ConductorOne docs

Integrate an external ticketing system

Integrate your external ticketing system with ConductorOne to automatically create, track, and update helpdesk tickets for provisioning tasks.

Configure Jira Cloud as an external ticketing provider

This process walks you through configuring an external ticketing integration with Jira Cloud. Once set up, ConductorOne automatically creates Jira tickets to track provisioning assignments on the entitlements you choose. ConductorOne will track the status of the Jira ticket, and will update the status of the access request in ConductorOne accordingly.

Step 1: Set up the Jira Cloud connector

  1. Follow the documentation to set up the Jira Cloud connector.

  2. During configuration, check the box to Enable external ticket provisioning.

Step 2: Configure the external ticket provisioner integration

  1. In ConductorOne, click Settings > External ticketing.

  2. Click Add ticket provisioner.

  3. Select Jira Cloud as the ticket provisioner and give it a display name.

  4. Click Create and add details. A new configuration page opens.

  5. Find the Settings section of the page and click Edit.

  6. In the Schema field, select the Jira issue type that you want new issues to be created in.

  7. Optional. Add a ticket title and description that will be applied to all Jira issues created by ConductorOne.

    To customize your ticket titles and descriptions so they include specific information about the request, see the section on Customizing ticket templates below.

  8. Add a ticket label. This label (tag) will be added to Jira issues created by ConductorOne.

  9. Based on the Jira issue type you specified above, a list of custom fields is shown. Map these fields to the fields in a Jira issue. Except where noted, all fields are required.

  10. Add provision state mappings. ConductorOne will monitor the status of the Jira issue and update the access request task in ConductorOne accordingly.

    • Mark complete: When a Jira issue transitions to this status, ConductorOne will complete the provisioning step on the task.

    • Mark errored: When a Jira issue transitions to this status, ConductorOne will mark the provisioning step as errored and fall back to manual provisioning.

  11. Click Save.

Step 3: Configure entitlement provisioning settings

  1. In ConductorOne, click Applications.

  2. Select an application and click Entitlements.

  3. Click the (more actions) menu for your selected entitlement and select Edit provisioning.

  4. In the Configure provisioning drawer, select the External ticketing provisioning method.

  5. Select the Jira Cloud external ticket provisioner configuration you created.

  6. Optional. Add any instructions you want to include in the Jira tickets ConductorOne will create about how to provision this access.

  7. Click Save.

Repeat this process for other entitlements as needed.

That’s it! Now, when a user requests access to the entitlement, ConductorOne will automatically create a Jira issue. ConductorOne will monitor the status of the Jira issue, and once the Jira issue transitions to its completed status, the provisioning step will be marked complete in ConductorOne as well.

Configure Jira Data Center as an external ticketing provider

This process walks you through configuring an external ticketing integration with Jira Data Center. Once set up, ConductorOne automatically creates Jira tickets to track provisioning assignments on the entitlements you choose. ConductorOne will track the status of the Jira ticket, and will update the status of the access request in ConductorOne accordingly.

Step 1: Generate a personal access token in Jira Data Center

  1. In Jira Data Center, navigate to your profile by clicking on your profile icon and selecting Profile.

  2. Navigate to the Personal Access Tokens section.

  3. Click Create token.

  4. Give your token a name, such as “ConductorOne”.

  5. Click Create. The new personal access token is generated.

  6. Carefully copy and save the new token. You’ll use it in Step 3.

Step 2: Set up the Baton connector

This task requires the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose how to set up the new Baton connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

  5. Click Next.

    If you selected someone else as the connector owner, that person will be notified to take over this process from this point.

  6. Find the Settings area of the page and click Edit.

  7. Click Rotate to generate a new set of credentials. Carefully copy the Client ID and Secret. You’ll use them in Step 3.

Step 3: Set up the Jira Data Center Baton connector

Install the Jira Data Center Baton connector, passing in the credentials generated in Steps 1 and 2. Brew and Docker options are available.

Brew

  1. Install the Jira Data Center Baton connector:

    brew install conductorone/baton/baton conductorone/baton/baton-jira-datacenter

  2. Run the connector by passing in the credentials generated in Steps 1 and 2. Enable external ticket provisioning by adding the --ticketing flag:

    BATON_C1_API_HOST=<CONDUCTOR_ONE_API_DOMAIN> baton-jira-datacenter \
      --client-id <CLIENT ID> --client-secret <SECRET> \
      --instance-url <JIRA_INSTANCE_URL> --access-token <JIRA_ACCESS_TOKEN> \
      --ticketing

Docker

docker run --rm -v $(pwd):/out \
-e BATON_C1_API_HOST=<conductor-one-domain> \
-e BATON_CLIENT_ID=<client-id> \
-e BATON_CLIENT_SECRET=<client-secret> \
-e BATON_ACCESS_TOKEN=<jira-access-token> \
-e BATON_INSTANCE_URL=<jira-instance-url> \
-e BATON_TICKETING=true \
ghcr.io/conductorone/baton-jira-datacenter:latest -f "/out/sync.c1z"

Step 4: Configure the external ticket provisioner integration

  1. In ConductorOne, click Settings > External ticketing.

  2. Click Add ticket provisioner.

  3. Select Jira Data Center as the ticket provisioner and give it a display name.

  4. Click Create and add details. A new configuration page opens.

  5. Find the Settings section of the page and click Edit.

  6. In the Schema field, select the Jira issue type that you want new issues to be created in.

  7. Optional. Add a ticket title and description that will be applied to all Jira issues created by ConductorOne.

    To customize your ticket titles and descriptions so they include specific information about the request, see the section on Customizing ticket templates below.

  8. Add a ticket label. This label (tag) will be added to Jira issues created by ConductorOne.

  9. Based on the Jira issue type you specified above, a list of custom fields is shown. Map these fields to the fields in a Jira issue. Except where noted, all fields are required.

  10. Add provision state mappings. ConductorOne will monitor the status of the Jira issue and update the access request task in ConductorOne accordingly.

    • Mark complete: When a Jira issue transitions to this status, ConductorOne will complete the provisioning step on the task.

    • Mark errored: When a Jira issue transitions to this status, ConductorOne will mark the provisioning step as errored and fall back to manual provisioning.

  11. Click Save.

Step 5: Configure entitlement provisioning settings

  1. In ConductorOne, click Applications.

  2. Select an application and click Entitlements.

  3. Click the (more actions) menu for your selected entitlement and select Edit provisioning.

  4. In the Configure provisioning drawer, select the External ticketing provisioning method.

  5. Select the Jira Data Center external ticket provisioner configuration you created.

  6. Optional. Add any instructions you want to include in the Jira tickets ConductorOne will create about how to provision this access.

  7. Click Save.

Repeat this process for other entitlements as needed.

That’s it! Now, when a user requests access to the entitlement, ConductorOne will automatically create a Jira issue. ConductorOne will monitor the status of the Jira issue, and once the Jira issue transitions to the “Done” status, the provisioning step will be marked complete in ConductorOne as well.

Configure ServiceNow as an external ticketing provider

This process walks you through configuring an external ticketing integration with ServiceNow. Once set up, ConductorOne will automatically create ServiceNow items to track provisioning assignments on the entitlements you choose. ConductorOne will track the status of the ServiceNow item, and will update the status of the access request in ConductorOne accordingly.

Step 1: Set up the ServiceNow connector

  1. Follow the documentation to set up the ServiceNow connector.

  2. During configuration, check the box to Enable external ticket provisioning.

  3. Optional. Add a catalog ID and/or category ID to filter down catalog items. These fields are optional, but ConductorOne only syncs 100 catalog items, so filtering is recommended.

Step 2: Configure the external ticket provisioner integration

  1. In ConductorOne, click Settings > External ticketing.

  2. Click Add ticket provisioner.

  3. Select ServiceNow as the ticket provisioner and give it a display name.

  4. Click Create and add details. A new configuration page opens.

  5. Find the Settings section of the page and click Edit.

  6. In the Schema field, select the catalog item that you want requests to be created for.

  7. Optional. Add a ticket title and description. If added, the title and description will be added to all ServiceNow requested items created by ConductorOne.

    To customize your ticket titles and descriptions so they include specific information about the request, see the section on Customizing ticket templates below.

  8. Add a ticket label. This label (tag) will be added to ServiceNow requested items created by ConductorOne.

  9. Based on the schema you specified above, a list of custom fields is shown. Map these fields to the fields in a ServiceNow requested item. Except where noted, all fields are required.

    You can also use ServiceNow’s ref variables here, but the sys_id must be used to populate the value.

  10. Add provision state mappings. ConductorOne will monitor the status of the ServiceNow requested item and update the access request task in ConductorOne.

    • Mark complete: When a ServiceNow requested item transitions to this status, ConductorOne will mark the provisioning step on the task complete.

    • Mark errored: When a ServiceNow requested item transitions to this status, ConductorOne will mark the provisioning step as errored and fall back to manual provisioning.

  11. Click Save.

Step 3: Configure entitlement provisioning settings

  1. In ConductorOne, click Applications.

  2. Select an application and click Entitlements.

  3. Click the (more actions) menu for your selected entitlement and select Edit provisioning.

  4. In the Configure provisioning drawer, select the External ticketing provisioning method.

  5. Select the ServiceNow external ticket provisioner configuration you created.

  6. Optional. Add any instructions you want to include in the ServiceNow item about how to provision this access.

  7. Click Save.

Repeat this process for other entitlements as needed.

That’s it! Now, when a user requests access to the entitlement, ConductorOne will automatically create a ServiceNow requested item. ConductorOne will monitor the status of the ServiceNow requested item, and once the ServiceNow requested item transitions to the “Done” status, the provisioning step will be marked complete in ConductorOne as well.

Customizing ticket templates

You can pull data from ConductorOne into your external ticketing system so that each ticket shows specific details about the access request, user, application, and entitlement. The variables listed below can be used when setting up the ticket template fields in ConductorOne to generate a unique, customized title and description for each external ticket.

For example, using this template in the Description field:

Please grant {{ .User.Email }} the {{ .Entitlement.Name }} entitlement in {{.App.Name}}.

Results in a message in the ticket’s description field such as:

Please grant john.doe@example.com the Super Administrator Role Member entitlement in Okta.

You can also use if/else statements to form more complex conditional templates. For example, this template:

Please {{ if .IsGrantTicket }}grant{{ else }}revoke{{ end }} the {{ .Entitlement.Name }} entitlement in {{ .App.Name }} {{ if .IsGrantTicket }}to{{else}}from{{end}} {{ .User.Email }}

And this template:

Please {{ if eq .TicketType "Grant" }}grant{{ else }}revoke{{ end }} the {{ .Entitlement.Name }} entitlement in {{ .App.Name }} {{ if eq .TicketType "Grant" }}to{{else}}from{{end}} {{ .User.Email }}

Both result in these messages:

  • For a request: Please grant the Super Administrator Role Member entitlement in Okta to john.doe@example.com

  • For a revocation: Please revoke the Super Administrator Role Member entitlement in Okta from john.doe@example.com
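
To check a template before saving it, the following added example (not ConductorOne's own code) renders a conditional template locally for both a grant and a revoke ticket, so a misspelled variable in either branch is caught. It assumes the templates follow Go text/template syntax, which the {{ if eq ... }} form above matches; the Ticket, Person and Named types, the Preview function and all sample values are constructed stand-ins for a subset of the documented variables.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for a subset of the variables documented on this page;
// sample fills them with constructed values for one ticket type.
type Person struct{ Id, DisplayName, Email string }
type Named struct{ Id, Name string }
type Ticket struct {
	TicketType                    string // "Grant" or "Revoke"
	IsGrantTicket, IsRevokeTicket bool
	User                          Person
	App, Entitlement              Named
}

func sample(kind string) Ticket {
	return Ticket{
		TicketType: kind, IsGrantTicket: kind == "Grant", IsRevokeTicket: kind == "Revoke",
		User:        Person{"u-1", "John Doe", "john.doe@example.com"},
		App:         Named{"a-1", "Okta"},
		Entitlement: Named{"e-1", "Super Administrator Role Member"},
	}
}

// Preview renders tmpl once per ticket type so that both branches of every
// if/else execute; a misspelled variable in either branch comes back as an error.
func Preview(tmpl string) (map[string]string, error) {
	t, err := template.New("ticket").Parse(tmpl)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, kind := range []string{"Grant", "Revoke"} {
		var sb strings.Builder
		if err := t.Execute(&sb, sample(kind)); err != nil {
			return nil, fmt.Errorf("%s ticket: %w", kind, err)
		}
		out[kind] = sb.String()
	}
	return out, nil
}

func main() {
	out, err := Preview(`Please {{ if .IsGrantTicket }}grant{{ else }}revoke{{ end }} {{ .Entitlement.Name }} in {{ .App.Name }} for {{ .User.Email }}`)
	fmt.Println(out["Grant"], "|", out["Revoke"], "|", err)
}
```

Rendering only a grant ticket would miss a typo that sits in the revoke branch, because a branch that does not execute is never evaluated.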

Fields

  • {{ .Description }}: The description of (reason for) the access request.
  • {{ .Id }}: The unique ticket ID for the access request.
  • {{ .LengthOfAccess }}: How long access is requested for.
  • {{ .Instructions }}: The instructions on the entitlement provisioning settings.
  • {{ .BundleName }}: The bundle name for an access request that was made as part of a bundle request.
  • {{ .IsGrantTicket }}: Returns true if the ticket is a grant ticket, false otherwise.
  • {{ .IsRevokeTicket }}: Returns true if the ticket is a revoke ticket, false otherwise.
  • {{ .TicketType }}: Returns the type of the ticket (possible values: Revoke, Grant).

Subject

  • {{ .Subject.Id }}: The unique ID of the ConductorOne user.
  • {{ .Subject.DisplayName }}: The display name of the ConductorOne user.
  • {{ .Subject.Email }}: The email address of the ConductorOne user.
  • {{ .Subject.JobTitle }}: The job title of the ConductorOne user.
  • {{ .Subject.Department }}: The department of the ConductorOne user.
  • {{ .Subject.Profile.< CUSTOM USER ATTRIBUTE > }}: Any custom user attribute that you’ve set up in ConductorOne.

User

  • {{ .User.Id }}: The unique ID of the user.
  • {{ .User.DisplayName }}: The display name of the user.
  • {{ .User.Email }}: The email address of the user.
  • {{ .User.JobTitle }}: The job title of the user.
  • {{ .User.Department }}: The department the user works in.
  • {{ .User.Profile.< CUSTOM USER ATTRIBUTE > }}: Any custom user attribute for a user’s application account.

App

  • {{ .App.Id }}: The unique ID of the application.
  • {{ .App.Name }}: The name of the application.

Entitlement

  • {{ .Entitlement.Id }}: The unique ID of the entitlement.
  • {{ .Entitlement.Name }}: The name of the entitlement.
  • {{ .Entitlement.Description }}: A description of the entitlement.

RequestedFor

  • {{ .RequestedFor.Id }}: The ID of the user in your external ticketing system.