# Set up OpenAI connector

> C1 provides identity governance and just-in-time provisioning for OpenAI. Integrate your OpenAI instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource          | Sync                                                          | Provision                                                     |
| :---------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Account           | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Invitation        | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Organization      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Organization role | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Project           | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Service account   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Group             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| API key           | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

**Predefined roles supported:**

* Organization roles: Owner, Reader
* Project roles: Owner, Member, Viewer

**Custom roles supported:**

* Organization custom roles (dynamic, fetched per organization)
* Project custom roles (dynamic, fetched per project)

<Note>
  **Group member listing requires a paid plan.** Listing group members and syncing group-inherited role grants requires a Business, Enterprise, or higher OpenAI plan. Free plan accounts will not have group membership grants synced.
</Note>

<Note>
  **Custom project roles require project membership.** To assign a custom project role to a user or group, they must already have a predefined project role (Owner, Member, or Viewer). If they don't, the connector automatically adds them as a **Member** first.
</Note>

<Note>
  **Custom project roles cannot be assigned to service accounts via the API.** The OpenAI API does not support assigning custom project roles to service accounts programmatically. The connector syncs existing custom project role assignments for service accounts, but provisioning (granting) a custom project role to a service account will fail. Use the OpenAI platform to manage custom project role assignments for service accounts.
</Note>

<Note>
  **Organization owners are implicit project owners.** OpenAI enforces that organization owners are automatically project owners for all projects. This grant is shown as inherited from the organization owner role and cannot be modified through the connector or the OpenAI API.
</Note>

**Additional functionality:**

<Icon icon="square-check" iconType="solid" color="#c937ae" /> Supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning) <br />

## SCIM provisioning notes

OpenAI supports SCIM-based directory sync for automating user provisioning and deprovisioning. However, there are important limitations to be aware of when planning your provisioning strategy.

### Availability

SCIM is only available on certain OpenAI plans:

* **API Platform**: Custom or Unlimited billing plans
* **ChatGPT**: Enterprise or EDU plans

SCIM is not available on the Business plan. If you are on a plan that does not support SCIM, you must manage users manually or through the OpenAI Admin API.

### Configuring SCIM

SCIM is not configured through the OpenAI API. Instead, organization owners enable directory sync through the **Identity** settings in the OpenAI Platform dashboard. This opens a setup flow through the WorkOS portal, where you connect your identity provider (IdP).

Supported identity providers include Okta, Entra ID (Azure AD), Google Workspace, PingFederate, OneLogin, and Rippling, among others.

### Limitation: no SCIM Groups support on the API Platform

OpenAI's SCIM integration on the API Platform does not currently support SCIM Groups. This means:

* Users provisioned via SCIM are automatically invited to the **organization**, but they are **not assigned to any project**.
* There is no way to use SCIM to automatically map IdP groups to OpenAI projects or roles.
* Each user provisioned via SCIM must be separately assigned to projects after they join the organization.

<Note>
  SCIM Groups are supported for ChatGPT Enterprise workspaces but not for the API Platform. If you use both products, be aware that group sync behavior differs between them.
</Note>

### Workaround: use the Admin API for project assignments

Because SCIM cannot assign users to projects, you can use the OpenAI Admin API's [Project Users endpoints](https://platform.openai.com/docs/api-reference/project-users) to manage project membership after a user is provisioned via SCIM.

The key endpoints are:

* **Add user to project**: `POST /v1/organization/projects/{project_id}/users` — requires `user_id` and `role` (`member` or `owner`)
* **Modify project user role**: `POST /v1/organization/projects/{project_id}/users/{user_id}` — update a user's project role
* **Remove user from project**: `DELETE /v1/organization/projects/{project_id}/users/{user_id}`

The C1 OpenAI connector uses the Admin API to manage project memberships. When you configure C1 to provision access to OpenAI projects, C1 handles these API calls for you, filling the gap that SCIM leaves for project-level access.
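
The project-assignment gap described above can be closed by diffing desired membership against current membership and emitting only the calls needed. This is an added example, not C1's or OpenAI's code: it builds the list of Admin API calls from the three endpoints listed above without sending them. The function name, the sample IDs, and the `{"role": ...}` body for the modify call are assumptions.

```python
"""Added example: plan Admin API calls that reconcile project membership."""

BASE = "/v1/organization/projects"
PROJECT_ROLES = {"owner", "member"}  # roles the page lists for the add-user endpoint


def plan_project_sync(project_id, desired, current, org_owner_ids=frozenset()):
    """Return the ordered (method, path, body) calls that turn `current` into `desired`.

    desired / current: dict of user_id -> project role.
    org_owner_ids: organization owners; they are implicit project owners and
    that grant cannot be changed through the API, so they are never touched.
    """
    for user_id, role in desired.items():
        if role not in PROJECT_ROLES:
            raise ValueError(f"unsupported project role {role!r} for {user_id}")

    users_path = f"{BASE}/{project_id}/users"
    calls = []
    for user_id in sorted(desired):
        if user_id in org_owner_ids:
            continue  # inherited owner grant, nothing to provision
        role = desired[user_id]
        if user_id not in current:
            # Add user to project (body shape is an assumption beyond user_id/role)
            calls.append(("POST", users_path, {"user_id": user_id, "role": role}))
        elif current[user_id] != role:
            # Modify project user role (assumed body: {"role": ...})
            calls.append(("POST", f"{users_path}/{user_id}", {"role": role}))
    # Removals last: anyone in the project who is no longer desired loses access.
    for user_id in sorted(current):
        if user_id not in desired and user_id not in org_owner_ids:
            calls.append(("DELETE", f"{users_path}/{user_id}", None))
    return calls


if __name__ == "__main__":
    # Constructed sample data: IDs are placeholders, not real OpenAI identifiers.
    desired = {"user_alice": "owner", "user_bob": "member", "user_root": "owner"}
    current = {"user_alice": "member", "user_carol": "member", "user_root": "owner"}
    for call in plan_project_sync("proj_example", desired, current, {"user_root"}):
        print(call)
```

Running the plan a second time against the resulting membership returns an empty list, which makes it a convenient drift check for access reviews.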

### What SCIM provides vs. what requires the Admin API

| Capability                         | SCIM                                                          | Admin API (via C1)                                            |
| :--------------------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Provision user into organization   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Deprovision user from organization | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Assign user to project             |                                                               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Assign project role                |                                                               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Assign organization role           |                                                               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Map IdP groups to projects         |                                                               |                                                               |

<Note>
  Neither SCIM nor the Admin API currently supports automatically mapping IdP groups to OpenAI projects. To assign users to projects, use C1's provisioning capabilities with the OpenAI connector, which calls the Admin API on your behalf.
</Note>

## Gather OpenAI configuration information

Configuring the connector requires you to pass in information from OpenAI. Gather these configuration details before you move on.

Here's the information you'll need:

* **OpenAI Admin API Key** (required) — This must be an Admin API key created with **All permissions** selected. The connector requires full admin permissions to manage users, projects, and invitations. Keys created with "Restricted" permissions will cause the connector to error.

To create the Admin API key:

1. In the OpenAI platform, navigate to **Settings** > **API keys** in the **Organization** section.
2. Click **Create new admin key**.
3. When prompted to set permissions, select **All**. Do not select "Restricted", as the connector requires access to all organization management endpoints.
4. Copy and save the generated key.

See the OpenAI docs for more information: [Admin API Keys documentation](https://platform.openai.com/docs/api-reference/admin-api-keys)

## Configure the OpenAI connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of OpenAI configuration information gathered by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **OpenAI** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new OpenAI connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the configuration information from the previous section.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your OpenAI connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the OpenAI connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-openai): For stable binaries (Windows/Linux/macOS) and container images.

    ### Step 1: Set up a new OpenAI connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new OpenAI connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.
        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your OpenAI connector deployment:

    #### Secrets configuration

    ```yaml
    # baton-openai-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-openai-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # OpenAI config
      BATON_OPENAI_ADMIN_KEY: <OpenAI Admin API Key with All permissions>

      # Optional: include if you want C1 to provision access using this connector
      # stringData values must be strings, so the boolean is quoted
      BATON_PROVISIONING: "true"
    ```

    See the connector's README, or run the connector with `--help`, for all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-openai.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-openai
      labels:
        app: baton-openai
    spec:
      selector:
        matchLabels:
          app: baton-openai
      template:
        metadata:
          labels:
            app: baton-openai
            # Label values must be strings, so the boolean is quoted
            baton: "true"
            baton-app: openai
        spec:
          containers:
          - name: baton-openai
            # With IfNotPresent, a node that already cached :latest will not re-pull it;
            # consider pinning a specific release tag or digest
            image: ghcr.io/conductorone/baton-openai:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-openai
            envFrom:
            # Loads every key from the Secret above as an environment variable
            - secretRef:
                name: baton-openai-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secrets manifest (`baton-openai-secrets.yaml`) and the deployment manifest (`baton-openai.yaml`) from Step 2.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the OpenAI connector to. OpenAI data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your OpenAI connector is now pulling access data into C1.
  </Tab>
</Tabs>
