Add and manage applications

Applications allow you to govern access and gain visibility into accounts and permissions.

Your application inventory

Applications in ConductorOne mirror the tools and services your organization uses. You’ll have an application for each piece of software that you manage in ConductorOne.

On the Applications page, there are three application categories:

  • Managed apps: These are the apps you’ve set up in ConductorOne so it can provide visibility, governance, and automation. You’re actively managing these apps with ConductorOne.

  • Unmanaged apps: When you add a connector for an app that is an identity provider (IdP), SSO, or federation provider, the connector discovers the child apps inside of it. These apps are listed as unmanaged. You can move these apps to the Managed state (more on that below) or leave them as-is.

  • Shadow apps: These are apps that have been discovered in your environment but are likely not sanctioned for use by your organization’s corporate IT. Learn more about shadow apps.

All newly created tenants start with a single managed app: the ConductorOne app.

Create a new application

Setting up a new application primarily involves telling ConductorOne where the app’s access data will be sourced from.

A user with the Application Admin or Super Admin role in ConductorOne must complete this task.

  1. Navigate to Admin > Applications and click New application.

  2. Select the data source for the new application:

    • Connector to sync data automatically through a direct integration with the tool or service.

    • File import to upload access data from a file or data source. Learn more about formatting files for upload.

      Also select this option if you want to create a custom app that provisions access using webhooks or helpdesk tickets.

    • Single-sign-on provider to pull data about the app via your single-sign-on provider’s connector.

  3. Provide the required information for your chosen data type:

    • For a Connector app, select the connector.

      If you haven’t yet set up the connector, leave this page and complete that task, then come back and create the application.

    • For a File import app, set the new app’s name and provide a description. You’ll be prompted to import the data on the next screen.

    • For a Single-sign-on app, select the application from the list of currently unmanaged apps. Optionally, select a connector to add to this app.

      Adding a connector to a single-sign-on app means that the application will contain records of both what the single-sign-on provider knows about the app (activity and accounts), and the resource and entitlement data pulled from the software itself by the connector.

      For example, if your organization signs into BizApp via your SSO provider, you’d select the unmanaged BizApp application, then add the BizApp connector you set up to pull access data directly from the software into ConductorOne. (You can also add a connector to a single-sign-on app later, if it’s not set up quite yet.)

  4. Set one or more application owners. You can add or change application owners later, if needed.

    Application owners can manage the configuration of the applications they own, can be set as reviewers in policies, and are the fallback assignees if an automatic provisioning task on this app fails.

    Make sure the users you select as application owners have either the Application Admin or Super Admin user role, as these are required to be able to see and manage the application.

  5. Click Continue. The new application’s details page opens.

That’s it! From here, you can configure the new app, add connectors or upload data, view resources, entitlements, and accounts, run reports, and more.

Move an unmanaged app to managed

When you add a connector for an app that is an identity provider (IdP), SSO, or federation provider, the connector discovers the apps that are inside of it. These apps are added to the Unmanaged app list.

If you want to bring an unmanaged app under ConductorOne management so you can start enforcing access controls on it:

  1. On the Applications page, click Unmanaged apps.

  2. Locate the app and click Manage.

  3. Set one or more application owners. (You can add or change application owners later, if needed.)

    Application owners can manage the configuration of the applications they own, can be set as reviewers in policies, and are the fallback assignees if an automatic provisioning task on this app fails.

    Make sure the users you select as application owners have either the Application Admin or Super Admin user role, as these are required to be able to see and manage the application.

  4. Click Manage. The unmanaged app becomes a new managed app.

How connectors relate to apps

Connectors provide data ingestion and orchestration functionality for a managed application. See the full connector library for the available connectors, and the connectors overview and FAQ page to learn more about how they work.

Should an app have multiple connectors?

In most cases, you’ll only have a single connector for an application. However, it’s not uncommon to need or want to have multiple data sources feeding into one application in ConductorOne.

For example, you might use a complex tool that requires multiple flat file uploads to fully represent the user and access data. In this case, you would add multiple file connectors to the application, one for each of the files.

Important notes about managing applications

Delete applications with great caution!

If you delete an IdP, federation, or SSO provider application from ConductorOne, all of the applications that have been discovered within it, both those that are unmanaged and those you’ve moved to managed and added connectors to, will also be deleted. You’ll have to manually recreate these apps and re-add connectors to them to continue managing them with ConductorOne.