Click Application permissions and select Sites.Read.All.
4
Click + Add permissions > Microsoft SharePoint > Application permissions, then choose one of the following based on your security requirements:
Sites.FullControl.All (recommended) — lets the connector read the membership of every SharePoint group, including groups that restrict membership visibility. Choose this for complete access data.
Sites.Read.All (least privilege) — use this if your security policy doesn’t allow Sites.FullControl.All. With this permission the connector cannot read the membership of groups that restrict membership visibility, so you must also enable the skip-membership-restricted-groups flag. See the note below.
5
Save your changes.
About groups that restrict membership visibilitySome SharePoint groups have “Who can view the membership of the group” set to Group Members instead of Everyone. Only members of such a group (or an administrator) can list its members.
With Sites.FullControl.All: the connector reads these groups normally. Leave skip-membership-restricted-groups off — turning it on would skip those groups unnecessarily and you’d lose memberships you could otherwise sync.
With Sites.Read.All: the connector cannot read these groups. You must enable the skip-membership-restricted-groups flag (or set BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS=true). The connector then skips those groups and the sync completes normally. Without the flag, the sync fails when it reaches the first such group.
What the flag does: when enabled, it skips any SharePoint group whose membership visibility is restricted (regardless of the permission you granted), so those groups and their memberships are excluded from the sync.Enabling it on an existing connector: if the connector previously synced these groups (for example, while using Sites.FullControl.All), enabling the flag will remove those groups and their grants from C1 on the next sync, since they’re now excluded.
Next, you’ll create a self-signed certificate and a private key in PEM format using OpenSSL. The commands to create the certificate are the same regardless of your operating system.
1
Use the following command to create both a private key and a self-signed certificate. Be sure to replace your_domain_name with your actual domain or a descriptive name.
Next, you’ll be prompted to enter details for the certificate. The most crucial field here is the Common Name.For the Common Name, enter your domain (such as example.com).
3
Once the process is complete, two files will be created in your current directory:
your_domain_name.key: This is your private key
your_domain_name.crt: This is your self-signed certificate in PEM format
4
Upload the certificate to your application by navigating to Certificates & secrets > Certificates.
Done. Next, move on to the connector configuration instructions.
The Connector Administrator or Super Administrator role in C1
Access to the set of SharePoint credentials generated by following the instructions above
Cloud-hosted
Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for SharePoint and click Add.Don’t see the SharePoint connector? Reach out to support@c1.ai to add SharePoint to your Connectors page.
3
Choose how to set up the new SharePoint connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Paste the client ID into the Client ID field.
8
Paste the client secret into the Client secret field.
9
Paste the tenant ID into the Tenant ID field.
10
Enter your domain for the Microsoft Graph API in the Graph domain field. The default is graph.microsoft.com.
11
Upload your self-signed certificate to the PEM certificate field.
12
Upload the key for your certificate in the PEM key field.
13
Enter your SharePoint subdomain in the SharePoint domain field. (For example, enter subdomain if you access SharePoint at subdomain.sharepoint.com)
14
Click Save.
15
Finally, tell the connector where to find the identities that will be used for this app in C1.
In the Shared identity source area of the page, click Edit.
Select the connector from which you want to pull identities.
Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
Click Save.
16
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your SharePoint connector is now pulling access data into C1.
Follow these instructions to use the SharePoint connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
In C1, navigate to Integrations > Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new SharePoint connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.
# baton-sharepoint-secrets.yamlapiVersion: v1kind: Secretmetadata: name: baton-sharepoint-secretstype: OpaquestringData: # C1 credentials BATON_CLIENT_ID: <C1 client ID> BATON_CLIENT_SECRET: <C1 client secret> # SharePoint credentials BATON_AZURE_CLIENT_ID: <Azure client ID> BATON_AZURE_CLIENT_SECRET: <Azure client secret> BATON_AZURE_TENANT_ID: <Azure tenant ID> BATON_AZURE_GRAPH_DOMAIN: <Microsoft Graph API domain (default is graph.microsoft.com)> BATON_PEM_CERTIFICATE: <Base-64 encoded PEM certificate> BATON_PEM_CERTIFICATE_KEY: <Base-64 encoded private key> BATON_SHAREPOINT_DOMAIN: <SharePoint subdomain (for example, "subdomain" in "subdomain.sharepoint.com")> BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS: <Optional. Set to "true" when using Sites.Read.All to skip groups that restrict membership visibility. Leave unset/false when using Sites.FullControl.All.> BATON_EXTERNAL_SYNC_MODE: true BATON_EXTERNAL_RESOURCE_C1Z: <The path to the c1z file to sync external Baton resources with> BATON_EXTERNAL_RESOURCE_ENTITLEMENT_ID_FILTER: <Optional. The entitlement that external users, groups must have access to sync external Baton resources>
See the connector’s README or run --help to see all available configuration flags and environment variables.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the SharePoint connector to. SharePoint data should be found on the Entitlements and Accounts tabs.
Done. Your SharePoint connector is now pulling access data into C1.
