Upcoming webinar: How to stop privilege creep

ConductorOne docs

Connect directory apps and map key user data

Integrate your directory apps and designate them as the sources of truth for employee information.

Connect directory apps and create user accounts

As part of setting up ConductorOne for your organization, integrate your directory apps and designate them as the sources of truth for employee information.

What is a directory app?

The applications that hold key information about your organization’s employees are called directories in ConductorOne.

Directory apps can include:

  • Your human resources app
  • Your identity provider (IdP)
  • Other apps that contain employee data such as manager, employment status, department, or job title

Once directory apps are set, ConductorOne uses their information to create ConductorOne user accounts for everyone in your company.

Step 1: Integrate apps that hold employee data

This task requires the Super Administrator role in ConductorOne.

First, connect the apps that hold employee data, such as your HR system and your identity provider (IdP). Browse our connectors library and follow the instructions in the linked docs to connect the apps where your employee data is found.

You can also create a custom app from a spreadsheet or CSV of key employee data, and set this as a directory.

Step 2: Set apps as directories

Next, tell ConductorOne that the apps you’ve integrated are your directories. You can (and probably will!) have multiple directories, as employee data is commonly stored across multiple apps.

  1. In the ConductorOne navigation panel, open Admin and click Settings.

  2. In the User data sources area of the page, click Edit.

  3. Some apps commonly used as directories are automatically added to this section when you integrate them:

    • Google Workspace
    • Okta
    • OneLogin
    • JumpCloud
    • BambooHR

    If your directory app was not automatically added, select an application in the dropdown and click Add.

  4. If needed, repeat this process for additional apps.

  5. Click Done.

Step 3: ConductorOne creates user accounts from your directory apps

When an app is set as a directory, ConductorOne automatically uses the info in the directory’s accounts (excluding service accounts) to create ConductorOne user accounts. The user’s email address is the key data point.

Accounts from various apps integrated with ConductorOne are all tied to the same human user because they all share an email address.

Here’s an example of how it works.

Kelly is an employee at your company. Her work email, kelly@acmeco.com, is used for her accounts in the HR app, the company’s IdP, and in several other apps.

You integrate the HR app and the IdP with ConductorOne and set these two apps as directories. ConductorOne automatically creates ConductorOne user accounts for Kelly and all the human users it finds in the directory apps (service accounts are ignored).

Later on, when you integrate additional work apps, Kelly’s accounts on those apps will also be associated with her ConductorOne user account because they all use her kelly@acmeco.com email address.

What’s next?

Now that your directory apps are set up, tell ConductorOne where to find key data about your employees by mapping key user attributes.

Map user attributes

Pull key user data from the apps you integrate with ConductorOne into the platform with user attribute mapping.

Why do I need to map user attributes?

If your company is like most, you have employee info stored in several different apps. For instance, your human resources (HR) app might hold the data on who everyone’s manager is, while your identity provider (IdP) app has the details on job titles and departments.

To make sure all this critical employee data is imported and organized correctly, tell ConductorOne which app to pull what data from, and how that data is labeled in the source app. This lets ConductorOne build a single complete and accurate index of your company’s employees using the data from one or multiple apps.

Map key user attributes

This task requires the Super Administrator role in ConductorOne.

Tell ConductorOne where to find key pieces of employee data. This is where you can specify that (for instance) an employee’s manager should be pulled from the HR app, but job title and department should be read from the IdP. You’ll then map the info types ConductorOne looks for to the way that information is labeled in the source app.

  1. In the ConductorOne navigation panel, open Admin and click Settings.

  2. In the User data sources area of the page, click Edit.

  3. In the User attribute box, select one of the pre-loaded key user attributes. These are:

    • Manager
    • Department
    • Job Title
    • Directory Status (the employee’s status in the IdP, such as active, suspended, or deleted)
    • Employment Type (such as full-time employee, contractor, intern)
    • Employment Status (the employees’s status in the HR system, such as active, suspended, or deleted)
    • Additional Username

  4. In the Application box, select the app from which ConductorOne should source the selected user attribute data. All the apps you have integrated with ConductorOne are shown as options; you’re not limited to only reading user attribute data from your directories.

  5. In the Application attribute box, select the label used in your selected app for the user attribute.

    The Manager attribute is special. When adding the Manager user attribute, you do not need to select an application attribute. ConductorOne will find the relevant field for you.

  1. Click Add.

  2. Repeat the process to add the remaining key user attributes.

Now that the key user attributes are mapped, you can use them to refine the scope of access review campaigns by setting them as campaign parameters.

Create and map custom user attributes

This task requires the Super Administrator role in ConductorOne.

You can also add your own custom user attributes to ConductorOne. If you want to add additional fields such as a secondary email, business unit, or location.

The custom user attributes you create are added to each user’s details in ConductorOne, and you can use this data to refine the scope of access reviews.

  1. In the ConductorOne navigation panel, open Admin and click Settings.

  2. In the User data sources area of the page, click Edit.

  3. In the User attribute box, type in the name of the custom user attribute as you want it to appear on each user’s profile.

  4. In the Application box, select the app from which ConductorOne should source the selected user attribute data. All the apps you have integrated with ConductorOne are shown as options; you’re not limited to only reading user attribute data from your directories.

  5. In the Application attribute box, select the label used in your selected app for the user attribute.

    I don’t see the application attribute I need. Check to make sure that the application you’ve selected is connected and syncing data correctly. A sync error might be the cause of missing attributes.

  1. Click Add.

That’s it! The custom user attribute you’ve added is now shown on each user’s details page.