Elisity Custom Connector

Elisity's Custom Connector enables the configuration of multiple data sources within Cloud Control Center in the form of device spreadsheet imports, enabling custom attributes to be ingested into IdentityGraph and leveraged in Policy Group match criteria.

Custom Connector behaves much like every other IdentityGraph Connector. Devices are discovered on Elisity-onboarded infrastructure, and each connector is scheduled for enrichment from all connected identity sources - including all configured data sources within Custom Connector. Each configured data source in Custom Connector will appear as a separate tile in the IdentityGraph view within Device Details.

Up to 8 data sources can be configured in Custom Connector for enrichment, each acting as an independent connector in IdentityGraph. Each data source supports up to 300,000 entries.

Configure Custom Connector

Login to Elisity Cloud Control Center and navigate to Settings > Connectors and select + Add Connector.

Select Configure on the Custom Connector tile in the list. 

On the Required Configuration tab, enter a Connector Name and enter a Description (optional). This is the name which will appear in the IdentityGraph enrichment source as "Custom Connector | <Connector Name>"

On this tab, you can also configure Custom Attributes by selecting + ADD NEW ATTRIBUTE - indicated by the arrow below. See the section on Adding Custom Attributes for details.

Customizing Connector Icons

Custom Connector icons improve visual recognition within Cloud Control Center by allowing administrators to upload custom branding or source-specific icons. These icons appear in the Connectors list and in IdentityGraph enrichment tiles, making it easier to identify and distinguish different data sources at a glance.

Uploading a Custom Icon

Step 1. Navigate to Settings > Connectors and select your Custom Connector from the list, or create a new connector by selecting + Add Connector.

Step 2. On the connector configuration page, locate the Logo Upload (Optional) section on the Required Configuration tab.

Step 3. The Logo Upload section displays preview modes for both light and dark themes. Select Click to upload or drag and drop your icon file into the upload area. Both file types (JPEG, PNG, GIF, SVG) and drag-and-drop are supported.

Step 4. After uploading, verify the icon displays correctly in both light and dark mode previews. Once satisfied, complete the connector configuration by clicking Add or Save.

Icon Display Locations

Once uploaded, custom icons appear in the following locations within Cloud Control Center:

• Connectors list in Settings (in the Connector column)
• IdentityGraph enrichment tiles showing data from the custom connector
• Device Details view when custom connector data is enriched

Configure Custom Connector Advanced Settings from the Advanced Settings tab. These settings explained in detail below.

Advanced Settings

Match Order

The Match Order setting in Custom Connector defines how Cloud Control Center matches discovered devices to records in the uploaded dataset. These records represent customer-defined device inventory — effectively serving as a lightweight, built-in CMDB within Elisity.

Each time a device is discovered, Cloud Control Center evaluates the record set using the selected match methods, in the defined order. Once a match is found, identity and metadata from the record are applied to the device.

Available Match Methods

• MAC + IP Address: Matches when both the discovered MAC and IP address align with a row in the uploaded data.

• MAC Address Only: Matches when the MAC address of the discovered device aligns with a record. Ideal for environments where MACs are globally unique.

• IP Address Only: Matches when the IP address aligns with a record. Use with caution if IP reuse or DHCP churn is common.

• Host Name: Matches when the discovered hostname aligns with the name field in a record. Useful when asset names are standardized and unique across the environment.

Behavior and Configuration

• Reorder match methods to define precedence using drag-and-drop.

• Enable/Disable methods using the + and trash icons.

• Matching stops at the first successful match (top-down evaluation).

This flexibility allows administrators to tailor the match logic based on the quality and consistency of attributes in their uploaded dataset.

Duplicate Device Detection

The Duplicate Device Detection setting determines how Cloud Control Center identifies duplicate records within the Custom Connector dataset. This setting is critical for managing how uploaded or merged data is handled when conflicts occur.

You can configure the duplicate check to use one of the following methods:

• MAC Address + IP Address: A record is considered a duplicate only if both the MAC address and IP address match an existing entry.

• MAC Address Only: A record is considered a duplicate if the MAC address matches, regardless of IP.

