ConductorOne Docs

Set up entitlement bindings

Entitlement bindings allow ConductorOne to model relationships between entitlements. This is powerful for modeling implicit grants within and across applications.

What’s an entitlement binding?

Entitlement bindings represent relationships between entitlements, within and across applications. Some bindings are created automatically by ConductorOne connectors, while others are set up manually.

Bindings help you to:

  • Show implicit grants that are created from other entitlements. For example, when a user is made a member of the Engineering group, they also receive Pull permissions on a GitHub repository.

  • Give auditors and reviewers an understanding of how an entitlement was granted.

  • Give auditors and reviewers an understanding of what access is granted as a result of an entitlement being granted.

Find the list of current bindings on each entitlement’s Bindings tab.

The following information is shown for each binding:

  • Source entitlement: The entitlement that grants the relationship.

  • Action: Grants is the only action that ConductorOne currently supports. Entitlements can be granted from a bound entitlement.

  • Destination entitlement: The entitlement that is granted by the relationship.

  • Direction: A binding can be either Incoming or Outgoing:

    • Incoming bindings mean that the entitlement on the page is granted by another entitlement.
    • Outgoing bindings mean that the entitlement on the page grants another entitlement.

  • Type: A binding can be:

    • Manual: The entitlement binding is created manually.
    • System managed: The entitlement binding is created by the connector.
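
To illustrate the source, destination, direction and type fields described above, here is an added Python sketch (not ConductorOne's code or API) that models bindings as a graph and traces how each of a user's entitlements was granted. The entitlement names, the `Binding` class and both functions are hypothetical, and following bindings transitively is an assumption.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    source: str             # entitlement that grants the relationship
    destination: str        # entitlement granted by the relationship
    kind: str               # "Manual" or "System managed"
    action: str = "Grants"  # the only action the page describes

def direction(binding, entitlement):
    """Direction of a binding as seen from one entitlement's Bindings tab."""
    if binding.source == entitlement:
        return "Outgoing"
    if binding.destination == entitlement:
        return "Incoming"
    return None  # the binding does not involve this entitlement

def explain_access(direct_grants, bindings):
    """Map every entitlement a user ends up with to the chain that produced it.

    Assumption: bindings are followed transitively. Skipping entitlements
    already seen keeps a binding cycle (A grants B, B grants A) from looping.
    """
    chains = {e: [e] for e in direct_grants}
    queue = deque(direct_grants)
    while queue:
        current = queue.popleft()
        for b in bindings:
            if b.source == current and b.destination not in chains:
                chains[b.destination] = chains[current] + [b.destination]
                queue.append(b.destination)
    return chains

# Constructed sample data; the entitlement names are made up.
BINDINGS = [
    Binding("okta:group/Engineering", "github:repo/api:pull", "System managed"),
    Binding("github:repo/api:pull", "ci:project/api:viewer", "Manual"),
    Binding("ci:project/api:viewer", "okta:group/Engineering", "Manual"),  # cycle
]

if __name__ == "__main__":
    held = explain_access(["okta:group/Engineering"], BINDINGS)
    for entitlement, chain in held.items():
        print(entitlement, "<=", " -> ".join(chain))
```

Each chain answers the two reviewer questions from the list above: read forward, it shows what access results from a grant; read backward, it shows how an entitlement was granted.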

Add a manual binding

In many cases, ConductorOne can create bindings for entitlements automatically through integrations. In some cases, it can be difficult or impossible to discern automatically if entitlements have a relationship. This may be due to custom configuration in federation, cross-application limitations, API limitations, or custom coding logic associated with group memberships.

Manual bindings allow ConductorOne to model these entitlement relationships. Defining these relationships is not required, but it automates the creation of grants and gives visibility into access across your enterprise. This allows for more intuitive access reviews that correctly review the downstream grants that are the focus of the access review, rather than many possible upstream grants.

To add a manual binding:

  1. Navigate to an entitlement (for clarity we’ll call this the “active entitlement” in these instructions) and click Bindings.

  2. Click Add manual binding.

  3. Select whether the binding is Incoming (the active entitlement is granted by another entitlement) or Outgoing (the active entitlement grants another entitlement).

  4. Select the application that contains the entitlement you’re binding the active entitlement to.

  5. Select the specific entitlement that you’re binding the active entitlement to.

  6. Click Add binding.

Your new manual binding is added to the list of bindings for the active entitlement. If you’ve created an outgoing binding, the details of the additional access grants bound to the active entitlement are shown in the Inherited entitlements area.