Access conflict

An access conflict occurs when two entitlements assigned to the same user violate a separation of duties (SoD) policy or other regulation. See Conflict monitor.

Access profile

A group of resources and entitlements curated for their applicability to a certain audience and only visible to that audience. Access profiles limit what resources and entitlements each user can see and request, so only relevant access is visible and available. An access profile can be set up so that users can request each app or permission it contains individually (in their app catalog), or so that the entire bundle of access is requestable as a unit (also called a profile). See App catalog.

Account

A unique record associated with a specific actor (such as a human, a system account, or a service account) within an application. An account in an application is granted permissions and roles in that app.

Account owner

The human user known to C1 who is associated with an account in an application. See User.

App catalog

The list of applications (and permissions within them) that are available for a specific end user to request, based on all the access profiles that user has access to. See Access profile.

Application

Within C1, an application is a mirrored record of the access, account, and user data within a tool or service your organization uses. See Connector.

Attribute value

A custom risk level or compliance framework tag that you create and apply to entitlements, such as “SOC2” or “High risk”.

Automation

A custom workflow built in C1 that automates repetitive tasks such as onboarding, offboarding, and role transfers. An automation consists of a trigger (the event or schedule that causes it to run) and one or more steps (the actions it performs). Automations can run automatically based on their trigger or be started manually on demand. See Task and Policy.

Baton

The open-source code framework that powers connectors. Named for an orchestra conductor’s baton, which focuses and directs the musicians, and for the baton transferred from one runner to the next (like data!) in a relay race. We like a double meaning around here.

Binding

A relationship between two entitlements, so that being granted access to entitlement A automatically also grants the user access to entitlement B. See Linked entitlement and Virtual entitlement.

C1 app

A special application that models C1 within C1. Allows you to review and manage access to C1 using C1’s tools. Very meta, very useful.

C1 group

C1 groups are collections of C1 users that you create and use within C1. They can be useful for organizing groups of employees as access recipients or assignees to tasks.

Campaign (UAR)

User access review (UAR) campaigns are a framework for periodically reviewing user access. A campaign has a scope (the access to be reviewed) and a timeframe (the start and end dates of the campaign).

CEL

Common Expression Language (CEL) was developed by Google and is used in C1 to write conditional expressions that use variables and user data known to C1.

Cone

C1’s command-line interface (CLI) tool. Allows you to interact with C1 from the comfort of your terminal window. The name is “C1” but with the “one” spelled out. Pronounced like the ice cream holder or traffic diverter of the same name.

Conflict monitor

A conflict monitor watches for a certain access conflict in any user’s requested or assigned access and notifies admins if a conflict is found so the access can be evaluated. See Access conflict.

Connector

Integration code that connects C1 to another software tool or service. Used as the source of data for applications in C1. All connectors can read (sync) data, and some can also write (provision) to the connected software. See Application.

Custom form

Additional fields added to an access request that require requestors to provide context when making a request, such as a cost center code, ticket reference, or start date. Custom forms help IT and security teams make informed approval decisions and support audit and compliance requirements. See Request.

Deprovision

The process of removing previously assigned permissions or shutting down user accounts in connected systems after a revocation proposal is confirmed. In C1, deprovisioning tasks are assigned to users when manual deprovisioning of access is required. See Revoke / Revocation.

Delegate

A designated user who receives and completes the C1 tasks that would otherwise be assigned to a user who cannot (or should not) complete them, such as an executive or an employee on extended leave.

Digest

A personalized email sent to C1 users that includes an overview of open tasks, connector sync errors, expiring access, and more. Sometimes called a “daily digest”, but your organization can configure it for daily or weekly delivery.

Directory

An application that holds key information about the people who work for and with your organization (employees, contractors, interns, partners, etc.) such as their department, manager, job title, employment status, and more. Directories are usually your HR and identity provider (IdP) tools, but any app can be set as a directory. See Application.