Behavior

• During Spreadsheet Upload: If duplicate rows are present in the uploaded file (based on the selected method), only the first occurrence is kept. Subsequent duplicate rows in the same upload are skipped.

• During Merge Operations: When merging new data into the existing dataset, any row identified as a duplicate (based on the selected method) will be skipped entirely. The existing record will be left unchanged — no data is overwritten or merged.

This logic ensures that duplicate records do not unintentionally overwrite existing entries, but it also means that administrators must ensure data consistency and accuracy before uploading or merging large datasets.

MAC Address Handling
Cloud Control Center standardizes MAC address formats in uploaded datasets to ensure consistent matching and enrichment across all sources.

Accepted Input Formats:

• 00:0a:95:9d:67:16 (colon-delimited)

• 00.0a.95.9d.67.16 (dot-delimited)

• 00-0a-95-9d-67-16 (dash-delimited)

• 000a959d6716 (no delimiter)

All accepted formats are automatically converted to a standardized colon-delimited format (00:0a:95:9d:67:16) during import.
Letter case is ignored during processing, and MAC addresses are normalized for accurate identity correlation and policy evaluation.

Query Exclusion Rules

Query Exclusion Rules allow you to restrict which discovered devices are evaluated against your uploaded dataset. This gives administrators control over when and where enrichment is performed, helping to eliminate noise from unreliable sources (like randomized MACs) or untrusted environments (like guest subnets).

You can exclude devices from being queried based on:

▸ Subnet

Enable this option to exclude devices that are attached from specific subnets. Devices in the selected subnets will not be queried against the connector dataset for enrichment or identity matching.

• Supports up to 100 subnets

• Useful for excluding infrastructure networks, guest VLANs, or temporary staging segments

▸ Virtual Edge Node

Exclude devices connected through specific Virtual Edge Nodes. This option is helpful when certain sites or switches are not part of your enrichment strategy.

• Supports up to 100 Virtual Edge Nodes

• Often used to suppress queries from lab sites or onboarding areas

▸ Random MAC

Enable this to automatically exclude devices using randomized MAC addresses (commonly seen on mobile devices, IoT, and BYOD endpoints). Since these MACs are ephemeral and often non-deterministic, they can cause data mismatches or unnecessary connector queries.

Note: Devices that meet any of the exclusion criteria above will be ignored during enrichment. These settings apply only to the querying process for enrichment — they do not affect how devices are discovered or visualized elsewhere in Cloud Control Center.

Connector Data Purging
When the Connector Data Purging feature is enabled, Cloud Control Center will purge all data learned about the device from this connector if the device is no longer found when querying the connected application. The time period between purge events is configurable and can be set between 1 and 90 days. The connector status will change from Up to Date to Stale if the device is no longer known by the connector but prior to the purge event. 

Configure timers from the Interval Settings tab.

Global Timer: The frequency at which Cloud Control Center queries the connected database for updates. You can select from 1 to 168 hours. It is recommended to leave this setting as the default value.

Initial Delay: The delay in seconds before Cloud Control Center initiates the first query to the connected database after initially discovering a new device. Default is 0 seconds. It is recommended to leave this setting as the default value.

Once the required and advanced settings are configured, select Add to create the Custom Connector. 

Adding Custom Attributes

Administrators can add Custom Attributes to capture additional device or system properties that are not included in the standard connector schema. These optional attributes can be added during connector creation or later by editing an existing connector. Up to 20 Custom Attributes can be configured per Custom Connector instance, enabling flexible representation of customer-specific data. Once defined, Custom Attributes become available in IdentityGraph, Policy Group Match Criteria, and import/export workflows for that connector instance.

Each Custom Connector instance can define:

• 15 String Value Attributes (Custom Attribute 1–15)

• 5 Integer Value Attributes (Custom Attribute 16–20)

These attributes can also be assigned Aliases, which determine how the attributes are displayed throughout the Elisity UI, including IdentityGraph, Policy Group configurations, and import/export templates.

