# Set up an Asana connector

> C1 provides identity governance and just-in-time provisioning for Asana. Integrate your Asana instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource   | Sync                                                          | Provision                                                     |
| :--------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Teams      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Workspaces | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Licenses\* | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

The Asana connector supports [automatic account provisioning](/product/admin/account-provisioning). New users are created with a view-only license.

This connector does not support account deprovisioning. You must deprovision accounts directly in Asana.

\*License syncing and provisioning is only available for Asana Enterprise accounts. You must use a service account token to set up the connector in order to sync and provision licenses. When provisioning licenses, the connector supports the following actions:

* Grant an enterprise license to a user with a view-only license
* Revoke an enterprise license (automatically grants a view-only license instead)
* Revoke a view-only license (deprovisions the user's access to Asana)

## Gather Asana credentials

Configuring the connector requires you to pass in credentials generated in Asana. Gather these credentials before you move on.

You can configure the Asana connector using either a personal access token or a service account token.

### Option 1: Generate a personal access token

This option does not support syncing and provisioning licenses.

<Steps>
  <Step>
    Log into Asana and navigate to [app.asana.com/0/my-apps](https://app.asana.com/0/my-apps).
  </Step>

  <Step>
    In the **Personal access tokens** area of the page, click **+ Create new token**.
  </Step>

  <Step>
    Give the new token a name, such as **C1**.
  </Step>

  <Step>
    Click **Create token**.
  </Step>

  <Step>
    The new token is generated for you. Carefully copy and save the token.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

### Option 2: Generate a service account token

<Warning>
  **Important**

  An Asana super admin using an Asana Enterprise plan must complete this task.
</Warning>

<Steps>
  <Step>
    If you haven't already done so, create or identify a service account in Asana that will be used for the C1 integration.

    The service account needs, at minimum, the **Users: Read** and **Teams: Read** permissions in order to sync user data. To provision accounts and other access with C1, give the service account full permissions.
  </Step>

  <Step>
    Click the three-dots icon next to the name of your service account and select **Edit service account**.
  </Step>

  <Step>
    Click **Reset and generate new token**.
  </Step>

  <Step>
    The new token is generated for you. Carefully copy and save the token.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Asana connector

<Warning>
  **To complete this task, you'll need:**

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Asana credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Asana** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Asana connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Paste the personal access token you generated in Asana into the **Personal access token** field.

        **Service account users:** Click to enable **Is service account** and enter your service account token in the **Personal access token** field.
      </Step>

      <Step>
        **Optional.** If you want C1 to provision new Asana accounts, enter the ID of the workspace new accounts should be added to in the **Default workspace** field.
        If you do not set the default workspace ID here, you can set it when [configuring account provisioning](/product/admin/account-provisioning#part-2-cel-expressions-pull-in-the-required-information). The workspace ID must be set in at least one of these places, or account provisioning will fail.
      </Step>

      <Step>
        **Optional.** If you want to use C1 to sync and provision Asana licenses, click to enable **Use SCIM API**.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Asana connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Asana connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [GitHub repository](https://github.com/conductorone/baton-asana): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Asana connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Asana connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.
        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Asana connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-asana-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-asana-secrets
    type: Opaque
    # stringData values must be strings, so boolean settings are quoted.
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Asana specific credentials
      BATON_TOKEN: <Asana personal access token or service account token>

      # Optional: Include if using a service account token
      BATON_USE_SERVICE_ACCOUNT: "true"

      # Optional: Include if you want C1 to provision access using this connector
      BATON_PROVISIONING: "true"

      # Optional: The workspace where C1 should add newly provisioned Asana accounts
      BATON_DEFAULT_WORKSPACE_ID: <Asana workspace ID>

      # Optional: Include to use the Asana SCIM API for enterprise license management
      BATON_USE_SCIM_API: "true"
    ```

    See the connector's README or run the connector with `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-asana.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-asana
      labels:
        app: baton-asana
    spec:
      selector:
        matchLabels:
          app: baton-asana
      template:
        metadata:
          labels:
            app: baton-asana
            # Label values must be strings, so the boolean is quoted.
            baton: "true"
            baton-app: asana
        spec:
          containers:
          - name: baton-asana
            # :latest is a mutable tag; pin a specific release tag or image
            # digest if you need reproducible, reviewable deployments.
            image: ghcr.io/conductorone/baton-asana:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-asana
            # All connector settings and credentials come from the Secret.
            envFrom:
            - secretRef:
                name: baton-asana-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Asana connector to. Asana data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Asana connector is now pulling access data into C1.
  </Tab>
</Tabs>
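
The Step 3 apply sequence for the self-hosted option, as an added shell example (not part of the original page or the baton-asana project): it refuses to deploy while `baton-asana-secrets.yaml` still contains `<...>` placeholders, unquoted booleans, or empty values, then creates the namespace and applies both manifests. The namespace name `c1-connectors` and the function names are assumptions; the file names are the ones used in Step 2.

```shell
#!/bin/sh
# Added example: pre-flight check for the Secret manifest, then deploy.
# NAMESPACE is an assumed name; override it in the environment if needed.
NAMESPACE="${NAMESPACE:-c1-connectors}"

# Print one finding per line for each stringData entry that is not ready.
# Returns 0 when the manifest is clean, 1 when there is any finding.
lint_secret_manifest() {
  awk '
    /^[ \t]*#/     { next }                 # ignore comment lines
    /^stringData:/ { in_data = 1; next }    # start of the credentials block
    /^[^ \t]/      { in_data = 0 }          # another top-level key ends it
    in_data && /^[ \t]+[A-Za-z0-9_.-]+:/ {
      key = $0; sub(/^[ \t]+/, "", key); sub(/:.*$/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (val ~ /^<.*>$/) {
        print key ": placeholder not replaced"; bad++
      } else if (val ~ /^(true|false)$/) {
        print key ": quote this boolean, stringData values must be strings"; bad++
      } else if (val == "") {
        print key ": empty value"; bad++
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Create the namespace (idempotent), apply both manifests, wait for rollout.
deploy_connector() {
  lint_secret_manifest baton-asana-secrets.yaml || return 1
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml \
    | kubectl apply -f - || return 1
  kubectl apply -n "$NAMESPACE" \
    -f baton-asana-secrets.yaml -f baton-asana.yaml || return 1
  kubectl rollout status -n "$NAMESPACE" deployment/baton-asana
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "--deploy" ]; then
  deploy_connector
fi
```

The secrets manifest holds the C1 client secret and the Asana token in plaintext, so keep it out of version control and restrict or remove the file once it has been applied.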
