Nailing the Security Audit with RRCU

Baton docs

Welcome to Baton

Welcome to Baton by ConductorOne. In this guide you will find all the basic information for working with the Baton project, which includes a CLI, connectors for popular SaaS and IaaS apps, and an SDK for using Baton with any application.

What is Baton by ConductorOne?

Baton comprises three major components:

The Baton CLI

A command line interface that provides a set of commands to extract, compare, and explore identity, resource, and permission data in an app.

The Baton SDK

A toolkit that makes building a connector for any application seamless. These connectors generate data that the CLI consumes and/or they can connect directly to ConductorOne.

Baton connectors

These pre-built and supported integrations work with common SaaS and IaaS apps to sync identity and permission data.

As a toolkit, Baton allows you to easily gain unified visibility into all identity, resource, and permission data in an application and to create workflows that manage identity and access.

Why did ConductorOne build Baton?

ConductorOne is an identity security company that helps companies automate user access control and governance. Our software provides real-time visibility into all accounts in your Saas, IaaS, on-prem, and HR environments and allows customers to automate access control on users, groups, roles, and permissions.

ConductorOne uses Baton as the integration layer to connect our control plane to any application. This unified interface means that ConductorOne can work with any app, regardless of whether that app has modern APIs and/or where it is deployed (on prem or cloud). Baton, as an interface, creates a connective layer and unified view of all identity, resource, and access data within an application, and allows ConductorOne to execute workflows against those applications (such as just in time provisioning, visibility into identities, user access reviews, and more). The Baton SDK allows ConductorOne to connect to any application, even if ConductorOne does not maintain a cloud connector for that app.

Why did ConductorOne open source Baton?

ConductorOne open sourced the Baton project because:

  • There are a lot of hacky Python scripts out there doing the same thing: extracting and munging identity and access data.
  • Every app has a bespoke identity and authorization management scheme, but the world needs a unified interface for orchestrating access control.
  • We wanted to give back to the security engineering community by providing a valuable tool that can help users accomplish their identity security or governance project goals.

How do I start using Baton?

There are two ways to work with Baton:

The Baton command-line interface (CLI): the CLI allows you to work with data extracted from a Baton integration. For example, after syncing data from GitHub using the baton-github connector, you can use the Baton CLI to query all of the GitHub repo admins in an org.

The Baton software development kit (SDK): use the SDK to create a connector for ANY application or technology. Once implemented, the connector can be used for gaining visibility into identity and authorization data and for managing access in the app.

Let’s take a look at both options:

Use the Command Line Interface

The Baton CLI allows you to interface with data extracted from a Baton connector.

This is what the CLI looks like:

baton is a utility for working with the output of a baton-based connector

Usage:
  baton [command]

Available Commands:
  access         List effective access for a user
  completion     Generate the autocompletion script for the specified shell
  diff           Perform a diff between sync runs
  entitlements   List entitlements
  export         Export data from the C1Z for upload
  grants         List grants
  help           Help about any command
  principals     List principals
  resource-types List resource types for the latest (or current) sync
  resources      List resources for the latest sync
  stats          Simple stats about the c1z

Flags:
  -f, --file string            The path to the c1z file to work with. (default "sync.c1z")
  -h, --help                   help for baton
  -o, --output-format string   The format to output results in: (console, json) (default "console")
  -v, --version                version for baton

Use "baton [command] --help" for more information about a command.

Implement the Baton SDK to create a connector for your app

The Baton SDK can be implemented to support any application or technology. By using the Baton SDK, you create a unified interface that the Baton CLI can interface with and/or you can connect the app directly to ConductorOne to use with our modern governance and access management control plane. The SDK can be implemented to support backoffice portals, homegrown apps, legacy on-prem systems, and SaaS tools that aren’t supported by ConductorOne.

What’s next?

We have two guides that explain how to use the Baton CLI and how to integrate the SDK into your application:

Or see the list of connectors we’ve built with Baton:

But it doesn’t stop there! Check out our Baton tutorials for practical examples of Baton in action:

Related topics

  • Export GitHub access updates to a CSV file using Baton

    After reading this guide, you will be able to: Understand how the Baton SDK works Understand how to connect Baton SDK to your GitHub instance Understand how to use the CLI Understand how to export results in a... Read more

  • Baton connectors

    Available Baton connectors Click on any connector to be directed to its GitHub repo, where you can learn more about installing the connector, its available commands, and the specific identity and permission data the connector syncs... Read more

  • Getting started with the Baton CLI

    In this guide you can find basic information about the Baton CLI. Together we will go through the basic concepts and show you how to install and use the CLI... Read more