Work with the ConductorOne app

The ConductorOne app is a special application where you can see and manage ConductorOne access within ConductorOne. Yes, it's very meta.

The ConductorOne application

The ConductorOne application contains current data on user access to ConductorOne and user permissions within ConductorOne. It lets you review and manage access to ConductorOne … with ConductorOne. It’s more than a bit self-referential, true, but we promise it’s useful.

You’ll find the ConductorOne app on the Applications page’s Managed apps tab. Note that it’s the one with the purple logo.

A screenshot of the ConductorOne app showing the Roles tab.

If you create another application named “ConductorOne”, it is given a white logo.

What can I do with the ConductorOne app?

Key uses for the ConductorOne app include:

  • Review ConductorOne user roles in an access review campaign. ConductorOne user roles are shown as roles in the ConductorOne app. You can add these roles to an access review campaign to audit whether ConductorOne users have the appropriate level of permissions in the app.

  • Allow users to request new ConductorOne roles. You can add ConductorOne user roles to request catalogs and bundles, allowing users to request new permissions in ConductorOne.

    You cannot set app-level access configuration rules on the ConductorOne app, but you can configure access request settings on an individual entitlement.

  • Manage users’ enrollment in catalog access bundles. Catalogs are a resource type in the ConductorOne app. Grant users the enrollment entitlement to give them access to the catalog’s entire bundle of access.

What are the limitations of the ConductorOne app?

Because of the special, self-referential nature of the ConductorOne app, it lacks some functionality that’s present on all other apps:

  • You cannot rename the ConductorOne app or its roles. You can rename ConductorOne groups (see below) and catalogs.

  • The ConductorOne app does not support linked entitlements.

  • You cannot bind entitlements in the ConductorOne app to entitlements in other apps.

  • There are no provisioning settings for the ConductorOne app’s entitlements, as provisioning and deprovisioning are completed by ConductorOne itself.

Groups in the ConductorOne app

You can create custom groups in the ConductorOne app that dynamically adjust their membership based on adherence to a membership rule. Create these special groups on the Groups page, then use them throughout ConductorOne.

A screenshot of the ConductorOne app showing a sample ConductorOne group.

What can I do with a ConductorOne group?

Key uses for these special groups include:

  • Organizing employees without creating custom IdP groups. ConductorOne groups make it easy to create groups of employees who share key profile attributes or combinations of access.

  • Specifying who can request a catalog’s contents. A catalog or full bundle can be requestable by a ConductorOne group.

  • Assigning a group as reviewer on a policy step. A ConductorOne group can be set as a policy step reviewer.

Create a new ConductorOne group

Create a ConductorOne group by setting a rule for membership. ConductorOne will dynamically add or remove members from the group based on their adherence to the rule.

  1. Navigate to Admin > Groups and click Create group.

  2. Give your new group a name and add a description. Click Create group.

  3. In the Membership rule section of the page, click Configure.

  4. Choose how to form your membership rule:

    • Use the Basic condition builder to construct a membership rule from a combination of entitlements and profile attributes, with the option to add “and” and “or” statements to refine the rule.

    • Use the Expression field to compose a CEL expression that describes the membership rule.

  5. Click Preview to check the syntax of your membership rule.

    Note that not all users who match the membership rule will be shown immediately when you click Preview.

  6. Optional. In the Excluding field, add the names of any users who should be excluded from this group, even if they match the membership rule.

  7. When you’re satisfied, click Save. The Membership rule section syncs and updates the list of matching users.

    Depending on the number of users in your ConductorOne installation, syncing might take some time. When syncing is complete, the Syncing label will be replaced by a Last sync timestamp.

That’s it! Your ConductorOne group is now ready for use elsewhere in the app. The group will re-sync every hour to check which ConductorOne users match the rule you set, and will add or remove group members accordingly.

Frequently asked questions about ConductorOne groups

How often does the membership rule sync?

A new sync is kicked off each hour.

Can users request access to a ConductorOne group?

No, currently ConductorOne groups cannot be added to request catalogs. Membership in ConductorOne groups is solely determined by matching the membership rule.