
Understanding entitlement provisioning

This guide will give you the basics on how entitlement provisioning works.

Provisioning is hard! (And complicated.) We’re identity people; we’d know.

ConductorOne supports multiple methods for provisioning access. This allows customers to add governance and access control to all of their apps and technologies.

In this guide, we’ll cover the different methods for provisioning, from simplest to most sophisticated.

Method 1: Connector provisioning

When to use? Direct provisioning is the default provisioning strategy for apps with a connector.

This is the easiest method for provisioning. Our connectors just “take care of” the provisioning directly. This allows ConductorOne to provision fine-grained entitlements and permissions directly in the connected application or infrastructure. By default, ConductorOne will use the connector when provisioning or deprovisioning access. To determine whether a connector supports provisioning, see that connector’s docs page.

Method 2: Linked entitlements

When to use? Use linked entitlements if the application is in your SSO / identity provider and you need basic access control.

ConductorOne allows you to manage apps from your SSO directory or identity provider. Once these apps are managed, ConductorOne will discover “linked entitlements”. These are entitlements in the SSO or identity provider that have a relationship with the application.

Examples of linked entitlements are:

  • In Microsoft Entra, several groups are assigned to the application for access control
  • In Okta, several push groups are used to push group memberships to the app via SCIM
  • In Okta, AWS access is controlled using custom attributes that are added to the SAML assertion at login time

In the examples above, access is “controlled” by assigning the user to the entitlement (e.g. group membership) in the IdP or SSO solution.

ConductorOne allows you to manage provisioning in the downstream app by creating the linkage between that managed app in ConductorOne and the identity provider / SSO solution.

To use this method, first ensure that app is managed by ConductorOne:

  1. Navigate to the Applications tab
  2. Click the Unmanaged tab
  3. Find the app, and click Manage
  4. Set the app owners and click Continue

Then, configure the linked entitlements:

  1. Navigate to the managed app
  2. Click the Linked entitlements tab in the app
  3. Click Set up linked entitlements
  4. Use the panel either to create new roles or resources in ConductorOne that map to those entitlements, OR to map them to existing roles or resources (if you’ve already added a connector to the app)

Once set up, ConductorOne will provision the entitlement by provisioning the “linked” entitlement in the IdP / SSO solution. This is transparent to the end user.

Method 3: Manual provisioning

When to use? Use manual provisioning as a last resort. Nobody likes touching provisioning requests.

Manual provisioning treats the provisioning step as if ConductorOne were a ticketing engine. With manual provisioning, the provisioning task is assigned to one or more users to complete the provisioning.

Manual provisioning can be configured by clicking the provisioning settings on an entitlement.

If there is an error or issue in provisioning, manual provisioning is used as the fallback method. In this scenario, the request is assigned to the application owner to resolve the issue.

Method 4: Ticket-based provisioning

When to use? Use ticket-based provisioning if you need access requests to flow through your helpdesk.

ConductorOne supports helpdesk ticket creation as a method for provisioning access. To use ticket provisioning, you’ll first need to add a connector that supports ticket provisioning. Examples of ticketing enabled connectors are Jira and ServiceNow.

Once a connector with ticketing is added, create a template for the ticket:

  1. Navigate to Admin > Settings
  2. Click the External ticketing tab
  3. Set up an external ticketing template (see External ticketing for more information)

Then set provisioning for the entitlement to use the external ticketing template you defined.

Method 5: Webhook provisioning

When to use? Use a webhook if you want to quickly add provisioning for a homegrown app or if you need to add custom logic in your provisioning workflow.

To use webhooks:

  1. Navigate to Admin > Settings
  2. Click the Webhooks tab
  3. Set up a new webhook endpoint (see Using webhooks for more information)

Then set provisioning for the entitlement to use the webhook you defined.
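The homegrown-app side of a webhook integration, as an added example (not ConductorOne’s code, and the real webhook payload, header name and signing scheme are not described on this page, so the HMAC-SHA256-over-body signature, the `X-Webhook-Signature` header and the `id`/`action`/`user`/`entitlement` fields are assumptions). It shows the checks a receiver needs before it applies a grant or revoke: authenticate the request, reject malformed events, and stay idempotent on redelivery; a non-200 result is what would send the request down the manual-provisioning fallback described above.

```python
import hmac
import hashlib
import json

# Assumed header name and signing scheme (HMAC-SHA256 over the raw body, hex encoded).
SIGNATURE_HEADER = "X-Webhook-Signature"

# In-memory stand-in for the homegrown app's access store: entitlement -> set of users.
access_store = {}
seen_events = set()  # event ids already applied, so redeliveries are no-ops


def sign_body(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented) -> bool:
    # Constant-time compare so the check leaks nothing about the expected value.
    return hmac.compare_digest(sign_body(secret, body), presented or "")


def has_access(user: str, entitlement: str) -> bool:
    return user in access_store.get(entitlement, set())


def handle_provisioning_event(secret: bytes, headers: dict, body: bytes) -> dict:
    """Apply one grant/revoke event and return an HTTP-style status dict."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return {"status": 401, "error": "bad signature"}
    try:
        event = json.loads(body)
        event_id, action = event["id"], event["action"]
        user, entitlement = event["user"], event["entitlement"]
    except (ValueError, KeyError, TypeError) as exc:
        return {"status": 400, "error": f"malformed event: {exc!r}"}
    if event_id in seen_events:
        return {"status": 200, "result": "duplicate, already applied"}
    if action not in ("grant", "revoke"):
        return {"status": 400, "error": f"unknown action {action!r}"}
    members = access_store.setdefault(entitlement, set())
    members.add(user) if action == "grant" else members.discard(user)
    seen_events.add(event_id)  # record only after the change succeeded
    return {"status": 200, "result": f"{action} applied"}


if __name__ == "__main__":
    # Constructed sample event and secret for a local run.
    secret = b"constructed-demo-secret"
    body = json.dumps({"id": "evt-1", "action": "grant",
                       "user": "alice", "entitlement": "admin"}).encode()
    print(handle_provisioning_event(secret, {SIGNATURE_HEADER: sign_body(secret, body)}, body))
```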

Method 6: Custom / multi-step provisioning

When to use? Use custom / multi-step provisioning if provisioning access takes multiple steps, e.g. putting the user in an IdP group AND directly provisioning the entitlement in another application.

Custom provisioning allows for significant flexibility when it comes to provisioning access. Multi-step provisioning allows you to perform a series of steps for provisioning access, e.g. send a webhook, then create a helpdesk ticket, then directly assign the permission in the app.