Adding a Custom Attribute

To add a new Custom Attribute:

1. In Cloud Control Center, navigate to
   Settings → Connectors → Custom Connector Configuration.

2. In the Required Configuration tab, click + Add Custom Attribute.

3. In the Add New Attribute window, select one or more attributes from the available list.

• Custom Attribute 1–15 are of String type. Allows string values (e.g. "Region = North America") with appropriate conditional operators in Policy Group match criteria (e.g. contains, equals, does not equal, etc.)

• Custom Attribute 16–20 are of Integer type. Allows integer values (e.g. "Risk Score = 55") with appropriate conditional operators in Policy Group match criteria (e.g. '=' '<' '>').

4. Click Add to confirm the selection.

You can select multiple attributes simultaneously by checking the boxes next to the desired attributes.

After adding attributes, the configuration table displays the following columns:

• Attribute Name: The raw system name (e.g., customAttribute1)

• Attribute Alias: The name displayed in IdentityGraph and Policy UI. If not modified by the user, will apply default values (Custom Attribute 1, Custom Attribute 2, etc.) - see the following step.

• Data Type: Specifies whether the field is of type STRING or INTEGER

Editing Attribute Aliases

The Attribute Alias field defines how the attribute appears in Cloud Control Center and all front-end workflows, replacing the raw system name wherever possible.

To modify an alias:

1. Click the Edit icon next to the desired attribute.

2. Update the Alias field with the preferred display name.

3. Click the Save icon to confirm the change.

Changes to an alias are immediately reflected in the IdentityGraph view, Policy Group Match Criteria, and future imports/exports for the connector.

Implementation Behavior and Considerations

• Custom Attributes are defined per connector instance and are not global. Each Custom Connector can maintain its own alias configuration.

• By default, no attributes are pre-defined. Attributes only become active once they are added and configured within a connector.

• IdentityGraph and Policy Modules display the Alias instead of the raw attribute name wherever possible.

• Import and export operations reference the Alias value. If no alias is defined, the default attribute name (e.g., customAttribute1) will be used.

• If an alias is deleted or changed, associated Policy Groups and imports will automatically revert to using the raw attribute name until a new alias is defined.

• The XLS import template for each Custom Connector instance dynamically updates based on defined Custom Attributes and their aliases. This ensures that data uploaded aligns with the latest schema.

Best Practices

• Define and finalize Custom Attributes before uploading data to the connector. Creating a Custom Attribute will generate a new template with additional columns to accomodate the new attributes. This ensures import templates and field mappings remain consistent.

• Use clear, descriptive aliases that reflect the source data attribute (e.g., “Device Risk Level” instead of the default “Custom Attribute 1”).

• Avoid renaming aliases after data import or policy creation, as it can lead to temporary mismatches during synchronization.

By following these steps, administrators can extend Custom Connector functionality to accommodate unique data models across multiple sources, ensuring alignment between imported datasets and identity-based policy operations within Elisity Cloud Control Center.

Uploading and Managing Data in a Custom Connector

After creating a Custom Connector, navigate to Settings > Connectors in Cloud Control Center. From the list of connectors, select View on your connector to open the details page.

The connector details page displays two options for adding devices to your Custom Connector:

• Add Multiple Devices - Bulk spreadsheet upload (recommended for 10+ devices)
• Add Single Device - Individual device entry through the UI (for quick additions)

Spreadsheet Upload (Bulk Import)

Spreadsheet upload is the primary method for managing Custom Connector data and is recommended when:

• Adding or updating more than 10 devices at once
• Data originates from an external system (CMDB, asset database, etc.)
• You need version control of device inventories
• Regular periodic bulk updates are required

To upload devices via spreadsheet:

1. Click + ADD DEVICE and select Add Multiple Devices
2. The Device Inventory Upload dialog opens

Preparing the Spreadsheet

Download the sample spreadsheet by clicking DOWNLOAD SAMPLE. Make sure you have added any Custom Attributes prior to downloading the sample, as this ensures the template matches the required upload format exactly.

The uploaded spreadsheet must follow the exact format of the provided sample template. Columns may not be renamed, removed, or reordered. If formats do not align, device enrichment will not succeed.

