diff --git a/baton/artifactory.mdx b/baton/artifactory.mdx
index 066faf5..04f0f72 100644
--- a/baton/artifactory.mdx
+++ b/baton/artifactory.mdx
@@ -10,13 +10,23 @@ sidebarTitle: "JFrog Artifactory"
| Resource | Sync | Provision |
| :--- | :--- | :--- |
-| Account | | |
-| Group | | |
-| Repository | | |
+| Account | | |
+| Administrator | | |
+| Group | | |
+| Repository | | |
**Additional functionality:**
-*None.*
+- **Create user accounts** — Provision new Artifactory users with a randomly generated password.
+- **Delete user accounts** — Remove users from Artifactory.
+- **Grant/revoke Administrator role** — Assign or remove the platform admin flag on a user.
+- **Grant/revoke group membership** — Add or remove users from Artifactory groups.
+- **Grant/revoke repository permissions** — Manage per-repository permissions (Read, Write, Delete, Manage, Annotate, Managed Xray Metadata) for both users and groups. Permissions are managed via baton-owned permission targets.
+
+**Known limitations:**
+
+- Repository permissions granted via pre-existing Artifactory permission targets (not created by C1) cannot be revoked through this connector. Only permissions provisioned by C1 can be revoked.
+- When a user inherits a repository permission from multiple groups, the connector attributes the grant to one group.
## Gather Artifactory configuration information
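Review bot: The second entry under **Known limitations** says a repository permission inherited from multiple groups is attributed to one group, but it does not say what that means for revocation or access reviews. Suggest adding a sentence stating whether revoking the attributed group's grant leaves the user's access in place through the other groups, and how an admin can find those groups. In the same hunk, "Create user accounts" mentions a randomly generated password without saying how it is delivered to the user or whether it must be changed at first login, and "baton-owned permission targets" would be easier to audit if the doc said how those targets are named or otherwise told apart from pre-existing ones.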
diff --git a/baton/capabilities.mdx b/baton/capabilities.mdx
index eaeb087..567bbef 100644
--- a/baton/capabilities.mdx
+++ b/baton/capabilities.mdx
@@ -34,7 +34,7 @@ og:description: "A quick reference for how each connector can be set up and what
| [Airflow](/baton/airflow) | | | |
| [Amazon EKS](/baton/eks) | | | |
| [ArgoCD](/baton/argo-cd) | | | |
-| [Artifactory](/baton/artifactory) | | | |
+| [Artifactory](/baton/artifactory) | | | |
| [Asana](/baton/asana) | | | |
| [Atlassian](/baton/atlassian) | | | |
| [Auth0](/baton/auth0) | | | |
diff --git a/baton/claude-enterprise.mdx b/baton/claude-enterprise.mdx
index 92b5c4c..dda3a18 100644
--- a/baton/claude-enterprise.mdx
+++ b/baton/claude-enterprise.mdx
@@ -15,20 +15,64 @@ The Claude Enterprise connector syncs the following resources:
| Resource | Sync | Provision |
| :--- | :--- | :--- |
-| Accounts | | |
-| Groups | | |
+| Accounts | | Create, Delete |
+| Groups | | Grant, Revoke |
{/* AUTO-GENERATED:END - capabilities */}
+**Additional functionality:**
+
+ Supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning)
+
+#### Account creation fields
+
+When provisioning a new Claude Enterprise user account, C1 prompts for the following field:
+
+| Field | Required | Description |
+| :--- | :--- | :--- |
+| `display_name` | Yes | The user's first and last name, space-separated (e.g., "Jane Smith"). The first word is used as the given name; the remainder is used as the family name. |
+
+The user's email address is provided automatically by C1 and is used as the SCIM username. No password is required — Claude Enterprise authenticates users through SSO, so accounts are created without credentials.
+
+## SCIM-only connector
+
+This connector uses the SCIM 2.0 API exclusively. Claude Enterprise does not currently offer an Admin API for managing users and groups, so SCIM is the only programmatic interface available.
+
+### What this means in practice
+
+- **Only SCIM-managed users and groups are visible.** Users or groups created directly through the Claude Enterprise UI will not appear in syncs. To get full visibility, all user management should flow through SCIM.
+- **Groups are managed through SCIM only.** The connector can sync groups and grant or revoke group membership, but it cannot create or delete groups. Groups must be created outside of C1 (e.g., through your identity provider or directly via the SCIM API).
+- **Claude Enterprise uses WorkOS under the hood** for its SCIM implementation. The SCIM endpoint URL provided during setup points to the WorkOS SCIM service.
+
+### What SCIM provides
+
+| Capability | Supported |
+| :--- | :--- |
+| Provision (create) user | |
+| Deprovision (delete) user | |
+| Add user to group | |
+| Remove user from group | |
+| Sync all users | |
+| Sync all groups and memberships | |
+| Create or delete groups | |
+| Assign roles | |
+| Manage workspace settings | |
+
+
+If Anthropic adds an Admin API in the future, the connector can be extended to support additional capabilities such as role management.
+
+
## Gather Claude Enterprise credentials
+Configuring the connector requires you to generate SCIM credentials in Claude Enterprise. Gather these credentials before you move on.
+
-To configure the Claude Enterprise connector, the Primary Owner of the Claude Enterprise organization must first enable SCIM provisioning. SCIM is only available on Enterprise plans.
+The **Primary Owner** of the Claude Enterprise organization must perform this task. SCIM provisioning is only available on Enterprise plans.
- In Claude Enterprise, navigate to **Settings** > **Identity and access** > **Setup SCIM**.
+ Sign into [claude.ai](https://claude.ai) and navigate to **Settings** > **Identity and access** > **Setup SCIM**.
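Review bot: The `display_name` row in "Account creation fields" documents the split (first word as given name, remainder as family name) but not the edge cases: a single-word value leaves no family name, and a multi-word given name such as "Mary Ann Smith" is split after the first word. Suggest stating what the connector sends for a single-word value and whether provisioning fails or proceeds. Two smaller points: `#### Account creation fields` is an h4 that is immediately followed by `## SCIM-only connector` with no h3 between them, and "Sign into" in the last added line should read "Sign in to".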
@@ -40,183 +84,202 @@ To configure the Claude Enterprise connector, the Primary Owner of the Claude En
-
-The SCIM connector only sees users and groups managed through SCIM. Users added via the Claude Enterprise UI will not appear in syncs.
-
+**That's it!** Next, move on to the connector configuration instructions.
## Configure the Claude Enterprise connector
+
+To complete this task, you'll need:
+
+- The **Connector Administrator** or **Super Administrator** role in C1
+- Access to the Claude Enterprise SCIM credentials generated by following the instructions above
+
+
- Follow these instructions to use a built-in, no-code connector hosted by C1.
-
-
- In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
-
+ **Follow these instructions to use a built-in, no-code connector hosted by C1.**
+
+
+
+ In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
+
-
- Search for **Claude Enterprise** and click **Add**.
-
+
+ Search for **Claude Enterprise** and click **Add**.
+
-
- Choose how to set up the new Claude Enterprise connector:
+
+ Choose how to set up the new Claude Enterprise connector:
- - Add the connector to a currently unmanaged app
- - Add the connector to a managed app
- - Create a new managed app
-
+ - Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
+ - Add the connector to a managed app (select from the list of existing managed apps)
+ - Create a new managed app
+
-
- Set the owner for this connector.
-
+
+ Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
-
- Click **Next**.
-
+ If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
+
-
- Find the **Settings** area of the page and click **Edit**.
-
+
+ Click **Next**.
+
+
+
+ Find the **Settings** area of the page and click **Edit**.
+
{/* AUTO-GENERATED:START - config-params
Generated from config_schema.json. Do not edit manually. */}
-
- Enter the required configuration:
+
+ Enter the required configuration:
- - **SCIM Token** (required): SCIM bearer token for Claude Enterprise (from claude.ai > Settings > Identity and access)
- - **SCIM URL**: SCIM endpoint URL. Defaults to the WorkOS SCIM endpoint configured during setup.
-
+ - **SCIM Token** (required): The SCIM bearer token for Claude Enterprise (from claude.ai > Settings > Identity and access).
+ - **SCIM URL** (required): The SCIM endpoint URL provided during SCIM setup (from claude.ai > Settings > Identity and access). This is the WorkOS SCIM endpoint generated for your organization.
+
{/* AUTO-GENERATED:END - config-params */}
-
- Click **Save**.
-
+
+ Click **Save**.
+
+
+
+ The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
+
+
-
- The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
-
-
+ **That's it!** Your Claude Enterprise connector is now pulling access data into C1.
- **That's it!** Your Claude Enterprise connector is now pulling access data into C1.
- Follow these instructions to use the [Claude Enterprise](https://github.com/ConductorOne/baton-claude-enterprise) connector, hosted and run in your own environment.
- When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.
+ **Follow these instructions to use the Claude Enterprise connector, hosted and run in your own environment.**
+
+ When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
+
+ ### Resources
- ### Step 1: Set up a new Claude Enterprise connector
+ * [Official download center](https://dist.conductorone.com/ConductorOne/baton-claude-enterprise): For stable binaries (Windows/Linux/macOS) and container images.
-
-
- In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
-
+ * [GitHub repository](https://github.com/ConductorOne/baton-claude-enterprise): Access the source code, report issues, or contribute to the project.
-
- Search for **Baton** and click **Add**.
-
+ ### Step 1: Set up a new Claude Enterprise connector
-
- Choose how to set up the new Claude Enterprise connector:
+
+
+ In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
+
- - Add the connector to a currently unmanaged app
- - Add the connector to a managed app
- - Create a new managed app
-
+
+ Search for **Baton** and click **Add**.
+
-
- Set the owner for this connector.
-
+
+ Choose how to set up the new Claude Enterprise connector:
-
- Click **Next**.
-
+ - Add the connector to a currently unmanaged app
+ - Add the connector to a managed app
+ - Create a new managed app
+
-
- In the **Settings** area of the page, click **Edit**.
-
+
+ Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
-
- Click **Rotate** to generate a new Client ID and Secret.
+ If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
+
- Carefully copy and save these credentials.
-
-
+
+ Click **Next**.
+
- ### Step 2: Create Kubernetes configuration files
+
+ In the **Settings** area of the page, click **Edit**.
+
- Create two Kubernetes manifest files for your Claude Enterprise connector deployment:
+
+ Click **Rotate** to generate a new Client ID and Secret.
- #### Secrets configuration
+ Carefully copy and save these credentials. We'll use them in Step 2.
+
+
- ```yaml expandable
- # baton-claude-enterprise-secrets.yaml
- apiVersion: v1
- kind: Secret
- metadata:
- name: baton-claude-enterprise-secrets
- type: Opaque
- stringData:
- # C1 credentials
- BATON_CLIENT_ID:
- BATON_CLIENT_SECRET:
+ ### Step 2: Create Kubernetes configuration files
- # Claude Enterprise SCIM credentials
- BATON_SCIM_TOKEN:
- BATON_SCIM_URL:
- ```
+ Create two Kubernetes manifest files for your Claude Enterprise connector deployment:
- See the connector's README or run `--help` to see all available configuration flags and environment variables.
+ #### Secrets configuration
- #### Deployment configuration
+ ```yaml expandable
+ # baton-claude-enterprise-secrets.yaml
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: baton-claude-enterprise-secrets
+ type: Opaque
+ stringData:
+ # C1 credentials
+ BATON_CLIENT_ID:
+ BATON_CLIENT_SECRET:
- ```yaml expandable
- # baton-claude-enterprise.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: baton-claude-enterprise
- labels:
+ # Claude Enterprise SCIM credentials
+ BATON_SCIM_TOKEN:
+ BATON_SCIM_URL:
+ ```
+
+ See the connector's README or run `--help` to see all available configuration flags and environment variables.
+
+ #### Deployment configuration
+
+ ```yaml expandable
+ # baton-claude-enterprise.yaml
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: baton-claude-enterprise
+ labels:
+ app: baton-claude-enterprise
+ spec:
+ selector:
+ matchLabels:
app: baton-claude-enterprise
- spec:
- selector:
- matchLabels:
+ template:
+ metadata:
+ labels:
app: baton-claude-enterprise
- template:
- metadata:
- labels:
- app: baton-claude-enterprise
- baton: "true"
- baton-app: claude-enterprise
- spec:
- containers:
- - name: baton-claude-enterprise
- image: public.ecr.aws/conductorone/baton-claude-enterprise:latest
- imagePullPolicy: IfNotPresent
- env:
- - name: BATON_HOST_ID
- value: baton-claude-enterprise
- envFrom:
- - secretRef:
- name: baton-claude-enterprise-secrets
- ```
-
- ### Step 3: Deploy the connector
-
-
-
- Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
-
-
-
- Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Claude Enterprise connector to. Claude Enterprise data should be found on the **Entitlements** and **Accounts** tabs.
-
-
-
- **That's it!** Your Claude Enterprise connector is now pulling access data into C1.
+ baton: "true"
+ baton-app: claude-enterprise
+ spec:
+ containers:
+ - name: baton-claude-enterprise
+ image: public.ecr.aws/conductorone/baton-claude-enterprise:latest
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: BATON_HOST_ID
+ value: baton-claude-enterprise
+ envFrom:
+ - secretRef:
+ name: baton-claude-enterprise-secrets
+ ```
+
+ ### Step 3: Deploy the connector
+
+
+
+ Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
+
+
+
+ Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Claude Enterprise connector to. Claude Enterprise data should be found on the **Entitlements** and **Accounts** tabs.
+
+
+
+ **That's it!** Your Claude Enterprise connector is now pulling access data into C1.
+
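Review bot: The deployment manifest keeps `image: public.ecr.aws/conductorone/baton-claude-enterprise:latest` together with `imagePullPolicy: IfNotPresent`, so the image is unpinned and a node that already has a cached `latest` never picks up a newer one. Since these lines are being re-indented anyway, suggest documenting a version tag or digest placeholder instead of `latest`, or at least noting that the tag should be pinned in production. Separately, the **SCIM URL** bullet is changed to "(required)" inside the block marked `AUTO-GENERATED:START - config-params` / "Generated from config_schema.json. Do not edit manually."; unless `config_schema.json` is updated in the same change, the next regeneration will revert this wording.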
diff --git a/baton/google-workspace.mdx b/baton/google-workspace.mdx
index a2277cd..092239f 100644
--- a/baton/google-workspace.mdx
+++ b/baton/google-workspace.mdx
@@ -86,7 +86,7 @@ Click **Enable**.
-**Optional.** If you want to use the group settings connector action, you must also search for, select, and enable the **Groups Settings API**.
+**Optional.** If you want to use the group settings connector action, you must also search for, select, and enable the **Groups Settings API**.
**Optional.** If you want to enable **Sync Enterprise Apps**, you must also search for, select, and enable the **Cloud Identity API**.
@@ -334,7 +334,7 @@ When running in service mode on Kubernetes, a self-hosted connector maintains an
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-google-workspace): For stable binaries (Windows/Linux/macOS) and container images.
-* [GitHub repository](https://github.com/conductorone/baton-google-workspace): Access the source code, report issues, or contribute to the project.
+* [GitHub repository](https://github.com/ConductorOne/baton-google-workspace): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new Google Workspace connector
@@ -485,7 +485,7 @@ Re-add the relevant scopes:
Read/Write
- ```bash
+ ```bash
https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.datatransfer, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/apps.groups.settings
```
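Review bot: The fence touched here is tagged `bash`, but its content is a comma-separated list of OAuth scopes, not a shell command. While the fence line is being edited, suggest tagging it `text` so it is not highlighted or copied as something to run. The Read/Write list in the context line also carries `admin.directory.group.readonly` next to `admin.directory.group`; worth confirming both are needed, since admins paste this list as-is when granting domain-wide access.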
diff --git a/baton/salesforce.mdx b/baton/salesforce.mdx
index 12b9d2a..d855ece 100644
--- a/baton/salesforce.mdx
+++ b/baton/salesforce.mdx
@@ -202,7 +202,7 @@ When running in service mode on Kubernetes, a self-hosted connector maintains an
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-salesforce): For stable binaries (Windows/Linux/macOS) and container images.
-* [GitHub repository](https://github.com/conductorone/baton-salesforce): Access the source code, report issues, or contribute to the project.
+* [GitHub repository](https://github.com/ConductorOne/baton-salesforce): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new Salesforce connector
diff --git a/baton/tableau.mdx b/baton/tableau.mdx
index 0737b53..bf38278 100644
--- a/baton/tableau.mdx
+++ b/baton/tableau.mdx
@@ -143,7 +143,7 @@ When running in service mode on Kubernetes, a self-hosted connector maintains an
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-tableau): For stable binaries (Windows/Linux/macOS) and container images.
-* [GitHub repository](https://github.com/conductorone/baton-tableau): Access the source code, report issues, or contribute to the project.
+* [GitHub repository](https://github.com/ConductorOne/baton-tableau): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new Tableau connector
diff --git a/baton/zoom.mdx b/baton/zoom.mdx
index e7602a8..fb2c2da 100644
--- a/baton/zoom.mdx
+++ b/baton/zoom.mdx
@@ -14,10 +14,11 @@ This connector works with Zoom on the Pro, Business, Business Plus, or Enterpris
| Resource | Sync | Provision |
| ------------ | ---- | --------- |
-| Accounts | | |
-| Groups | | |
+| Accounts | | |
+| Groups | | |
| Roles | | |
| Contact groups | | |
+| Invites | | |
The Zoom connector supports [automatic account provisioning](/product/admin/account-provisioning).
@@ -143,6 +144,9 @@ Enter the account ID for the new app into the **Account ID** fields.
Enter the Client ID and Client secret into the **Client ID** and **Client secret** fields.
+Optionally, enable **Sync Inactive Users** to include deactivated Zoom users in the sync. When enabled, inactive users appear with a disabled status in C1. This is disabled by default.
+
+
Click **Save**.
@@ -159,7 +163,7 @@ When running in service mode on Kubernetes, a self-hosted connector maintains an
### Resources
-* [GitHub repository](https://github.com/conductorone/baton-zoom): Access the source code, report issues, or contribute to the project.
+* [GitHub repository](https://github.com/ConductorOne/baton-zoom): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new Zoom connector
@@ -221,6 +225,9 @@ stringData:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
+
+ # Optional: sync deactivated Zoom users (disabled by default)
+ BATON_SYNC_INACTIVE_USERS: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
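Review bot: The added `BATON_SYNC_INACTIVE_USERS: true` sits under `stringData:`, where every value must be a string; an unquoted `true` is parsed as a YAML boolean and the Secret will be rejected on apply. Suggest `BATON_SYNC_INACTIVE_USERS: "true"`. The neighbouring context line `BATON_PROVISIONING: true` has the same problem and could be quoted in the same change.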
diff --git a/docs.json b/docs.json
index 69fe3c8..41cf66f 100644
--- a/docs.json
+++ b/docs.json
@@ -355,6 +355,7 @@
"baton/duo",
"baton/cisco-meraki",
"baton/claude-developer-platform",
+ "baton/claude-enterprise",
"baton/clickhouse-cloud",
"baton/cloudamqp",
"baton/cloudflare",
@@ -428,8 +429,8 @@
"baton/microsoft-dynamics",
"baton/microsoft-dynamics-fo",
"baton/microsoft-entra",
- "baton/fileshare",
"baton/sharepoint",
+ "baton/fileshare",
"baton/miro",
"baton/mode",
"baton/monday",
@@ -782,4 +783,3 @@
},
"theme": "aspen"
}
-