Enrollment

A user is enrolled in an access profile when they are automatically granted the full contents of that profile because they meet the criteria set for it. See Access profile.

Entitlement

A specific permission that can be requested and reviewed in C1. Entitlements are how users gain access to resources, and designate the type of access granted. For instance, a resource called “revolution-hall-repo” might have two entitlements called “admin” and “member”. See Resource.

External data source

A designated file system, S3 bucket, or Azure Blob container that C1 can read from and write to. These are useful for managing access data from systems and tools that cannot use a connector.

External insight

Identity risk data from external security tools — such as risk scores and security findings — that C1 syncs and surfaces alongside the identities it describes. External insights are shown during access reviews and at the moment of approval so reviewers can make more informed decisions without switching tools.

External ticketing system

An integration with your organization’s IT ticketing system, such as Jira or ServiceNow. Once configured, when manual provisioning of new access is required, C1 automatically creates a ticket in the connected external ticketing system. C1 will monitor the status of the ticket and mark the provisioning step complete in C1 once the ticket is closed.

Function

Serverless TypeScript functions that extend C1’s capabilities with custom automation logic. Functions can call external systems, run on events, implement organization-specific workflows, and access C1 data through the C1 SDK. A function can be invoked from an automation step, the C1 web UI, or the API.

Grant

A record indicating that an application account has been explicitly assigned an entitlement on a resource. See Entitlement and Account.

Linked entitlement

An existing relationship between an entitlement in an IdP and one in a standalone application. Linked entitlements commonly connect IdP resources with the apps the IdP controls access to.

Managed app

An application that you’re actively managing with C1. A managed application has an active connector or other data source. See Application, Connector, and Unmanaged app.

Mapping

The process of matching how key data points are labeled in an integrated software or service with how they’re labeled in C1, so data can be pulled in and used correctly across sources.

Membership

A rule set on an access profile that automatically creates enrollment or unenrollment requests for users who meet — or no longer meet — defined criteria such as department, job title, or manager. Membership automates access changes when users join, leave, or move between teams without requiring manual requests. See Access profile and Enrollment.

Policy

A reusable rule set that defines a process for requesting, reviewing, or revoking access. Policies can contain instructions such as who a certain task should be routed to, as well as instructions on sending notifications, triggering webhooks, conditional routing, and much more.

Profile attribute

A piece of information about an application account that is pulled in from an application, and that can be used to scope UAR campaigns or build policies. See Account.

Profile type

A way to segment users into categories — such as full-time employees, contractors, or vendors — and define a tailored set of attributes relevant to each group. Profile types control which user attributes appear on profiles and enable precise filtering when scoping UAR campaigns and policies. See User attribute.

Provision

The process of creating new user accounts and assigning permissions in connected systems after an access request is approved. In C1, provisioning tasks are assigned to users when manual provisioning of new access is required. See Request.

Request

Broadly, when a user asks for a new permission, this is a request (or more formally, an access request). In C1, the user submits the request and a request task is created, which is governed by a request policy. See Task and Policy.

Requestable action

An automation exposed to end users as a requestable object, allowing them to trigger a workflow — such as requesting temporary elevated access or initiating an offboarding task — through a standard approval process rather than requiring standing permissions. See Automation and App catalog.

Requestor

The person making a request for access. This is most commonly the user who will be granted the access, but it can be a manager or other admin making the request on the user’s behalf.

Resource

A named object within an application, such as a specific role, group, repository, or license. A resource contains entitlements, which are the specific permissions that are reviewed and requested in C1. See Entitlement.

Resource type

A general categorization of the resource objects found in an application, such as roles, groups, repositories, and licenses.

Review

Broadly, when a user’s access to a certain permission is checked to ensure it is still appropriate and necessary, this is a review (or more formally, an access review, which is part of a user access review (UAR) campaign). In C1, review tasks are created as part of a campaign, and these tasks are governed by a review policy. See Task and Policy.

