Inside DigitalOcean’s SOX Compliance Playbook

Baton docs

Provision access using the Baton CLI

If the Baton connector you're using supports provisioning, you can use the Baton CLI to provision and deprovision access for members of your team.

If you’re working with a Baton connector built by the ConductorOne team, visit the Baton connectors library for information on whether your connector supports provisioning and what it can provision.

Provision access with the Baton CLI

  1. Run baton resources -t user to look up the user ID for the application account you want to grant access to.

    ❯ baton resources -t user
    ID        | Display Name    | Resource Type | Parent Resource
    117884397 | jirlose         | User          | -
    61822     | Justin Gallardo | User          | -
    
  2. Make a note of the ID number for the account you want to grant access to.

  3. Run baton entitlements to look up the entitlements available to grant in the application.

    ❯ baton entitlements
    ID                            | Display Name                | Resource Type | Resource    | Permission
    team:8442709:member           | test-team Team Member       | Team          | test-team   | member
    team:8442709:maintainer       | test-team Team Maintainer   | Team          | test-team   | maintainer
    team:6951557:member           | test Team Member            | Team          | test        | member
    team:6951557:maintainer       | test Team Maintainer        | Team          | test        | maintainer
    team:8007359:member           | jirwin-test Team Member     | Team          | jirwin-test | member
    team:8007359:maintainer       | jirwin-test Team Maintainer | Team          | jirwin-test | maintainer
    repository:564115691:pull     | test-repo Repo Pull         | Repository    | test-repo   | pull
    repository:564115691:triage   | test-repo Repo Triage       | Repository    | test-repo   | triage
    repository:564115691:push     | test-repo Repo Push         | Repository    | test-repo   | push
    repository:564115691:maintain | test-repo Repo Maintain     | Repository    | test-repo   | maintain
    repository:564115691:admin    | test-repo Repo Admin        | Repository    | test-repo   | admin
    repository:516060177:pull     | quadlek Repo Pull           | Repository    | quadlek     | pull
    repository:516060177:triage   | quadlek Repo Triage         | Repository    | quadlek     | triage
    repository:516060177:push     | quadlek Repo Push           | Repository    | quadlek     | push
    repository:516060177:maintain | quadlek Repo Maintain       | Repository    | quadlek     | maintain
    repository:516060177:admin    | quadlek Repo Admin          | Repository    | quadlek     | admin
    org:58892331:admin            | quadlek Org Admin           | Org           | quadlek     | admin
    org:58892331:member           | quadlek Org Member          | Org           | quadlek     | member
    
  4. Make a note of the ID number associated with the entitlement you want to grant.

  5. Run the connector with the --grant-entitlement flag, passing in the entitlement ID and account ID you looked up earlier:

    ❯ baton-<CONNECTOR NAME> --grant-entitlement <ENTITLEMENT ID> --grant-principal <ACCOUNT ID> --grant-principal-type user
    

    Here’s an example using Baton to grant the test-team member entitlement to account Justin Gallardo in GitHub:

    ❯ baton-github --grant-entitlement team:8442709:member --grant-principal 61822 --grant-principal-type user
    

That’s it! The account you specified is now granted access to the entitlement you specified.

Deprovision access with the Baton CLI

  1. Sync the Baton connector by running baton-<CONNECTOR NAME> to make all grant information is up to date.

  2. Look up the ID for the entitlement you want to deprovision from an account. For example, to look up the accounts that have the test-team member entitlement (which we looked up in the provision access instructions above):

    ❯ baton grants -t team -r 8442709
    ID                                 | Resource Type | Resource  | Entitlement               | Principal
    team:8442709:maintainer:user:5170  | Team          | test-team | test-team Team Maintainer | Mindy Moreland
    team:8442709:maintainer:user:61822 | Team          | test-team | test-team Team Maintainer | Justin Gallardo
    
  3. Run the connector with the --revoke-grant flag, passing in the ID you looked up in step 2.

    ❯ baton-<CONNECTOR NAME> --revoke-grant <ENTITLEMENT ID>
    

    Here’s an example of the command used to revoke the test-team Team Maintainer entitlement from account Justin Gallardo in GitHub:

    ❯ baton-github --revoke-grant team:8442709:maintainer:user:61822
    

That’s it! The entitlement is now deprovisioned from the account.