C1 provides identity governance and just-in-time provisioning for Kyriba. Integrate your Kyriba instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.
To configure the Kyriba connector, you need administrator access to the Kyriba Developer Portal to create API credentials.
The connector authenticates using OAuth2 client credentials. You will need:
Kyriba URL — the base URL of your Kyriba instance (for example, https://api.kyriba.com)
Token URL — the OAuth2 token endpoint (for example, https://api.kyriba.com/gateway/oauth/token)
Client ID — your OAuth2 client identifier
Client Secret — your OAuth2 client secret
1
Log in to the Kyriba Portal and navigate to API Access or OAuth Applications.
2
Create a new OAuth2 application or API credential set named ConductorOne.
3
Grant the following OAuth scopes to enable full sync and provisioning:
Scope
Used for
user-scope
Sync users and access profiles; create and delete users; assign data permission profiles
user-group-scope
Sync user groups; add and remove members
data-permission-profile-scope
Sync data permission profiles
For sync-only (read) access, all three scopes are still required. Provisioning requires write permissions on the relevant scopes: user-scope for account creation/deletion and data permission profile assignment; user-group-scope for group membership changes.
4
Copy the Client ID, Client Secret, and Token URL. Save these securely — the secret cannot be retrieved again after creation.
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Kyriba and click Add.
3
Choose how to set up the new Kyriba connector:
Add the connector to a currently unmanaged app
Add the connector to a managed app
Create a new managed app
4
Set the owner for this connector.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the required configuration:
Kyriba URL: The base URL of your Kyriba instance (for example, https://api.kyriba.com)
Token URL: The OAuth2 token endpoint URL (for example, https://api.kyriba.com/gateway/oauth/token)
Kyriba Client ID: Your OAuth2 client ID from the Kyriba Developer Portal
Kyriba Client Secret: Your OAuth2 client secret from the Kyriba Developer Portal
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your Kyriba connector is now pulling access data into C1.
Follow these instructions to use the Kyriba connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Applications. On the Managed apps tab, locate and click the name of the application you added the Kyriba connector to. Kyriba data should be found on the Entitlements and Accounts tabs.
Done. Your Kyriba connector is now pulling access data into C1.
Access profiles with no assigned users — The Kyriba API does not expose a standalone list endpoint for access profiles. ConductorOne derives access profile resources from user-assignment data. Any access profile that exists in Kyriba but has no users currently assigned to it will not appear in the ConductorOne catalog until at least one user is assigned to it and a sync completes.