Reviewer

The person who is evaluating a request or review task and making a decision about whether new access should be granted, current access should be preserved, or unnecessary access should be removed.

Revoke / Revocation

Broadly, when a permission that was granted to a user is removed, this is a revocation. In C1, a revocation task is created when the user, their manager, or a reviewer during a UAR campaign recommends that the access be removed. The revocation task is governed by a revoke policy. (“Revoke” and “revocation” are used interchangeably in C1 because, unlike “review” and “request”, the noun and verb forms of this word differ.) See Task and Policy.

Role mining

An analysis tool that examines the access held across your organization’s users to surface patterns and suggest access profiles. Role mining groups users by shared attributes such as department, job title, or manager, identifies entitlements those groups commonly hold, and turns those patterns into access profile suggestions. See Access profile.

Scope

The specific user access that will be reviewed in a user access review (UAR) campaign. See Campaign.

Secret

A sensitive credential or other confidential data, such as an API key, token, password, or private file. C1 provides two secrets-related capabilities: syncing secrets from connected applications for visibility, and a secret sharing tool for securely distributing secrets to internal or external recipients.

Service account

A special type of application account used by a computer program or service that represents a non-human identity. Used to access resources or perform actions in an app or network.

Service principal

A non-human identity in C1 designed for scripts, CI/CD pipelines, Terraform runs, and API integrations. Service principals can be assigned C1 roles and have owners who manage them, and they authenticate using either client credentials or workload identity federation.

Shadow app

Shadow apps are applications and cloud services not managed or approved by an organization’s IT department that employees sign into using their corporate email.

Step-up authentication

An additional authentication challenge required of approvers before they can approve sensitive access requests. C1 implements step-up authentication using the RFC 9470 OAuth 2.0 Step Up Authentication Challenge Protocol, generating a fresh challenge for each qualifying approval so that prior authentication state is never reused. See Policy and Request.

Sync

The process of reaching out to an integrated software tool or service via a connector to read new data or to write data to the tool or service based on changes and decisions made in C1. Based on the type and configuration of the connector, syncs can happen automatically on a schedule, or can be triggered manually. See Connector.

System account

A special type of application account used by an operating system that represents a non-human identity. Used to perform system-level operations.

Task

A discrete unit of work assigned to a user in C1, such as reviewing a user’s access to a specific entitlement as part of a UAR campaign, approving or denying a user’s request for new access, or manually provisioning new access. See Request, Review, Revoke / Revocation, Provision, and Deprovision.

Template

A pre-configured, reusable framework for creating recurring UAR campaigns. Templates make it faster and easier to set up identical or very similar campaign configurations when you need to run a certain campaign on a recurring schedule.

Unmanaged app

The child apps that a connector discovers for an identity provider (IdP), SSO, or federation provider app, but to which you haven’t yet added a connector or other data source so you can begin managing them in C1. See Managed app.

User

A human at your organization whose access data is synced to C1, and who can be assigned tasks in C1. C1 user accounts are automatically created when you set directories as sources of user data. See Directory.

User attribute

A specific piece of data about a user that is pulled from a directory app. See Directory.

User role

A group of permissions in C1 that define what a user can and cannot see, create, and modify. User roles are assigned to users and are scoped to the work each user will do in C1, ranging from Basic User to Super Admin.

Vault

Centralized secure storage within C1 where initial or temporary passwords for application accounts provisioned through the platform are posted. Only the account owner and the vault owner can retrieve and distribute a new account’s password.

Virtual entitlement

A special proxy entitlement that is created in C1 and does not get written back to the source software. Virtual entitlements are ideal for making easy-to-understand user-facing target entitlements that can be bound to more complex existing entitlements in your IdP, SSO, or federation provider.

Webhook

An HTTP callback that connects C1 to external systems. Outbound webhooks fire from C1 to an external URL when certain events occur, such as when a provisioning step completes. Inbound webhooks allow external systems to trigger C1 automations by sending authenticated HTTP POST requests to a C1 listener endpoint.