ConductorOne Docs

Create applications

Applications mirror the many tools and services your company uses. Applications provide visibility and management of accounts and permissions.

📋 Your application-creation workflow

When setting up applications for your new ConductorOne instance, follow this order of operations:

  1. Integrate your identity provider (IdP). This creates the IdP app in ConductorOne, and also automatically creates child apps for all the software that you use your IdP to manage or SSO into.

  2. Add connectors or file uploads between the auto-created child apps and the software, so that the software’s usage data is pulled into the app.

  3. Create new applications for any other software your company uses. These might use connectors, or might be custom applications that use a file upload or a data source to pull in usage data.

Application types

There are three types of applications in ConductorOne:

  1. Applications created via integration with an identity provider (IdP). When ConductorOne is integrated with an IdP such as Okta, which is in turn integrated with third-party tools, those integrations are passed through the IdP to ConductorOne, creating applications of this type.

    See Add connectors to applications created by an IdP integration for more on setting up this type of application.

  2. Applications created by individual integrations. These applications are created when ConductorOne is integrated directly with another piece of software. You’ll also integrate with your IdP this way.

    See Create applications from integrations for more on setting up this type of application.

  3. Custom applications. These applications are built inside ConductorOne and used to manage the access and permissions for the tools that your company hosts or has built in-house, as well as tools that aren’t yet part of our growing list of integrations.

    See Create a custom application for more on setting up this type of application.

Add connectors to applications created by an IdP integration

When you integrate with an identity provider (IdP) that your company uses to SSO into lots of other software, ConductorOne automatically creates applications for each one (these are your SCIMed apps). This is done so you have a full picture of which software your colleagues SSO into via the IdP.

However, it’s important to understand that in these auto-created apps, the only resource pulled in is the ability to SSO into the app.

To get the full picture of the usage data for that app, you need to set up an integration, adding the connector to the existing app when prompted, rather than creating a new one. If no integration for the software is available, you can upload the usage data or build a custom connector.

Create new applications from integrations

ConductorOne connectors pull account and usage data from a software instance into ConductorOne. This lets you do things like review access, approve new access requests, and (in cases where the integration connector also supports provisioning) add and remove permissions.

Visit the Integrations library to see a list of all available integrations.

When you set up a new integration, ConductorOne asks if you want to create a new application, or to add the data stream you’re integrating to an existing application. This lets you design how you want to group and configure the access data you’re pulling in.

When to add multiple connectors to one application

In most cases, you’ll have one integration hooked up to one application. But it’s not uncommon to need or want to have multiple data sources feeding into one application in ConductorOne.

Here’s an example. Let’s say your company uses an expenses-tracking app called PayDough, and ConductorOne offers a PayDough integration. The company uses one PayDough instance for the executive team, and a different PayDough instance for the sales team. But in ConductorOne you’ll want to run access reviews on all the PayDough access for both instances.

In this case, you’d set up your PayDough integration using two connectors, one pulling the exec team’s usage data, and the other pulling the sales team’s usage data. BOTH connectors will pull that data into a single PayDough application in ConductorOne, so you can review and manage all the PayDough usage in one place.

Create custom applications

You also have the option to create a new application without setting up an integration. This type of application is useful when you want to pull data into ConductorOne with a spreadsheet or CSV file, or through regular uploads from an S3 bucket.

Create custom applications to manage access and permissions for on-prem, home-grown, and other tools that aren’t directly integrated with ConductorOne.

  1. In the navigation panel, open Apps and click Applications.

  2. Click Create application.

  3. Enter a name and description for the new application.

  4. In the Owners field, select one or more users who will be responsible for the application.

  5. Click Create application.

To upload identity and entitlement data to the new application, see the instructions in Import app data from an S3 bucket.