ConductorOne docs

Understanding entitlement provisioning

Learn how entitlement provisioning works in ConductorOne.

Provisioning is hard! (And complicated.) We’re identity people, we’d know.

ConductorOne supports multiple methods for provisioning access. This allows you to add governance and access control to all of your apps and technologies.

On this page, we’ll cover the different methods for provisioning, from simplest to most sophisticated.

Method 1: Connector provisioning

When to use? Connector (direct) provisioning is the default provisioning strategy for apps with a connector.

This is the easiest method for provisioning. Our connectors just “take care of” the provisioning directly. This allows ConductorOne to provision fine-grained entitlements and permissions directly in the connected application or infrastructure. By default, ConductorOne will use the connector when provisioning or deprovisioning access. To determine if a connector supports provisioning, see the connector’s setup page.

Method 2: Linked entitlements

When to use? Use linked entitlements if the application is in your SSO directory or identity provider and you need basic access control.

ConductorOne allows you to manage apps from your SSO directory or identity provider. Once these apps are managed, ConductorOne will discover “linked entitlements”. These are entitlements in the SSO directory or identity provider that have a relationship with the application.

Examples of linked entitlements:

  • In Microsoft Entra, several groups are assigned to the application for access control
  • In Okta, several push groups are used to push group memberships to the app via SCIM
  • In Okta, AWS access is controlled using custom attributes that are added to the SAML assertion at login time

In each example above, access is “controlled” by assigning the user to the entitlement (such as group membership) in the SSO directory or identity provider.

ConductorOne allows you to manage provisioning in the downstream app by creating the linkage between that managed app in ConductorOne and the SSO directory or identity provider.

To use this method, first ensure that app is managed by ConductorOne:

  1. Navigate to the Applications page.
  2. Click the Unmanaged apps tab.
  3. Find the app and click Manage.
  4. Set the app owners and click Manage.

Next, configure the linked entitlements:

  1. On the Managed apps tab, click the app you just managed.
  2. Click the Linked entitlements tab.
  3. Click Set up linked entitlements.
  4. Use the panel to either create new roles or resources in ConductorOne that map to those entitlements OR map those to existing roles or resources (if you’ve already added a connector to the app).

Once set up, ConductorOne will provision the entitlement by provisioning the “linked” entitlement in the SSO directory or identity provider. This is transparent to the end user.

Method 3: Manual provisioning

When to use? Use manual provisioning as a last resort. Nobody likes touching provisioning requests.

Manual provisioning treats the provisioning step as if ConductorOne were a ticketing engine. With manual provisioning, the provisioning task is assigned to one or more users to complete the provisioning.

Manual provisioning can be configured by clicking the provisioning settings on an entitlement.

If there is an error or issue in provisioning, manual provisioning is used as the fallback method. In this scenario, the request is assigned to the application owner to resolve the issue.

Method 4: Ticket-based provisioning

When to use? Use ticket-based provisioning if you need access requests to flow through your helpdesk.

ConductorOne supports helpdesk ticket creation as a method for provisioning access. To use ticket provisioning, you’ll first need to add a connector that supports ticket provisioning. Examples of ticketing-enabled connectors are Jira and ServiceNow.

Once a connector with ticketing is added, create a template for the ticket:

  1. Navigate to Admin > Settings.
  2. Click the External ticketing tab.
  3. Set up an external ticketing template (see External ticketing for more information).

Then set provisioning for the entitlement to use the external ticketing template you defined.

Method 5: Webhook provisioning

When to use? Use a webhook if you want to quickly add provisioning for a homegrown app or if you need to add custom logic in your provisioning workflow.

To set up webhook provisioning:

  1. Navigate to Admin > Settings and click Webhooks.
  2. Follow the instructions in Using webhooks to set up a new webhook endpoint.
  3. Navigate to an entitlement you want to set webhook provisioning on.
  4. In the Provisioning section of the entitlement’s details page, click Edit.
  5. In the Configure provisioning pane, select Webhook and choose your webhook from the dropdown.
  6. Click Save.
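
A webhook endpoint is only as safe as the code that receives it, since it will grant and revoke access in your homegrown app on ConductorOne’s behalf. The receiver below is an added example (not ConductorOne’s code and not a documented payload format): it assumes a JSON event with `id`, `action`, `user` and `entitlement` fields and an `X-Signature-SHA256` header carrying an HMAC over the raw body with a shared secret, and shows the three checks a receiver should make before touching the app’s user store: authenticate the message, reject malformed events, and ignore retried duplicates.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example (assumption: the webhook is authenticated
# with an HMAC-SHA256 over the raw request body using a secret both sides know).
SECRET = b"example-shared-secret-replace-me"


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Compute the hex HMAC-SHA256 the sender is assumed to put in X-Signature-SHA256."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str, secret: bytes = SECRET) -> bool:
    """Constant-time comparison so a forged signature cannot be guessed byte by byte."""
    return hmac.compare_digest(sign(body, secret), signature_hex)


def handle_provisioning_webhook(body: bytes, headers: dict, store: dict, seen: set):
    """Apply one grant/revoke event to the app's user store.

    store: user -> set of entitlement names held in the homegrown app (assumed shape).
    seen:  event ids already applied, so a retried delivery is not applied twice.
    Returns (http_status, message) for the response to the webhook caller.
    """
    if not verify_signature(body, headers.get("X-Signature-SHA256", "")):
        return 401, "bad signature"          # unauthenticated: change nothing
    try:
        event = json.loads(body)
        event_id = event["id"]
        action = event["action"]
        user = event["user"]
        entitlement = event["entitlement"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed event"        # a 4xx tells ConductorOne the step failed
    if event_id in seen:
        return 200, "duplicate ignored"      # idempotent: retries are safe
    if action == "grant":
        store.setdefault(user, set()).add(entitlement)
    elif action == "revoke":
        store.get(user, set()).discard(entitlement)
    else:
        return 400, f"unknown action {action!r}"
    seen.add(event_id)
    return 200, f"{action} applied"
```

Returning a 4xx/5xx on any failure matters in practice, because a provisioning error is what triggers the manual fallback described under Method 3.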

Method 6: Multi-step provisioning

When to use? If you have multiple steps for provisioning access, such as “put the user in an IdP group AND directly provision the entitlement in another application”.

Multi-step provisioning gives you significant flexibility when it comes to provisioning access. It allows you to perform a series of steps for provisioning access, such as “send a webhook and then create a helpdesk ticket and then directly assign the permission in the app”.

To configure multi-step provisioning:

  1. Navigate to an entitlement.
  2. In the Provisioning section of the entitlement’s details page, click Edit.
  3. In the Configure provisioning pane, use the Add step controls to add as many provisioning steps as are needed. Make sure to add the provisioning steps in the order you want them to be applied.
  4. Click Save.