
# Set up Retool connector

> C1 provides identity governance and just-in-time provisioning for Retool. Integrate your Retool instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource      | Sync                                                          | Provision                                                     |
| :------------ | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Groups        | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Organizations | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Pages (Apps)  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Resources     | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

## Gather Retool credentials

Configuring the connector requires you to pass in credentials generated in Retool. Gather these credentials before you move on.

<Warning>
  A user with the ability to create a new user in Retool must perform this task.
</Warning>

### Create a Retool user and compose the connection string

<Steps>
  <Step>
    Connect to the Retool database and create a new user. The connector will use this user to connect to the PostgreSQL database. Make sure to create and save a secure password:

    `CREATE USER baton WITH PASSWORD 'secure-password';`
  </Step>

  <Step>
    Grant the new user the following privileges, which are required by the connector for inspecting Retool privileges:

    ```sql expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    GRANT SELECT ("id", "name", "organizationId", "universalAccess", "universalResourceAccess", "universalQueryLibraryAccess", "userListAccess", "auditLogAccess", "unpublishedReleaseAccess") ON groups TO baton;
    GRANT SELECT, INSERT, UPDATE ("id", "accessLevel"), DELETE ON group_pages TO baton;
    GRANT SELECT, INSERT, UPDATE ("id", "accessLevel") ON group_folder_defaults TO baton;
    GRANT SELECT, INSERT, UPDATE ("id", "accessLevel") ON group_resources TO baton;
    GRANT SELECT, INSERT, UPDATE ("id", "accessLevel") ON group_resource_folder_defaults TO baton;
    GRANT SELECT ("id", "name") ON organizations TO baton;
    GRANT SELECT ("id", "name", "organizationId", "folderId", "photoUrl", "description", "deletedAt") ON pages TO baton;
    GRANT SELECT ("id", "name", "organizationId", "type", "displayName", "environmentId", "resourceFolderId") ON resources TO baton;
    GRANT SELECT ("id", "email", "firstName", "lastName", "profilePhotoUrl", "userName", "enabled", "lastLoggedIn", "organizationId") ON users TO baton;
    -- DELETE cannot take a column list in PostgreSQL; it is granted at table level below.
    GRANT SELECT, INSERT, UPDATE ("id", "userId", "groupId", "isAdmin", "updatedAt") ON user_groups TO baton;
    GRANT USAGE, SELECT ON SEQUENCE user_groups_id_seq TO baton;
    GRANT DELETE ON user_groups TO baton;
    ```
  </Step>

  <Step>
    Compose and save the Retool connection string you'll use when setting up the connector. This string will be in this form:

    `"user=baton password=secure-password host=localhost port=5432 dbname=hammerhead_production"`
  </Step>
</Steps>
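
To confirm that the grants above produced the narrowly scoped role you intended, you can audit the effective privileges of `baton` before handing its password to the connector. The queries below are an added example, not part of the connector's own documentation or code; they assume the Retool tables live in the `public` schema.

```sql
-- Added example: audit the effective privileges of the "baton" role.
-- Assumption: Retool's tables live in the "public" schema; adjust nspname if not.

-- 1. Role attributes. Every flag should be false for a connector account.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolreplication, rolbypassrls
FROM pg_roles
WHERE rolname = 'baton';

-- 2. Per-table view of what baton can read or change, including anything
--    inherited from PUBLIC or from other roles. Tables missing from the
--    result grant baton none of the checked privileges.
SELECT c.relname AS table_name,
       has_table_privilege('baton', c.oid, 'INSERT') AS can_insert,
       has_table_privilege('baton', c.oid, 'DELETE') AS can_delete,
       has_table_privilege('baton', c.oid, 'TRUNCATE') AS can_truncate,
       string_agg(a.attname::text, ', ' ORDER BY a.attnum)
         FILTER (WHERE has_column_privilege('baton', c.oid, a.attnum, 'SELECT'))
         AS readable_columns,
       string_agg(a.attname::text, ', ' ORDER BY a.attnum)
         FILTER (WHERE has_column_privilege('baton', c.oid, a.attnum, 'UPDATE'))
         AS updatable_columns
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attnum > 0
                   AND NOT a.attisdropped
WHERE c.relkind = 'r'
  AND n.nspname = 'public'
GROUP BY c.oid, c.relname
HAVING has_table_privilege('baton', c.oid, 'INSERT, DELETE, TRUNCATE')
    OR bool_or(has_column_privilege('baton', c.oid, a.attnum, 'SELECT, UPDATE'))
ORDER BY c.relname;

-- 3. The sequence behind user_groups.id, needed for INSERTs into user_groups.
SELECT has_sequence_privilege('baton', 'user_groups_id_seq', 'USAGE') AS seq_usage;
```

Compare each row against the `GRANT` statements: any table, readable column, or updatable column that does not appear in them comes from a grant to `PUBLIC` or to another role that `baton` inherits from.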

**Done.** Next, move on to the connector configuration instructions.

## Configure the Retool connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Retool credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    *Cloud-hosted connector not currently available.*
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Retool connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [GitHub repository](https://github.com/conductorone/baton-retool): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Retool connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Retool connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Retool connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-retool-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-retool-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>
      
      # Retool credentials
      BATON_CONNECTION_STRING: <The Retool connection string, in format "user=baton password=secure-password host=localhost port=5432 dbname=hammerhead_production">

      # Optional: include if you want C1 to provision access using this connector.
      # stringData values must be strings, so the value is quoted.
      BATON_PROVISIONING: "true"
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-retool.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-retool
      labels:
        app: baton-retool
    spec:
      selector:
        matchLabels:
          app: baton-retool
      template:
        metadata:
          labels:
            app: baton-retool
            # Label values must be strings, so the value is quoted.
            baton: "true"
            baton-app: retool
        spec:
          containers:
          - name: baton-retool
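            # "latest" is a mutable tag; pin a specific release tag or image digest for reproducible deployments.
            image: ghcr.io/conductorone/baton-retool:latest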
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-retool
            envFrom:
            - secretRef:
                name: baton-retool-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Retool connector to. Retool data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Retool connector is now pulling access data into C1.
  </Tab>
</Tabs>