When preparing your dataset, note the following limitations:

• Maximum of 300,000 devices per upload
• Optional text fields only support alphanumeric values, spaces, and these characters: + " [] , . - _ / & ()

Below is an example of a correctly formatted file for upload based on our previous configurations.

Uploading and Validation

Once your dataset is ready, upload the .xlsx file in the Device Inventory Upload dialog.

Cloud Control Center will analyze the file before committing changes:

• Valid entries are added to the connector dataset
• Duplicates are skipped, based on the connector's duplicate detection configuration
• Invalid entries are skipped if required fields are missing or formatting errors are detected

A summary report is displayed showing how many devices were successfully added, skipped as duplicates, or skipped due to errors.

Managing Updates

After data exists in the connector, you can choose how future uploads are applied. Two modes are available:

• Replace previous Devices and Attributes — Overwrites existing dataset with the contents of the new file. This removes all entries and replaces with an entirely new dataset.
• Merge Devices and Attributes — Adds new entries while skipping duplicates based on your duplicate detection settings. Ideal for adding additional devices to an existing dataset without removing existing entries.

This flexibility allows administrators to either completely refresh their dataset or incrementally add new records.

Managing Individual Devices

In addition to bulk spreadsheet uploads, Custom Connector supports managing devices on an individual basis through both the Cloud Control Center UI and the Elisity API. This capability is useful for:

• Guest device registration workflows - Add devices from registration forms without requiring spreadsheet uploads
• Quick corrections - Fix device attributes without re-uploading entire datasets
• One-time device additions - Add individual devices as needed
• Programmatic device management - Integrate device registration with external systems via API

Required Permissions

Managing Custom Connector device inventory requires specific RBAC privileges. Users must have the appropriate permissions to view or modify device records.

For detailed information on configuring RBAC roles and permissions, see the Role-Based Access Control (RBAC) Privilege Reference article.

Accessing Device Records

To view and manage individual devices in a Custom Connector:

1. Navigate to Settings → Connectors
2. Click on your Custom Connector name to view its details
3. The Devices and Attributes table displays all imported devices

Use the Search field to filter devices by any attribute.

Adding a Single Device

To add a new device manually through the UI:

1. Click the + ADD DEVICE button in the top right
2. Select Add Single Device from the dropdown menu
3. A new row appears at the top of the device table for inline entry
4. Enter the required MAC address in the format XX:XX:XX:XX:XX:XX

5. Fill in optional fields as needed (hostname, IP address, type, label, etc.)
6. Click the Save icon (checkmark) to create the device
7. Click the Cancel icon (X) to discard the entry

Editing an Existing Device

To modify a device's attributes through the UI:

1. Locate the device in the Devices and Attributes table
2. Click the Edit icon (pencil) in the Actions column
3. The row becomes editable with all fields available for modification

4. Update field values as needed
5. Click the Save icon (checkmark) to save changes
6. Click the Cancel icon (X) to discard changes

Deleting a Device

To remove a device from the Custom Connector:

1. Locate the device in the Devices and Attributes table
2. Click the Delete icon (trash) in the Actions column
3. A confirmation dialog appears

4. Click YES, DELETE to permanently remove the device
5. Click CANCEL to abort the deletion

Managing Devices via API

Custom Connector devices can be managed programmatically using the Elisity API. API-based operations follow the same validation rules and have the same immediate policy impact as UI-based changes.

Available Endpoints

Common use cases include guest registration portals, CMDB synchronization, automated provisioning, and custom enrollment applications.

For complete API documentation including authentication, request/response schemas, and error handling, refer to the Elisity API documentation or contact your Elisity support representative.

Best Practices

Maintain Backup Records

Export device data periodically using the Download icon, keep backup spreadsheets for disaster recovery, and document manual changes if required for compliance.

Policy Impact Awareness

Before making changes, verify which Policy Groups use Custom Connector attributes, test in non-production environments when possible, and communicate changes to security teams if devices may change Policy Groups.

API Integration

When integrating via API, implement error handling for validation failures, maintain audit logs of API-driven changes, and test integrations thoroughly before production deployment.

