable rule set that defines a process for requesting, reviewing, or revoking access. Policies can contain instructions such as who a certain task should be routed to, as well as instructions on sending notifications, triggering webhooks, conditional routing, and much more.
Profile attribute
A piece of information about an application account that is pulled in from an application, and that can be used to scope UAR campaigns or build policies. See Account.
Provision
The process of creating new user accounts and assigning permissions in connected systems after an access request is approved. In ConductorOne, provisioning tasks are assigned to users when manual provisioning of new access is required. See Request.
Request
Broadly, when a user asks for a new permission, this is a request (or more formally, an access request). In ConductorOne, the user submits the request and a request task is created, which is governed by a request policy. See Task and Policy.
Requestor
The person making a request for access. This is most commonly the user who will be granted the access, but it can be a manager or other admin making the request on the user’s behalf.
Resource
A named object within an application, such as a specific role, group, repository, or license. A resource contains entitlements, which are the specific permissions that are reviewed and requested in ConductorOne. See Entitlement.
Resource type
A general categorization of the resource objects found in an application, such as roles, groups, repositories, and licenses.
Review
Broadly, when a user’s access to a certain permission is checked to ensure it is still appropriate and necessary, this is a review (or more formally, an access review, which is part of a user access review (UAR) campaign). In ConductorOne, review tasks are created as part of a campaign, and these tasks are governed by a review policy. See Task and Policy.
Reviewer
The person who is evaluating a request or review task and making a decision about whether new access should be granted, current access should be preserved, or unnecessary access should be removed.
Revoke / Revocation
Broadly, when a permission that was granted to a user is removed, this is a revocation. In ConductorOne, a revocation task is created when the user, their manager, or a reviewer during a UAR campaign recommends that the access be removed. The revocation task is governed by a revoke policy. (“Revoke” and “revocation” are used interchangeably in ConductorOne since, unlike “review” and “request”, the noun and verb forms differ.) See Task and Policy.
Scope
The specific user access that will be reviewed in a user access review (UAR) campaign. See Campaign.
Service account
A special type of application account used by a computer program or service that represents a non-human identity. Used to access resources or perform actions in an app or network.
Service desk integration
A special AI-powered integration that allows ConductorOne to automatically create request tasks based on the information entered in a service desk ticketing system such as Jira.
Shadow app
Shadow apps are applications and cloud services not managed or approved by an organization’s IT department that employees sign into using their corporate email.
Sync
The process of reaching out to an integrated software tool or service via a connector to read new data or to write data to the tool or service based on changes and decisions made in ConductorOne. Based on the type and configuration of the connector, syncs can happen automatically on a schedule, or can be triggered manually. See Connector.
System account
A special type of application account used by an operating system that represents a non-human identity. Used to perform system-level operations.
Task
A discrete task to be performed in ConductorOne, such as reviewing a user’s access to a specific entitlement as part of a UAR campaign, approving or denying a user’s request for new access, or manually provisioning new access. See Request, Review, Revoke / Revocation, Provision, and Deprovision.
Template
A pre-configured, reusable framework for creating recurring UAR campaigns. Templates make it faster and easier to set up identical or very similar campaign configurations when you need to run a certain campaign on a recurring schedule.
Unmanaged app
Child apps that a connector discovers for an app that is an identity provider (IdP), SSO, or federation provider, but to which you haven’t yet added a connector or other data source so that you can begin managing them in ConductorOne. See Managed app.
User
A human at your organization whose access data is synced to ConductorOne, and who can be assigned tasks in ConductorOne. ConductorOne user accounts are automatically created when you set directories as sources of user data. See Directory.
User attribute
A specific piece of data about a user that is pulled from a directory app. See Directory.
User role
A group of permissions in ConductorOne that define what a user can and cannot see, create, and modify. User roles are assigned to users and are scoped to the work each user will do in ConductorOne, ranging from Basic User to Super Admin.
Vault
Centralized secure storage within ConductorOne where initial or temporary passwords for application accounts provisioned through the platform are posted. Only the account owner and the vault owner can retrieve and distribute a new account’s password.
Virtual entitlement
A special proxy entitlement that is created in ConductorOne and does not get written back to the source software. Virtual entitlements are ideal for making easy-to-understand user-facing target entitlements that can be bound to more complex existing entitlements in your IdP, SSO, or federation provider.