C1 provides identity governance and just-in-time provisioning for Treasure AI. Integrate your Treasure AI instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.
The Treasure AI connector syncs the following resources from Treasure AI CDP (REST API v3):
Resource
Sync
Provision
Users
Delete
Roles
Policies
Grant/Revoke
Policy Groups
Grant/Revoke
Users: All Treasure AI users with email, name, and admin status. Delete user supported.
Roles: Account roles derived from the administrator field (Admin or User). Read-only — roles are determined when a user is created in the Treasure AI Console and cannot be granted or revoked via the API. Role membership is not tracked as grants in the sync bundle.
Policies: Access control policies defining fine-grained permissions on databases, workflows, segments, etc. Only available when PBAC (Policy-Based Access Control) is enabled.
Policy Groups: Delegated access groups that associate users and policies. Only available when PBAC is enabled.
Policies and Policy Groups require the PBAC paid add-on. These resources are opt-in and can be enabled from the C1 connector settings. Without opt-in, only Users and Roles are synced.Required permissions by resource type:
Resource
Requirements
Users
Master API Key
Roles
Master API Key
Policies
Master API Key + PBAC paid add-on
Policy Groups
Master API Key + PBAC + Delegated Admin feature
Grant and revoke operations for Policy Groups replace the entire member list for a group. The connector reads current membership before writing to preserve existing members not involved in the operation.
Copy your Master API key.For production use, we recommend creating a dedicated service user (for example, c1-service@your-domain.com) with read-only access to:
Access control APIs (users, policies, policy groups, permissions)
User and account metadata
Generate a Master API key for that service user.
4
Determine your region endpoint:
Region
Base URL
US (default)
https://api.treasuredata.com
EU
https://api.eu01.treasuredata.com
Japan
https://api.treasuredata.co.jp
Korea
https://api.ap02.treasuredata.com
5
If your account has IP allowlisting enabled, add C1’s egress IP range(s) to the allowlist for the service user.
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Treasure AI and click Add.
3
Choose how to set up the new Treasure AI connector:
Add the connector to a currently unmanaged app
Add the connector to a managed app
Create a new managed app
4
Set the owner for this connector.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the required configuration:
API Key: Your Treasure AI Master API key (TD1 scheme).
Base URL (optional): API base URL for your region. Defaults to https://api.treasuredata.com (US). Set to https://api.eu01.treasuredata.com for EU, https://api.treasuredata.co.jp for Japan, or https://api.ap02.treasuredata.com for Korea.
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your Treasure AI connector is now pulling access data into C1.
Follow these instructions to use the Treasure AI connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.
# baton-treasure-data-secrets.yamlapiVersion: v1kind: Secretmetadata: name: baton-treasure-data-secretstype: OpaquestringData: # C1 credentials BATON_CLIENT_ID: <C1 client ID> BATON_CLIENT_SECRET: <C1 client secret> # Treasure AI credentials BATON_TREASURE_DATA_API_KEY: <Treasure AI Master API key> BATON_TREASURE_DATA_BASE_URL: <API base URL, for example https://api.treasuredata.com> # Optional: include if you want C1 to provision access using this connector BATON_PROVISIONING: true # Optional: restrict which resource types are synced. # Use this if your account has PBAC but not Delegated Admin # (to exclude Policy Groups). Example: user,role,policy # BATON_SYNC_RESOURCE_TYPES: user,role,policy
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the Treasure AI connector to. Treasure AI data should be found on the Entitlements and Accounts tabs.
Done. Your Treasure AI connector is now pulling access data into C1.