In addition to bulk spreadsheet uploads, Custom Connector supports managing devices on an individual basis through both the Cloud Control Center UI and the Elisity API. This capability is particularly useful for:

• Guest device registration workflows - Add devices from registration forms without requiring spreadsheet uploads
• Quick corrections - Fix device attributes without re-uploading entire datasets
• One-time device additions - Add individual devices as needed without maintaining spreadsheet files
• Programmatic device management - Integrate device registration with external systems via API
• Small-scale device inventories - Manage data sources with frequent individual changes

Verifying Device Enrichment

Once data has been uploaded, enrichment will appear on discovered devices in Cloud Control Center. In the Device Details view, attributes from the Custom Connector — such as hostname, vendor, model, category, and labels — will be displayed. The Matched Source field shows which method (e.g., MAC + IP, Host Name) was used to correlate the discovered asset with the connector record.

Devices added or modified through individual device management (via UI or API) are enriched in the same way as devices imported via spreadsheet upload. The Matched Source field displays the Custom Connector name for all devices from that connector, regardless of how they were added.

Leveraging Attributes in Policy Groups

As with all other IdentityGraph connectors, attributes from each configured Custom Connector are available as Policy Group match criteria. To leverage these attributes in Policy Group definitions, create or modify a Dynamic Policy Group, select the connector (Custom Connector | IT Devices in our case) and choose attributes you would like to use as match criteria. You can then verify if any discovered devices will match the Policy Group on creation.
 

Time-Based Access Control

Custom Connector supports time-based access control through the Access Start Date and Access End Date attributes. These attributes define a time window during which a device is considered active. Cloud Control Center evaluates these dates against the current time and exposes a computed boolean attribute — Time Based Access Active — that indicates whether a device is currently within its access window. This attribute is available as match criteria in Dynamic Policy Groups, enabling devices to automatically enter and exit Policy Groups based on their configured access schedule.

Configuring Access Start and End Dates

Access dates can be configured through CSV import or inline editing in the Cloud Control Center UI.

CSV Import

To include time-based access dates in a Custom Connector spreadsheet import, add Access Start Date and Access End Date as the last two columns in the CSV file, after all standard attributes (MAC, IP, Type, Hostname, FQDN, Label, Vendor, Model, Operating System, Description, Genre, Class, Owner Username, Owner Id). Values use ISO 8601 timestamp format.

Inline Editing

Access dates can also be configured directly in the Cloud Control Center UI. Navigate to Settings > Devices and Attributes for the Custom Connector data source. The table displays Start Time and End Time columns for each device. To edit these values:

1. Click the Edit icon (pencil) in the Actions column for the target device
2. Select the Start Time or End Time field to open the date/time picker
3. Use the calendar and time selector (hour, minute, AM/PM) to set the desired date and time
4. Click the Save icon to apply changes, or the Cancel icon (X) to discard

Devices without configured access dates display -- in the Start Time and End Time columns and are not evaluated for time-based access.

Time Based Access Active Attribute

Cloud Control Center automatically evaluates each device's Access Start Date and Access End Date against the current time and computes a boolean attribute called Time Based Access Active.

• When the current time falls within the configured access window (between Access Start Date and Access End Date), the attribute value is Yes (True).
• When the current time falls outside the configured access window, the attribute value is No (False).

This computed attribute is visible in the Device Details view under the IdentityGraph™ tab. It appears in the Custom Connector enrichment tile alongside all other attributes from that data source.

Using Time-Based Access in Policy Groups

The Time Based Access Active attribute is available as match criteria when creating or editing a Dynamic Policy Group. To use it:

1. Navigate to Policies > Policy Groups and create or edit a Dynamic Policy Group
2. In the Matching Criteria Configuration step, click + AND RULE to add a new condition
3. Select Time Based Access Active as the criteria, with the source set to the Custom Connector data source (e.g., Custom Connector | Healthcare Devices)
4. Set the value to True to match devices that are currently within their active access window

Combine Time Based Access Active with other AND or OR criteria — such as Type, Label, or Genre — for granular control over which devices match the Policy Group. As access windows open and close, devices automatically enter and exit the Policy Group based on the evaluated state of the Time Based Access Active attribute.