ConductorOne docs

Understanding entitlement provisioning

Learn how entitlement provisioning works in ConductorOne.

Provisioning is hard! (And complicated.) We’re identity people, we’d know.

ConductorOne supports multiple methods for provisioning access. This allows you to add governance and access control to all of your apps and technologies.

We’ll walk you through the different methods for provisioning, from simplest to most sophisticated, and when to use each one.

Method 1: Connector provisioning

When to use? Connector (direct) provisioning is the default provisioning strategy for apps with a connector.

This is the easiest method. Provisioning-enabled ConductorOne connectors complete the provisioning process directly, without any input needed from you. ConductorOne can provision fine-grained entitlements and permissions directly in the connected application or infrastructure. By default, ConductorOne will use the connector when provisioning or deprovisioning access. To determine if a connector supports provisioning, see the connector’s documentation.

Method 2: Linked entitlements

When to use? Use linked entitlements if the application is in your SSO directory or identity provider and you need basic access control.

ConductorOne allows you to manage the apps from your SSO directory or identity provider. Once these apps are managed, ConductorOne will discover “linked entitlements”. These are entitlements in the SSO directory or identity provider that have a relationship with the application.

Examples of linked entitlements:

  • In Microsoft Entra, several groups are assigned to the application for access control.
  • In Okta, several push groups are used to push group memberships to the app via SCIM.
  • In Okta, AWS access is controlled using custom attributes that are added to the SAML assertion at login time.

In each example above, access is “controlled” by assigning the user to the entitlement (such as group membership) in the SSO directory or identity provider.

ConductorOne allows you to manage provisioning in the downstream app by creating the linkage between that managed app in ConductorOne and the SSO directory or identity provider.

To use this method, first ensure that the app is managed by ConductorOne:

  1. Navigate to the Applications page.
  2. Click the Unmanaged apps tab.
  3. Find the app and click Manage.
  4. Set the app owners and click Manage.

Next, configure the linked entitlements:

  1. On the Managed apps tab, click the app you just managed.
  2. Click the Linked entitlements tab.
  3. Click Set up linked entitlements.
  4. Use the panel to either create new roles or resources in ConductorOne that map to those entitlements, or map those to existing roles or resources (if you’ve already added a connector to the app).

Once set up, ConductorOne will provision the entitlement by provisioning the “linked” entitlement in the SSO directory or identity provider. This is transparent to the end user.

Method 3: Manual provisioning

When to use? Use manual provisioning as a last resort. Nobody likes touching provisioning requests.

Manual provisioning treats the provisioning step as if ConductorOne were a ticketing engine. The provisioning task is assigned to one or more users, who complete the provisioning by hand and mark the task done.

Manual provisioning can be configured by clicking the provisioning settings on an entitlement.

If there is an error or issue in provisioning, manual provisioning is used as the fallback method. In this scenario, the request is assigned to the application owner to resolve the issue.

Method 4: Ticket-based provisioning

When to use? Use ticket-based provisioning if you need access requests to flow through your helpdesk.

ConductorOne supports helpdesk ticket creation as a method for provisioning access. To use ticket provisioning, you’ll first need to add a connector that supports ticket provisioning. Examples of ticketing-enabled connectors are Jira and ServiceNow.

Once a connector with ticketing is added, configure how ConductorOne will create tickets in the system (see External ticketing for instructions), then set provisioning to use the external ticketing option. Once set up, a helpdesk ticket will be automatically created any time provisioning is required. ConductorOne will track the progress of the helpdesk ticket and update or close the provisioning task accordingly.

Method 5: Webhook provisioning

When to use? Use a webhook if you want to quickly add provisioning for a homegrown app, or if you need to add custom logic in your provisioning workflow.

To set up webhook provisioning:

  1. Navigate to Admin > Settings and click Webhooks.
  2. Follow the instructions in Using webhooks to set up a new webhook endpoint.
  3. In ConductorOne, click Applications.
  4. Select an application and click Entitlements.
  5. Click the (more actions) menu for your selected entitlement and select Edit provisioning.
  6. In the Configure provisioning drawer, select the Webhook provisioning method.
  7. Select your webhook from the dropdown.
  8. Click Save.
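As an added example (not ConductorOne's own code, and not its documented webhook payload), here is a minimal receiver for a homegrown app: it verifies an HMAC signature over the raw body before parsing, rejects malformed tasks, and applies grant/revoke idempotently so a redelivered webhook is not applied twice. The header name, the shared secret, and the JSON field names are assumptions.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shared secret agreed with the sender; placeholder value constructed for this example.
WEBHOOK_SECRET = b"replace-with-shared-secret"
# Assumed header name carrying hex HMAC-SHA256 over the raw request body.
SIGNATURE_HEADER = "X-Webhook-Signature"
GRANTS = {}            # in-memory stand-in for the app's entitlement store: user -> entitlements
APPLIED_TASKS = set()  # task ids already processed, so redeliveries are not applied twice

def sign(body: bytes) -> str:
    """HMAC-SHA256 over the exact raw body, hex encoded (what the sender is assumed to compute)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

def handle_webhook(body: bytes, signature: str) -> tuple:
    """Validate and apply one provisioning task; returns (HTTP status, outcome)."""
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return 401, "bad signature"  # checked on raw bytes, before parsing anything
    try:
        task = json.loads(body)
    except ValueError:
        return 400, "malformed json"
    keys = ("task_id", "action", "user", "entitlement")
    fields = [task.get(k) for k in keys] if isinstance(task, dict) else [None]
    if not all(isinstance(v, str) and v for v in fields):
        return 400, "missing fields"
    task_id, action, user, entitlement = fields
    if task_id in APPLIED_TASKS:
        return 200, "duplicate"  # acknowledge a redelivery without re-applying it
    if action == "grant":
        GRANTS.setdefault(user, set()).add(entitlement)
    elif action == "revoke":
        GRANTS.get(user, set()).discard(entitlement)
    else:
        return 400, "unknown action"
    APPLIED_TASKS.add(task_id)
    return 200, action + " applied"

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, outcome = handle_webhook(body, self.headers.get(SIGNATURE_HEADER, ""))
        self.send_response(status)
        self.end_headers()
        self.wfile.write(outcome.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Returning 200 for a duplicate rather than an error keeps the sender from retrying a task that has already been applied, while the replay ledger keeps the retry from changing access a second time.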

Method 6: Multi-step provisioning

When to use? Use multi-step provisioning if granting access takes multiple steps, such as “put the user in an IdP group, then directly provision the entitlement in another application”.

Multi-step provisioning gives you significant flexibility: you can chain a series of provisioning steps, such as “send a webhook, then create a helpdesk ticket, then directly assign the permission in the app”.

To configure multi-step provisioning:

  1. In ConductorOne, click Applications.
  2. Select an application and click Entitlements.
  3. Click the (more actions) menu for your selected entitlement and select Edit provisioning.
  4. In the Configure provisioning drawer, use the Add step controls to add as many provisioning steps as are needed. Make sure to add the provisioning steps in the order you want them to be applied.
  5. Click Save.