Diff access rights from two SaaS systems with Baton

Comparing access rights across different Software-as-a-Service (SaaS) systems can be tedious and time-consuming. ConductorOne's Baton makes the process much easier: with its command line interface (CLI), you can sync two GitHub organizations into local files and compare who holds a given entitlement in each.

After reading this guide, you will be able to:

  • Understand how to set up the Baton connectors
  • Understand how the baton utility works
  • Understand how to compare access rights between two GitHub organizations

Before you start

Before you begin, make sure you have everything set up from the list below:

Part one: Set up the Baton SDK

  1. Use this command to install the Baton CLI and the Baton GitHub connector:

    $ brew install conductorone/baton/baton conductorone/baton/baton-github
    

    If you don’t have Homebrew installed yet, follow this guide.

  2. Inspect the baton utility by using this command:

    $ baton --help
    

After running baton --help, you will see a console with all available commands. You can find a list of all the commands in our getting started guide, where we explain them in detail.

Now you have the Baton SDK ready to use. It’s time to show you how to use baton-github to create a c1z.

About the c1z file

  • A c1z file contains all of the information the connector collected during a synchronization run. Using the Baton CLI, you can browse the contents of a c1z file (sync.c1z by default) and export that data to a .csv or .xlsx file.

Part two: Connect GitHub connector and run comparison

The GitHub connector syncs the users, teams and repositories of an organization together with the access rights each principal holds, so you can review (and, with ConductorOne, manage) access across all repositories. Setting up the connector is simple, so let's take a look at how to do it.

  1. Create a new GitHub Personal Access Token with the following permissions:

    Area        Scope of access
    repo        All
    admin:org   All
    user        All

    Treat this token as highly sensitive: the repo and admin:org scopes grant write access to every repository and to organization membership, not just read access.
  2. Create a new file called github-compare.sh.

  3. Insert this code into the github-compare.sh:

#!/bin/bash
set -euo pipefail

# Set your token and orgs here. Prefer exporting BATON_TOKEN in your shell
# rather than writing it into this file; the placeholder is used only if it is unset.
BATON_TOKEN="${BATON_TOKEN:-<your GitHub token>}"
ORG1="<github org 1>"
ORG2="<github org 2>"

# Set what you want to compare between the two orgs
entitlementId="team" # resource type: org/team/repository
entitlementName="<name of your team>" # display name of the resource (e.g. name of a team)
entitlementType="member" # entitlement slug (admin/maintainer/member)

# Set the output filenames (timestamped so reruns do not overwrite earlier syncs)
now=$(date +"%Y%m%d%H%M%S")
c1zFileSaaS1="baton-saas1-comparison-$now.c1z"
c1zFileSaaS2="baton-saas2-comparison-$now.c1z"

# Run sync to produce a c1z for the 1st org
BATON_TOKEN="$BATON_TOKEN" baton-github --orgs "$ORG1" -f "$c1zFileSaaS1"

# Run sync to produce a c1z for the 2nd org
BATON_TOKEN="$BATON_TOKEN" baton-github --orgs "$ORG2" -f "$c1zFileSaaS2"

# Find the id (resourceType:resourceId) of the resource with the given type and
# display name in a c1z. Values are passed with --arg so names containing quotes
# or spaces are handled instead of breaking the jq program.
resource_id() {
  baton entitlements -f "$1" -o json \
    | jq -r --arg rt "$entitlementId" --arg name "$entitlementName" \
      '[.entitlements[].entitlement.resource
        | select(.id.resourceType == $rt and .displayName == $name)][0]
        | .id.resourceType + ":" + .id.resource'
}

idInSaaS1=$(resource_id "$c1zFileSaaS1")
idInSaaS2=$(resource_id "$c1zFileSaaS2")

# Without this check a resource missing from one org yields an empty id (":")
# and the comparison below silently compares against nothing.
for id in "$idInSaaS1" "$idInSaaS2"; do
  case "$id" in
    ""|":"|null) echo "no $entitlementId named '$entitlementName' found in both orgs" >&2; exit 1 ;;
  esac
done

# Compare the principals holding the entitlement in the two c1z files
baton principals compare -f "$c1zFileSaaS1" --entitlement "$idInSaaS1:$entitlementType" \
  --compare-entitlement "$idInSaaS2:$entitlementType" --compare-file "$c1zFileSaaS2"
  4. Insert your GitHub access token and the names of the two GitHub organizations into the script above, replacing the placeholders in angle brackets.

  5. Save github-compare.sh.

  6. Make github-compare.sh executable:

    $ chmod +x github-compare.sh

  7. Run the script to sync both organizations and compare the entitlement:

    $ ./github-compare.sh
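The script resolves an entitlement id from a display name and then hands the comparison to baton. The following Python example (added here; it is not ConductorOne's code and does not call the CLI) shows the same two steps offline so the edge cases are visible: a name that matches nothing returns None instead of the ":" the bare jq pipeline produces, a name shared by two distinct resources is rejected as ambiguous, and the principal sets are compared by GitHub login rather than by numeric user id, since the same person has different ids in different organizations. The entitlement JSON follows only the fields the page's jq filter reads (.entitlements[].entitlement.resource with id.resourceType, id.resource and displayName); the grant lists are a constructed, simplified shape of our own, not the CLI's real output.

```python
import json

# Constructed sample, reduced to the fields the page's jq filter reads.
# Real `baton entitlements -o json` output carries more fields.
ORG1_ENTITLEMENTS = {
    "entitlements": [
        {"entitlement": {"slug": "member",
                         "resource": {"id": {"resourceType": "team", "resource": "42"}, "displayName": "security"}}},
        {"entitlement": {"slug": "maintainer",
                         "resource": {"id": {"resourceType": "team", "resource": "42"}, "displayName": "security"}}},
        {"entitlement": {"slug": "admin",
                         "resource": {"id": {"resourceType": "repository", "resource": "7"}, "displayName": "security"}}},
    ]
}
ORG2_ENTITLEMENTS = {
    "entitlements": [
        {"entitlement": {"slug": "member",
                         "resource": {"id": {"resourceType": "team", "resource": "99"}, "displayName": "security"}}},
    ]
}

# Constructed, simplified grant lists: who holds which entitlement id.
# This is an assumed shape for the example, NOT the CLI's grant JSON.
ORG1_GRANTS = [
    {"entitlement": "team:42:member", "principal": {"id": "user:1001", "displayName": "alice"}},
    {"entitlement": "team:42:member", "principal": {"id": "user:1002", "displayName": "bob"}},
    {"entitlement": "team:42:maintainer", "principal": {"id": "user:1003", "displayName": "carol"}},
]
ORG2_GRANTS = [
    {"entitlement": "team:99:member", "principal": {"id": "user:2001", "displayName": "bob"}},
    {"entitlement": "team:99:member", "principal": {"id": "user:2004", "displayName": "dave"}},
]


def resolve_entitlement(doc, resource_type, display_name, slug):
    """Return 'resourceType:resourceId:slug' for the named resource, or None if absent.

    A resource appears once per entitlement slug (member, maintainer, ...), so
    matches are collapsed by resource id; two distinct ids for one name is an error.
    """
    ids = set()
    for ent in doc["entitlements"]:
        res = ent["entitlement"]["resource"]
        if res["id"]["resourceType"] == resource_type and res["displayName"] == display_name:
            ids.add(res["id"]["resource"])
    if not ids:
        return None
    if len(ids) > 1:
        raise ValueError(f"{resource_type} {display_name!r} is ambiguous: {sorted(ids)}")
    return f"{resource_type}:{ids.pop()}:{slug}"


def principals_for(grants, entitlement_id):
    """Set of principal display names (GitHub logins) holding entitlement_id."""
    return {g["principal"]["displayName"] for g in grants if g["entitlement"] == entitlement_id}


def diff_principals(grants_a, ent_a, grants_b, ent_b):
    """Compare holders of two entitlements by login; user ids differ between orgs."""
    a, b = principals_for(grants_a, ent_a), principals_for(grants_b, ent_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "in_both": sorted(a & b)}


def compare_team(team, slug="member"):
    """Resolve the team in both orgs and diff its members; fail loudly if it is missing in either."""
    ent1 = resolve_entitlement(ORG1_ENTITLEMENTS, "team", team, slug)
    ent2 = resolve_entitlement(ORG2_ENTITLEMENTS, "team", team, slug)
    if ent1 is None or ent2 is None:
        raise SystemExit(f"team {team!r} not found in both orgs (org1={ent1}, org2={ent2})")
    return diff_principals(ORG1_GRANTS, ent1, ORG2_GRANTS, ent2)


if __name__ == "__main__":
    print(json.dumps(compare_team("security"), indent=2))
```

On the constructed data the "security" team resolves to team:42:member in org 1 and team:99:member in org 2, and the diff reports alice only in org 1, dave only in org 2 and bob in both; the repository that happens to share the name "security" is ignored because the lookup is keyed on resource type as well as display name.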

What’s next?

Now that you can compare access rights across different SaaS systems with Baton, you can look into its other features. ConductorOne provides export capabilities that help administrators review and take control of user access. The Baton SDK also has connectors for Amazon Web Services, so the same sync-and-compare workflow applies to your cloud accounts. With these tools, you can review access rights for users and manage security more efficiently across all your systems.

Check out our other tutorials to discover the full potential of Baton: