> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Beeline connector
> C1 provides identity governance for Beeline. Integrate your Beeline instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :------------ | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Organizations | | |
| Roles | | |
## Gather Beeline credentials
Configuring the connector requires you to pass in credentials generated in Beeline. Gather these credentials before you move on.
**Important**
A user with the **Administrator** role in Beeline must perform this task.
To set up the Beeline connector, you'll need:
* **Base URL**: This is typically [https://client.beeline.com](https://client.beeline.com/) but may vary depending on your Beeline environment.
* **Beeline Client Site ID**: Provided by Beeline for your organization's site.
* **Auth Server URL**: This is the OAuth2 token endpoint for authentication. The default value is [https://integrations.auth.beeline.com/oauth/token](https://integrations.auth.beeline.com/oauth/token), which is used for production environments.
* **OAuth2 Client ID and Client Secret**: These must be requested through Beeline's Customer Operations Manager (COM). Contact your COM to create a change request ticket to scope their needs. Once the change request has been scoped and project assigned, Beeline's Integrations team will create and securely transmit these security credentials.
Scopes required by the connector:
* For organization operations: read:org and write:org
* For account operations: read:user and write:user
* For role and permission operations: read:iam and write:iam
* For provisioning operations (adding/removing users from roles): write:iam is specifically required
**Done.** Next, move on to the connector configuration instructions.
## Configure the Beeline connector
**To complete this task, you'll need:**
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Beeline credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Beeline** and click **Add**.
Choose how to set up the new Beeline connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter your client site ID into the **Client site ID** field.
Enter the OAuth2 client ID and client secret into the **OAuth2 client ID** and **OAuth2 client secret** fields.
Enter the base URL into the **Base URL** field. The default is `https://client.beeline.com`.
Enter your auth server URL into the **Auth server URL** field. The default is `https://auth.beeline.com/oauth/token`.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Beeline connector is now pulling access data into C1.
**Follow these instructions to use the Beeline connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [GitHub repository](https://github.com/conductorone/baton-beeline): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new Beeline connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Beeline connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Beeline connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-beeline-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-beeline-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Beeline credentials
BATON_BASE_URL:
BATON_BEELINE_CLIENT_SITE_ID:
BATON_BEELINE_CLIENT_ID:
BATON_BEELINE_CLIENT_SECRET:
BATON_AUTH_SERVER_URL:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-beeline.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-beeline
labels:
app: baton-beeline
spec:
selector:
matchLabels:
app: baton-beeline
template:
metadata:
labels:
app: baton-beeline
baton: true
baton-app: beeline
spec:
containers:
- name: baton-beeline
image: ghcr.io/conductorone/baton-beeline:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-beeline
envFrom:
- secretRef:
name: baton-beeline-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Beeline connector to. Beeline data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Beeline connector is now pulling access data into C1.