ConductorOne · aldevv · Sep 24, 2025 · Sep 19, 2025 · Sep 22, 2025 · Sep 22, 2025
diff --git a/pkg/connector/license.go b/pkg/connector/license.go
@@ -17,9 +17,15 @@ import (
 )
 
 var licences = []string{creator, explorer, viewer, unlicensed}
+var licensesMap = map[string]string{
+	"creator":    creator,
+	"explorer":   explorer,
+	"viewer":     viewer,
+	"unlicensed": unlicensed,
+}
 var RolesPerLicense = map[string][]string{
-	creator:    {siteAdministratorCreator, creator},
-	explorer:   {siteAdministratorExplorer, explorerCanPublish, explorer, readOnly, siteAdministrator},
+	creator:    {creator, siteAdministratorCreator},
+	explorer:   {explorer, siteAdministratorExplorer, explorerCanPublish, readOnly, siteAdministrator},
 	viewer:     {viewer},
 	unlicensed: {unlicensed},
 }
@@ -105,6 +111,34 @@ func (l *licenseResourceType) Grants(ctx context.Context, resource *v2.Resource,
 	return rv, token, nil, nil
 }
 
+func (l *licenseResourceType) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
+	licenseName, ok := licensesMap[entitlement.Resource.Id.Resource]
+	if !ok {
+		return nil, fmt.Errorf("unknown license %s", entitlement.Resource.Id.Resource)
+	}
+	principalID := principal.Id.Resource
+
+	outputAnnotations := annotations.New()
+	err := l.client.UpdateUserSiteRole(ctx, principalID, licenseName)
+	if err != nil {
+		return outputAnnotations, fmt.Errorf("failed to grant %s license to user %s: %w", licenseName, principalID, err)
+	}
+
+	return outputAnnotations, nil
+}
+
+func (l *licenseResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	principalID := grant.Principal.Id.Resource
+
+	outputAnnotations := annotations.New()
+	err := l.client.UpdateUserSiteRole(ctx, principalID, unlicensed)
+	if err != nil {
+		return outputAnnotations, fmt.Errorf("failed to revoke license from user %s: %w", principalID, err)
+	}
+
+	return outputAnnotations, nil
+}
+
 func licenseBuilder(client *tableau.Client) *licenseResourceType {
 	return &licenseResourceType{
 		resourceType: resourceTypeLicense,

diff --git a/pkg/connector/site.go b/pkg/connector/site.go
@@ -3,6 +3,7 @@ package connector
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
@@ -123,9 +124,55 @@ func (o *siteResourceType) Grants(ctx context.Context, resource *v2.Resource, pt
 	return rv, "", nil, nil
 }
 
+func (o *siteResourceType) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
+	roleName, err := parseRoleFromEntitlementID(entitlement.Id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse role from entitlement ID: %w", err)
+	}
+	principalID := principal.Id.Resource
+
+	var apiRoleName string
+	for key, value := range roles {
+		if value == roleName {
+			apiRoleName = key
+			break
+		}
+	}
+
+	if apiRoleName == "" {
+		return nil, fmt.Errorf("unknown role: %s", roleName)
+	}
+
+	err = o.client.UpdateUserSiteRole(ctx, principalID, apiRoleName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to grant %s role to user %s: %w", roleName, principalID, err)
+	}
+
+	return nil, nil
+}
+
+func (o *siteResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	principalID := grant.Principal.Id.Resource
+
+	err := o.client.UpdateUserSiteRole(ctx, principalID, unlicensed)
+	if err != nil {
+		return nil, fmt.Errorf("failed to revoke site role from user %s: %w", principalID, err)
+	}
+
+	return nil, nil
+}
+
 func siteBuilder(client *tableau.Client) *siteResourceType {
 	return &siteResourceType{
 		resourceType: resourceTypeSite,
 		client:       client,
 	}
 }
+
+func parseRoleFromEntitlementID(entitlementID string) (string, error) {
+	parts := strings.Split(entitlementID, ":")
+	if len(parts) != 3 {
+		return "", fmt.Errorf("invalid entitlement ID: %s", entitlementID)
+	}
+	return parts[2], nil
+}
diff --git a/pkg/tableau/client.go b/pkg/tableau/client.go
@@ -426,3 +426,37 @@ func (c *Client) RemoveUserFromSite(ctx context.Context, userId string) error {
 
 	return nil
 }
+
+func (c *Client) UpdateUserSiteRole(ctx context.Context, userId string, siteRole string) error {
+	url, err := buildResourceURL(c.baseUrl, "/sites/"+c.siteId+"/users", userId)
+	if err != nil {
+		return err
+	}
+	var res struct {
+		User User `json:"user"`
+	}
+
+	requestBody, err := json.Marshal(map[string]interface{}{
+		"user": map[string]interface{}{
+			"siteRole": siteRole,
+		},
+	})
+
+	if err != nil {
+		return err
+	}
+
+	if err := c.doRequest(ctx, url, &res, nil, requestBody, http.MethodPut); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func buildResourceURL(baseURL string, endpoint string, elems ...string) (string, error) {
+	joined, err := url.JoinPath(baseURL, append([]string{endpoint}, elems...)...)
+	if err != nil {
+		return "", fmt.Errorf("invalid URL: %w", err)
+	}
+	return joined, nil
+}