Provider Connectors
Providers are external systems such as Entra ID, Active Directory, Okta, Workday, SAP, or CSV exports. Connectors are Roster-owned integrations that query providers and normalize records into the Roster database.
Connector Responsibilities
Connectors provide:
- provider connection configuration
- credential storage references
- cached directory user and group refresh
- normalized directory record data
- refresh checkpoint behavior
The worker refreshes cached directory records on configured schedules and stores runtime state in the database. It does not full-sync provider directories or import every upstream user, group, or group membership. For group records already attached to participants, it also refreshes the cached direct membership edges used by participant resolution.
Secret Handling
Provider credentials are outbound credentials. When provider_connection_secrets.storage = 'encrypted', runtime encryption and decryption use:

ROSTER_PROVIDER_SECRET_ENCRYPTION_KEY=<high-entropy-secret>
ROSTER_PROVIDER_SECRET_KEY_ID=env:prod-2026-05

The encryption key must be provided by the deployment environment or secret manager. Do not commit provider credentials.
CSV Data Volume
CSV connector files can be mounted into:

${ROSTER_DATA_DIR}/connectors/csv

Use durable storage and controlled file delivery for production CSV refreshes.
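
A deployment preflight for the settings in Secret Handling and CSV Data Volume, as an added example that is not part of Roster: it checks that both variables are set, that the key is not the documentation placeholder or an obviously weak value, and that the CSV mount exists and is not world-writable. The function names, the 32-character and 128-bit thresholds, and the world-writable check are assumptions of this example, not Roster requirements.

```python
import math
import os
import stat
import sys
from collections import Counter

# Assumed thresholds for this example; the Roster docs do not specify them.
MIN_KEY_CHARS = 32
MIN_TOTAL_ENTROPY_BITS = 128.0


def entropy_bits(secret):
    """Rough estimate: per-character Shannon entropy times length."""
    if not secret:
        return 0.0
    n = len(secret)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(secret).values())
    return per_char * n


def preflight(env):
    """Return a list of problems found in a Roster deployment environment."""
    problems = []
    key = env.get("ROSTER_PROVIDER_SECRET_ENCRYPTION_KEY", "")
    key_id = env.get("ROSTER_PROVIDER_SECRET_KEY_ID", "")
    if not key:
        problems.append("encryption key is not set")
    elif key.startswith("<") and key.endswith(">"):
        problems.append("encryption key is still a documentation placeholder")
    elif len(key) < MIN_KEY_CHARS or entropy_bits(key) < MIN_TOTAL_ENTROPY_BITS:
        problems.append("encryption key looks low-entropy")
    if not key_id:
        problems.append("key id is not set")
    data_dir = env.get("ROSTER_DATA_DIR")
    if data_dir:
        csv_dir = os.path.join(data_dir, "connectors", "csv")
        if not os.path.isdir(csv_dir):
            problems.append(f"CSV directory missing: {csv_dir}")
        elif os.stat(csv_dir).st_mode & stat.S_IWOTH:
            problems.append(f"CSV directory is world-writable: {csv_dir}")
    return problems


if __name__ == "__main__":
    found = preflight(os.environ)
    for problem in found:
        print("FAIL:", problem)  # messages never include the key itself
    sys.exit(1 if found else 0)
```

The entropy estimate is a heuristic that catches repeated or short values; it does not prove a key was generated by a secure random source.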