ConductorOne docs

Adding applications

Applications allow you to govern access and gain visibility into accounts and permissions. In this doc we'll walk through how applications get added to ConductorOne.

There are three types of applications in ConductorOne:

  • Managed apps: Apps for which ConductorOne can provide visibility, governance, and automation.

  • Unmanaged apps: Apps that have been discovered in federation providers such as Microsoft Entra or Okta. ConductorOne can move these apps to the Managed state to begin enforcing access controls.

  • Shadow apps: Apps that have been discovered in your environment but are likely not sanctioned for use by your organization’s corporate IT. Learn more about shadow apps.

Creating a managed app

Managed apps are the starting point for enforcing access controls and governance. There are several ways to create a managed app in ConductorOne:

  • Authorize a shadow app: Authorizing a shadow app moves it to managed.

  • Manage an unmanaged app: Clicking Manage on an unmanaged app moves the app to managed.

  • Add a connector and create a new app: When adding a connector, if you do not attach it to an existing managed or unmanaged app, it will create a new managed app by default.

  • Create a custom app: On the Applications page, click New application and create a custom app.

All newly created tenants start with a single managed app: the ConductorOne app.

Custom apps

Custom apps are a great starting point if you want to:

  • Ingest flat files into an app for UARs
  • Create an app that provisions access using webhooks or helpdesk tickets

To create a custom app:

  1. Navigate to Applications

  2. Click New Application

  3. Enter the title, description, and select the app owner

  4. Click Continue

Unmanaged apps explained

When you add a connector for an app that is an identity provider (IdP), SSO, or federation provider, the connector will discover the apps that are inside of it. These apps are added to the Unmanaged app list on the Applications page.

Unmanaged apps are a great starting point for enforcing access controls. To set up access controls on an unmanaged app:

  1. Navigate to Applications > Unmanaged apps tab

  2. Find the app you want to manage

  3. Click Manage

  4. Select the application owners and click Manage

This will migrate the unmanaged app to a managed state.

On the app page, you can now enforce access controls, get visibility into who has access to the app, run UARs, and more.

How connectors relate to apps

Connectors provide data ingestion and orchestration functionality for a managed application. Connectors are added from the connector library or by integrating an on-prem hosted connector.

When adding a connector, you can:

  1. Add a connector to an existing managed app

    This option adds a connector to an existing managed app. This may be useful if you’ve created a custom app, and want to add a connector after the fact.

  2. Add a connector to an unmanaged app

    This option adds a connector to an unmanaged app and in doing so, promotes the app to the managed state. This is very useful when adding connectors for applications that live in your IdP or SSO provider.

    For example: You’ve connected Okta to ConductorOne. We discovered Salesforce and put it into the unmanaged state. You want to add a Salesforce connector to the app so that it can automate data ingestion for UARs and automate provisioning. In this scenario, you would:

    • Navigate to Connectors
    • Find Salesforce and click Add
    • Choose Add to unmanaged app and select Salesforce from the dropdown
    • Click Continue

    By completing these steps, you will now have a managed Salesforce app with a connector that gives full visibility into accounts, permission sets, and roles and can automate provisioning and access control.

  3. Create a new app

    Use this option if you want the connector to create a new application instead of tying it to an existing managed or unmanaged app.

Data files as connectors

ConductorOne treats flat files such as CSV uploads as connectors as well (since they are data sources). You can learn more about file connectors here.

When should an app have multiple connectors?

In most cases, you’ll only have a single connector for an application. However, it’s not uncommon to need or want to have multiple data sources feeding into one application in ConductorOne.

For example: There is a complex app that requires multiple flat file uploads to fully represent the user and application data. In this case, you would add multiple file connectors to the application - one for each of the files.

Important notes about managing applications

Delete applications with great caution!

If you delete an IdP, federation, or SSO provider application from ConductorOne, all of the applications that have been discovered within it, both those that are unmanaged and those you’ve moved to managed and added connectors to, will also be deleted. You’ll have to manually recreate these apps and re-add connectors to them to continue managing them with ConductorOne.