Diff access rights from two SaaS systems with Baton
After reading this guide, you will be able to:
- Understand how to set up the Baton connectors
- Understand how the baton utility works
- Understand how to compare access rights between two GitHub organizations
Before you start
Before you begin, make sure you have everything set up from the list below:
- GitHub account
Part one: Set up the Baton SDK
Use this command to install the Baton SDK and the Baton GitHub connector:
$ brew install conductorone/baton/baton conductorone/baton/baton-github
If you don’t have Homebrew installed yet, follow this guide.
Inspect the baton utility by using this command:
$ baton --help
After running baton --help, you will see a console with all available commands. You can find a list of all the commands in our getting started guide, where we explain them in detail.
Now you have the Baton SDK ready to use. It’s time to show you how to use baton-github to create a c1z.
About the c1z file
c1z files contain all of the information that the connector has collected as part of a synchronization process. Using the Baton CLI, you can browse the contents of the sync.c1z file and export that data to a .csv or .xlsx file.
Part two: Connect GitHub connector and run comparison
The GitHub connector allows you to manage access rights for all users across all repositories. Setting up the connector is very simple, so let’s take a look at how to do it.
Create a new GitHub Personal Access Token with the following permissions:

| Area | Scope of access |
| --- | --- |
| repo | All |
| admin:org | All |
| user | All |

Create a new file called github-compare.sh.
Insert this code into github-compare.sh:
#!/bin/bash
set -e
# Set your tokens here!
BATON_TOKEN="<your GitHub token>"
ORG1="<github org 1>"
ORG2="<github org 2>"
# Set what you want to compare between the two apps
entitlementId="team" # org/team/repository
entitlementName="<name of your team>" # display name of the entitlement (e.g. name of a team)
entitlementType="member" # type of a permission (admin/maintainer/member)
# Set the output filenames
now=$(date +"%Y%m%d%H%M%S")
c1zFileSaaS1="baton-saas1-comparison.c1z"
c1zFileSaaS2="baton-saas2-comparison.c1z"
# Run sync to produce c1z for 1st SaaS
BATON_TOKEN="$BATON_TOKEN" baton-github --orgs "$ORG1" -f "$c1zFileSaaS1"
# Run sync to produce c1z for 2nd SaaS
BATON_TOKEN="$BATON_TOKEN" baton-github --orgs "$ORG2" -f "$c1zFileSaaS2"
# Find the ID of the resource with the given type and display name in the 1st SaaS
# (--arg hands the values to jq as strings, so names with spaces or quotes work)
idInSaaS1=$(baton entitlements -f "$c1zFileSaaS1" -o json | jq -r --arg type "$entitlementId" --arg name "$entitlementName" '[.entitlements[].entitlement.resource | select(.id.resourceType==$type and .displayName==$name)][0] | .id.resourceType + ":" + .id.resource')
# Find the ID of the resource with the given type and display name in the 2nd SaaS
idInSaaS2=$(baton entitlements -f "$c1zFileSaaS2" -o json | jq -r --arg type "$entitlementId" --arg name "$entitlementName" '[.entitlements[].entitlement.resource | select(.id.resourceType==$type and .displayName==$name)][0] | .id.resourceType + ":" + .id.resource')
# Compare the principals holding the entitlement in the two c1z files
baton principals compare -f "$c1zFileSaaS1" --entitlement "$idInSaaS1:$entitlementType" --compare-entitlement "$idInSaaS2:$entitlementType" --compare-file "$c1zFileSaaS2"
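Insert your GitHub access token and the names of your two GitHub organizations into the script above, replacing the placeholders. The script then contains a token with full repo, admin:org and user scope, so keep the file out of version control and readable only by your own account.
Save github-compare.sh.
Make github-compare.sh executable:
chmod +x github-compare.sh
Run the script to compare your files: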
./github-compare.sh
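A stricter form of the lookup step in github-compare.sh, as an added example that is not part of the original guide or of Baton: it stops when the display name matches no resource or more than one, instead of handing an empty or arbitrary ID to baton principals compare. The function name resolve_entitlement and the sample JSON are assumptions, constructed from the fields the script's jq filter reads.

```shell
#!/bin/bash
# resolve_entitlement <resourceType> <displayName>   (hypothetical helper)
# Reads `baton entitlements -o json` output on stdin and prints
# "<resourceType>:<resource>". Returns 1 if nothing matches, 2 if the
# display name maps to more than one resource, 3 if jq itself fails.
resolve_entitlement() {
  local out count id
  # A resource appears once per entitlement (member, maintainer, ...),
  # so the matches are de-duplicated before they are counted.
  out=$(jq -r --arg type "$1" --arg name "$2" '
    [ .entitlements[].entitlement.resource
      | select(.id.resourceType == $type and .displayName == $name)
      | .id.resourceType + ":" + .id.resource ]
    | unique
    | (length | tostring) + " " + (.[0] // "")') || return 3
  count=${out%% *}
  id=${out#* }
  if [ "$count" -eq 0 ]; then
    echo "no $1 named '$2' in this sync" >&2; return 1
  elif [ "$count" -gt 1 ]; then
    echo "$count resources of type $1 are named '$2'" >&2; return 2
  fi
  printf '%s\n' "$id"
}

# Constructed sample holding only the fields the filter reads; real
# `baton entitlements -o json` output carries more.
SAMPLE_JSON='{"entitlements":[
 {"entitlement":{"resource":{"id":{"resourceType":"team","resource":"101"},"displayName":"Platform Team"}}},
 {"entitlement":{"resource":{"id":{"resourceType":"team","resource":"101"},"displayName":"Platform Team"}}},
 {"entitlement":{"resource":{"id":{"resourceType":"team","resource":"202"},"displayName":"Security"}}},
 {"entitlement":{"resource":{"id":{"resourceType":"team","resource":"303"},"displayName":"Security"}}}
]}'

# In github-compare.sh the call would read:
#   idInSaaS1=$(baton entitlements -f "$c1zFileSaaS1" -o json \
#     | resolve_entitlement "$entitlementId" "$entitlementName")
if id=$(printf '%s' "$SAMPLE_JSON" | resolve_entitlement team "Platform Team"); then
  echo "would compare with --entitlement $id:member"
fi
```

Because github-compare.sh runs under set -e, a non-zero return from the helper ends the script before the comparison step.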
What’s next?
Now that you have a good overview of the access rights from different Software-as-a-Service systems with Baton, you can look into its other features. ConductorOne provides export capabilities to help administrators take control of user access and security. The Baton SDK also integrates with Amazon Web Services for a full suite of cloud services for your organization. With these tools, you can easily customize access rights for users and more efficiently manage security across all systems.