> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Workato connector
> C1 provides identity governance and just-in-time provisioning for Workato. Integrate your Workato instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :--------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Privileges | | |
| Roles | | |
| Folders | | |
| Projects | | |
## Gather Workato credentials
Each setup method requires you to pass in credentials generated in Workato. Gather these credentials before you move on.
### Create a client role
In Workato, navigate to **Workspace admin** > **API clients** > **Client roles** > **Add client role**.
Give the new client role a name, such as "C1 integration role".
Select the following endpoints:
| Area | Section | Action | API Endpoint |
| :--------------------------------------------------------------------------------------------------------- | :----------------- | :---------------------------- | :-------------------------------- |
| **Projects** | Projects & Folders | List projects | `GET /api/projects` |
| | Projects & Folders | List folders | `GET /api/folders` |
| **Admin** | Collaborators | Get collaborators | `GET /api/members` |
| | Collaborators | Get collaborator | `GET /api/members/:id` |
| | Collaborators | Update collaborators' roles\* | `PUT /api/members/:id` |
| | Collaborators | Get collaborator privileges | `GET /api/members/:id/privileges` |
| | Collaborator roles | List non-system roles | `GET /api/roles` |
| \*If you don't want to use C1 to provision role assignments, you can skip **Update collaborator’s roles**. | | | |
Save the new role.
### Create an API client
Navigate to **Workspace admin** and select **API clients** > **Create API client**.
Give the new client a name, such as "C1 integration".
Select the client role you set up above.
If your workspace has environments enabled, select the environment the API client (and by extension, C1) is allowed to access.
Select the projects the API client is allowed to access.
If needed, add allowed IP ranges that API requests using this token can originate from ([view C1's IP addresses](/baton/faq/)).
Click **Create client**
The new client's API token is shown. Carefully copy and save the API token.
### Look up your data center location
You'll also need to specify the location of your Workato data center. Workato displays your data center in the base URL of the API endpoint:
* US Data Center: [https://www.workato.com/api/](https://www.workato.com/api/)
* EU Data Center: [https://app.eu.workato.com/api/](https://app.eu.workato.com/api/)
* JP Data Center: [https://app.jp.workato.com/api/](https://app.jp.workato.com/api/)
* SG Data Center: [https://app.sg.workato.com/api/](https://app.sg.workato.com/api/)
* AU Data Center: [https://app.au.workato.com/api/](https://app.au.workato.com/api/)
**Done.** Next, move on to the connector configuration instructions.
## Configure the Workato connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Workato credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Workato** and click **Add**.
Choose how to set up the new Workato connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter the API token in the **API key** field.
In the **Data center** field, enter one of `us`, `eu`, `jp`, `sg`, or `au` to identify the location of your Workato data center. The default is `us`.
In the **Environment** field, enter one of `dev`, `test`, or `prod` to identify your Workato environment. The default is `dev`.
**Optional.** If desired, check the box to **Disable custom roles sync**.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Workato connector is now pulling access data into C1.
**Follow these instructions to use the Workato connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-workato): For stable binaries (Windows/Linux/macOS) and container images.
* [GitHub repository](https://github.com/conductorone/baton-workato): Access the source code, report issues, or contribute to the project.
### Step 1: Configure the Workato connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Workato connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Workato connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-workato-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-workato-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Workato credentials
BATON_WORKATO_API_KEY:
BATON_WORKATO_DATA_CENTER:
BATON_WORKATO_ENV:
# Optional: include if you don't want to sync custom Workato roles
BATON_DISABLE_CUSTOM_ROLES_SYNC: true
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-workato.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-workato
labels:
app: baton-workato
spec:
selector:
matchLabels:
app: baton-workato
template:
metadata:
labels:
app: baton-workato
baton: true
baton-app: workato
spec:
containers:
- name: baton-workato
image: ghcr.io/conductorone/baton-workato:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-workato
envFrom:
- secretRef:
name: baton-workato-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Workato connector to. Workato data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Workato connector is now pulling access data into C1.