Skip to main content

BambooHR

The BambooHR integration provides integration with HR data such as group memberships, employment status, out of the office, location, etc.

caution

The external data sources we provide are meant to be examples and inspiration for users to create their own data sources. We won't maintain these integrations in perpetuity, and changes to the APIs they interact with may break them in the future.

The datasource project is open-source, and if the community wishes to provide contributions to keep it working in the future, we will shepherd those updates.

Install

  1. Create new BambooHR API key by navigating to Your profileAPI Keys, and adding a new API Key.

  2. In order to correctly parse dates returned by BambooHR API you will need to provide a time zone - either an UTC or IANA Time Zone database name, i.e. America/New_York.

These instructions assume a local testing environment using Docker Compose. Adjust as needed for your deployment environment.

  1. Add the datasource docker image to Docker Compose:

    version: "3"services:  bamboohr:    image: docker.cloudsmith.io/pomerium/datasource/datasource:main    command:      - bamboohr      - --bamboohr-api-key=$YOUR_API_KEY      - --bamboohr-subdomain=$YOUR_BAMBOOHR_SUBDOMAIN      - --bamboohr-time-zone=America/New_York      - --address=:8080    container_name: bamboohr    restart: always    expose:      - 8080
  2. Bring up the new container.

Configure External Data Source

BambooHR data connector exposes two API endpoints:

  • /employees/all returns all employees
  • /employees/available returns employees that are not currently out of the office due to vacation or other leave reasons.

To create new external data record:

  1. In the Pomerium Enterprise Console, navigate to CONFIGUREExternal Data and click + ADD EXTERNAL DATA SOURCE.

  2. Fill out the following fields:

    FieldContentNotes
    URLhttp://bamboohr:8080/employees/availableAdjust for the endpoint you'll write policies against.
    Record typepomerium.io/BambooHRAvailableAs above, adjust to somethinglike pomerium.io/BambooHRAll for the other endpoint.
    Foreign Keyuser.emailPomerium uses the users's email to associate IdP and Bamboo user entries.
  3. Click SAVE EXTERNAL DATA SOURCE.

  4. Define a new policy. The example policy below only allows access to the persons in the Marketing department and only when they are not on vacation.

    Example BambooHR Policy in the Builder view

Reference

The BambooHR data source provides the following record details; see BambooHR Field Reference for details.

  • department
  • division
  • status
  • first_name
  • last_name
  • country
  • state