Directory Sources
Concepts
Vendors
Each of your organization’s applications, platforms, and SaaS systems that has users is referred to as a vendor.
Sources
Your organization may have multiple deployments, environments, or instances for each vendor. Each of these is referred to as a source, and each has its own unique URL and/or API credentials.
Directory Users
A Directory User is a unified profile of metadata for one user in your organization, aggregated across all vendor sources.
Directory Source
A Directory Source stores the API credentials used to perform sync jobs. You will configure Directory Attributes that map which Directory Source User API attributes are used to populate, and push updates to, the unified Directory User profile for each of your users throughout their lifecycle changes. As an added benefit, any changes detected are logged and start automation workflows that you can customize in Access Control.
API Integration
Each vendor has API endpoints that we call with the credentials for each Directory Source to get all of the provisioned users from your vendor’s database. Each user’s work email address is a metadata attribute that every vendor API exposes, and Access Control uses it to check whether a user already exists. Access Control saves each user’s API ID in our database and uses it to sync and manage users, permissions, and/or roles (if enabled).
Primary Source
Access Control uses a primary source to establish the baseline identity for a user: their name, email address, and contract or employment lifecycle status (active or deprovisioned). This primary source is usually your single sign-on (SSO) vendor, which is typically already connected to your HR Information System (HRIS).
After you have created the Directory Source and configured the API credentials, Access Control will import all of the users. You can configure which Directory User profile attributes to populate using the new Directory Source. Any changes to user attributes are detected during recurring sync jobs.
Any users that are onboarding (joiners), have job/role changes (movers), or are offboarded (leavers) are detected during the recurring sync job and trigger audit and automation workflows.
Additional Sources
Each additional source that you add provides several benefits:
- Aggregate user profile attributes from different sources
- Automate IAM and RBAC provisioning and deprovisioning tasks
- Monitor changes across multiple systems
After your source is created, you will need to configure its credentials and user attributes.
Sync Flow
Operational Impacts
Deactivate a Source
Deactivating a Directory Source can have detrimental impacts on downstream systems and RBAC. You should know that:
- Credentials remain intact so the source can be reactivated.
- Sync jobs will no longer occur.
- User attributes that are mapped to this source are frozen with current values until the source is reactivated or a different source is configured to populate the attribute.
- Any user attributes mapped to this source for new users will have a null value until the source is reactivated or a different source is configured to populate the attribute.
- Any changes on the source are no longer detected, such as attribute value changes or lifecycle events.
- Automation workflows that use this source will not run.
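The following is an added example, not Access Control's own code, that models the sync flow described under API Integration and Primary Source (matching vendor users to Directory Users by work email, storing the vendor API ID, detecting joiners, movers and leavers) together with the deactivation behaviour listed above (frozen attribute values for existing users, null values for new users). The source names, vendor attribute names, user records and the `ATTRIBUTE_MAP`, `sync_source`, `profile` and `run_demo` names are all constructed for the illustration; the rule that only the primary source can create a new identity is an assumption drawn from the Primary Source section.

```python
"""Toy model of the Directory Source sync flow. Added illustration, not
Access Control's code. Vendor names, user records and function names are
constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Source:
    """One vendor instance: its own credentials (not modelled) and a flag
    for whether sync jobs currently run against it."""
    name: str
    active: bool = True
    # Constructed stand-in for what the vendor API returns: keyed by the
    # vendor's own API ID, each record carrying a work email and attributes.
    api_users: dict = field(default_factory=dict)


@dataclass
class DirectoryUser:
    """The unified profile, keyed in the directory by lower-cased work email."""
    email: str
    status: str                                  # "active" or "deprovisioned"
    attributes: dict = field(default_factory=dict)
    api_ids: dict = field(default_factory=dict)  # source name -> vendor API ID


# Directory Attributes: profile field -> (source that populates it, vendor attribute)
ATTRIBUTE_MAP = {
    "name": ("okta-prod", "displayName"),
    "department": ("okta-prod", "department"),
    "github_role": ("github-org", "role"),
}


def sync_source(directory, source, primary=False):
    """Run one sync job for a source and return the lifecycle events it
    detected as (event, email) tuples. An inactive source is skipped, so
    nothing it populates changes and none of its changes are detected."""
    events = []
    if not source.active:
        return events
    seen = set()
    for api_id, rec in source.api_users.items():
        email = rec["email"].lower()             # work email is the match key
        seen.add(email)
        user = directory.get(email)
        if user is None:
            if not primary:                      # assumption: only the primary
                continue                         # source establishes identity
            user = DirectoryUser(email=email, status="active")
            directory[email] = user
            events.append(("joiner", email))
        user.api_ids[source.name] = api_id       # saved for later sync/management
        changed = False
        for attr, (src, vendor_attr) in ATTRIBUTE_MAP.items():
            if src != source.name or vendor_attr not in rec:
                continue
            new = rec[vendor_attr]
            if attr in user.attributes and user.attributes[attr] != new:
                changed = True
            user.attributes[attr] = new
        if changed:
            events.append(("mover", email))
    if primary:
        # Anyone the primary source no longer returns has left
        for email, user in directory.items():
            if email not in seen and user.status == "active":
                user.status = "deprovisioned"
                events.append(("leaver", email))
    return events


def profile(user):
    """Full unified profile: every mapped attribute, None where no source
    has populated it (the null value a deactivated source leaves behind)."""
    return {attr: user.attributes.get(attr) for attr in ATTRIBUTE_MAP}


def run_demo():
    """Two sync cycles over constructed vendor data."""
    okta = Source("okta-prod", api_users={
        "00u1": {"email": "alice@example.com", "displayName": "Alice A", "department": "Eng"},
        "00u2": {"email": "bob@example.com", "displayName": "Bob B", "department": "Sales"},
    })
    github = Source("github-org", api_users={
        "101": {"email": "Alice@Example.com", "role": "admin"},
        "102": {"email": "carol@example.com", "role": "member"},  # no primary identity
    })
    directory = {}
    first = sync_source(directory, okta, primary=True) + sync_source(directory, github)

    # Vendor-side changes between the two sync jobs
    okta.api_users["00u2"]["department"] = "Marketing"           # mover
    del okta.api_users["00u1"]                                   # leaver
    okta.api_users["00u3"] = {"email": "dave@example.com",       # joiner
                              "displayName": "Dave D", "department": "Eng"}
    github.api_users["101"]["role"] = "member"                   # change that will NOT be seen...
    github.active = False                                        # ...because the source is deactivated

    second = sync_source(directory, okta, primary=True) + sync_source(directory, github)
    return {"first": first, "second": second, "directory": directory}


if __name__ == "__main__":
    result = run_demo()
    print(result["first"], result["second"])
    for user in result["directory"].values():
        print(user.email, user.status, profile(user), user.api_ids)
```

The second cycle shows the two deactivation effects side by side: Alice keeps the `github_role` value of `admin` that was synced before the source was deactivated, even though the vendor now says `member`, while Dave, who joined afterwards, has `None` for that attribute until the source is reactivated or the attribute is remapped in `ATTRIBUTE_MAP`.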
Need to destroy a source? A limited number of org admins have permission to run the dir:destroy-source command.