What are resources?

In C1, a resource represents any object within an application. Think of resources as the specific items you want to manage access for. Common examples of resources include:
  • Roles
  • Groups
  • Permission sets
  • Profiles
  • Licenses
  • S3 buckets
Resources are always specific to a particular application. C1’s flexible data model allows you to easily model and manage these resources, along with the entitlements (the specific access rights) associated with each resource. C1 automatically identifies and creates resources when application data is ingested through connectors or file uploads. These resources form the foundation for all permission management activities within C1. You can view all of an application’s resources on the Resources tab.

What is the Credential resource?

Every application managed within C1 includes a unique default resource known as the Credential resource. This resource always contains exactly one entitlement, called Access. The Credential resource represents the fundamental ability to have an account within that specific application. The Access entitlement is used to reference and manage accounts associated with the application. This design allows C1 to uniformly manage both accounts and general application access as if they were standard resources and entitlements. Example use cases:
  • Making new accounts requestable: To allow users to request new accounts within an application, configure the access controls directly on the Access entitlement of the application’s Credential resource.
  • Running account-level access reviews: If you need to perform an access review for all users who possess any account within a particular application, select the application’s Credential resource as the target for the review.

Creating resources

Most resources in C1 are created automatically when application data is ingested. Our connectors are designed to identify and synchronize essential resources (such as roles, groups, and permissions) from your connected applications directly into C1. This automated process ensures that your resource inventory is always up to date. In specific scenarios where a resource cannot be automatically ingested (such as for custom or non-standard objects), resources can be created manually. You can do this via the C1 API or by creating a virtual entitlement.

Managing resources

Once resources are in C1, you can manage their associated metadata, even if they were automatically ingested by a connector. To manage a resource, navigate to the resource’s details page:
1. Navigate to the Apps page and click Resources.
2. Click the name of the resource you want to manage.
From the resource detail page, you can rename the resource, update its owners, and change the resource’s description.

Rename the resource

If you change the name of the resource, C1 will remember and persist this change through future connector syncs, but the new name will not be written back to the connected application. To change the resource name:
1. On the resource’s details page, click on the current resource name. This transforms the name into an editable text box.
2. Enter the new name, then press Enter or click outside of the field to save your changes.

Change resource owners

Resource owners can be the target of policy approval steps. For example, a policy might require a resource owner to approve an access request for sensitive data or roles. To edit the resource owner:
1. On the resource’s details page, click Edit.
2. In the Owner field, add or remove owners as needed.
3. Click Save.

Change resource description

By default, resource descriptions are auto-generated to provide a basic explanation of their functionality, but you can edit these default descriptions to provide more tailored information. Resource descriptions are displayed to users during access reviews. To edit the resource description:
1. On the resource’s details page, click Edit.
2. Update the contents of the Description field.
3. Click Save.

View a resource’s grants

A grant signifies that an application account has been explicitly assigned an entitlement (a specific access right) on a resource. Viewing grants allows you to see who currently has access to a particular resource. To view a resource’s current grants:
1. Navigate to the Apps page and click Resources.
2. Click the name of the resource. The resource’s details page opens.
3. Click Grants.
This tab displays a comprehensive list of all accounts that have been assigned entitlements for this resource. You can filter this list by account type and status.

Resource visibility controls

Resource visibility controls let you determine who can see a resource and its entitlements in C1. By default, resources are visible to everyone in your organization. You can restrict visibility so that only users who have been granted entitlements on the resource, or resource owners, can view it. This is useful when you want to limit the exposure of sensitive resources — for example, resources related to production infrastructure, privileged roles, or restricted data. Users with the SuperAdmin role can always see all resources and entitlements, regardless of visibility settings.

Visibility options

| Setting | Who can view the resource |
| --- | --- |
| Everyone | All users in your organization can see the resource and its entitlements. This is the default setting. |
| Members | Users who have been granted any entitlement on this resource. Owners of this resource, owners of any entitlement on this resource, and the parent app owner can also see it. |
| Owners | Only the owner of this specific resource, owners of entitlements on this specific resource, and the parent app owner. |

Set resource visibility

1. Navigate to the Apps page, select the application, and click the Resources tab.
2. Click the name of the resource you want to configure.
3. In the Visibility and requests section, click Edit.
4. Under Access configuration, select one of the three visibility options: Everyone, Members, or Owners.
5. Click Save to apply your changes.
When you restrict a resource’s visibility, users who are not permitted to view the resource will not see it or its entitlements in search results, directory listings, or other areas of the C1 interface.
Access profiles take priority over visibility settings. If a user is included in an access profile that grants or allows requests to an entitlement on a restricted resource, that user will still be able to see and request the entitlement in the access catalog, regardless of the resource’s visibility setting.
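
The following is an added example, not C1 code or its API: a small Python model of the visibility rules above that can be used to reason about who still sees an entitlement on a restricted resource through an access profile. The class, function, and user names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    visibility: str  # "Everyone", "Members" or "Owners"
    resource_owners: set = field(default_factory=set)
    entitlement_owners: set = field(default_factory=set)  # owners of any entitlement on it
    app_owners: set = field(default_factory=set)  # parent app owner
    grantees: set = field(default_factory=set)  # users granted any entitlement on it
    # entitlement name -> users in an access profile that grants it or allows requests
    profile_users: dict = field(default_factory=dict)

def can_view_resource(user, res, super_admins=frozenset()):
    """Apply the visibility setting; SuperAdmins always see everything."""
    if user in super_admins or res.visibility == "Everyone":
        return True
    owner_side = res.resource_owners | res.entitlement_owners | res.app_owners
    if res.visibility == "Owners":
        return user in owner_side
    if res.visibility == "Members":
        return user in owner_side or user in res.grantees
    raise ValueError(f"unknown visibility setting: {res.visibility!r}")

def can_see_in_catalog(user, res, entitlement, super_admins=frozenset()):
    """Access profiles take priority for the entitlements they cover."""
    if user in res.profile_users.get(entitlement, set()):
        return True
    return can_view_resource(user, res, super_admins)

def profile_only_exposure(res, users, super_admins=frozenset()):
    """(user, entitlement) pairs visible only because of an access profile."""
    return {
        (u, ent)
        for ent, covered in res.profile_users.items()
        for u in users
        if u in covered and not can_view_resource(u, res, super_admins)
    }

# Constructed sample: a production resource restricted to Owners.
PROD_DB = Resource(
    visibility="Owners",
    resource_owners={"dana"},
    entitlement_owners={"eli"},
    app_owners={"frank"},
    grantees={"gina"},
    profile_users={"admin": {"hugo"}},
)
USERS = {"dana", "eli", "frank", "gina", "hugo", "ivy", "root"}
```

Running `profile_only_exposure` over each restricted resource gives a review list of users whose catalog visibility comes from an access profile rather than from the resource’s visibility setting.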

Delete a resource

You can delete manually created resources from C1.
Important: Resources that have been synchronized from a connector cannot be deleted directly within C1. These resources represent the authoritative “truth” as defined in your connected software tool. To remove such a resource from C1, you must first delete it within the source tool itself, and the resource will be removed from C1 on the next data sync.
To delete a manually created resource:
1. Navigate to the Apps page and click Resources.
2. Click the name of the resource. The resource’s details page opens.
3. Click the (more actions) menu and select Delete.
You’ll be asked to confirm your action before you proceed.