Skip to main content

What are resources?

In ConductorOne, a resource represents any object within an application. Think of resources as the specific items you want to manage access for. Common examples of resources include:
  • Roles
  • Groups
  • Permission sets
  • Profiles
  • Licenses
  • S3 buckets
Resources are always specific to a particular application. ConductorOne’s flexible data model allows you to easily model and manage these resources, along with the entitlements (the specific access rights) associated with each resource. ConductorOne automatically identifies and creates resources when application data is ingested through connectors or file uploads. These resources form the foundation for all permission management activities within ConductorOne. You can view all an application’s resources on the Resources tab.

What is the Credential resource?

Every application managed within ConductorOne includes a unique default resource known as the Credential resource. This resource always contains exactly one entitlement, called Access. The Credential resource represents the fundamental ability to have an account within that specific application. The Access entitlement is used to reference and manage accounts associated with the application. This design allows ConductorOne to uniformly manage both accounts and general application access as if they were standard resources and entitlements. Example use cases:
  • Making new accounts requestable: To allow users to request new accounts within an application, configure the access controls directly on the Access entitlement of the application’s Credential resource.
  • Running account-level access reviews: If you need to perform an access review for all users who possess any account within a particular application, select the application’s Credential resource as the target for the review.

Creating resources

Most resources in ConductorOne are created automatically when application data is ingested. Our connectors are designed to identify and synchronize essential resources (such as roles, groups, and permissions) from your connected applications directly into ConductorOne. This automated process ensures that your resource inventory is always up to date. In specific scenarios where a resource cannot be automatically ingested (such as for custom or non-standard objects), resources can be created manually. You can do this via the ConductorOne API or by creating a virtual entitlement.

Managing resources

Once resources are in ConductorOne, you can manage their associated metadata, even if they were automatically ingested by a connector. To manage a resource, navigate to the resource’s details page:
1
Navigate to Admin > Applications and click Resources.
2
Click the name of the resource you want to manage.
From the resource detail page, you can rename the resource, update its owners, and change the resource’s description.

Rename the resource

If you change the name of the resource, ConductorOne will remember and persist this change through future connector syncs, but the new name will not be written back to the connected application. To change the resource name:
1
On the resource’s details page, click on the current resource name. This transforms the name into an editable text box.
2
Enter the new name, then press Enter or click outside of the field to save your changes.

Change resource owners

Resource owners can be the target of policy approval steps. For example, a policy might require a resource owner to approve an access request for sensitive data or roles. To edit the resource owner:
1
On the resource’s details page, click Edit.
2
In the Owner field, add or remove owners as needed.
3
Click Save.

Change resource description

By default, resource description are auto-generated to provide a basic explanation of their functionality, but you can edit these default descriptions to provide more tailored information. Resource descriptions are displayed to users during access reviews. To edit the resource description:
1
On the resource’s details page, click Edit.
2
Update the contents of the Description field.
3
Click Save.

View a resource’s grants

A grant signifies that an application account has been explicitly assigned an entitlement (a specific access right) on a resource. Viewing grants allows you to see who currently has access to a particular resource. To view the a resource’s current grants:
1
Navigate to Admin > Applications and click Resources.
2
Click the name of the resource. The resource’s details page opens.
3
Click Grants.
This tab displays a comprehensive list of all accounts that have been assigned entitlements for this resource. You can filter this list by account type and status.

Delete a resource

You can delete manually created resources from ConductorOne.
Important:Resources that have been synchronized from a connector cannot be deleted directly within ConductorOne. These resources represent the authoritative “truth” as defined in your connected software tool. To remove such a resource from ConductorOne, you must first delete it within the source tool itself, and the resource will be removed from ConductorOne on the next data sync.
To delete a manually created resources:
1
Navigate to Admin > Applications and click Resources.
2
Click the name of the resource. The resource’s details page opens.
3
Click the (more actions) menu and select Delete.
You’ll be asked to confirm your action before you proceed.