Skip to main content
Oleria’s Custom Application integration lets you connect any custom data source - an internal app, an HR system, a database - to Oleria without a native integration. You export your data as CSV files, upload them to an S3 bucket you control, and Oleria automatically reads, maps, and syncs the data on a recurring schedule.

How it works

How the Custom Application integration works

Prerequisites

  • An Amazon S3 bucket in your AWS account where you will upload your data.
  • AWS IAM admin access to add a bucket policy to that S3 bucket.
  • Your application’s data exported as CSV files (comma-separated values with a header row).
Use a dedicated S3 bucket or a scoped prefix within your bucket for Oleria data to limit access to only what is needed.

Set Up Your S3 Bucket

1

Create or identify your S3 bucket

Create or identify the S3 bucket you will use to share data with Oleria.
2

Organize your files

Organize your files inside the bucket using the following folder structure:S3 bucket folder structure
The config/ folder must contain exactly one .yaml file - Oleria discovers it automatically. The date-stamped folder under rawdata/ (e.g. startedat=2026-04-17T00:00:00Z) tells Oleria which data is new. Each time you export fresh data, create a new folder with the current timestamp. Oleria always picks the most recent one. If your data does not change frequently, you can place your CSV subfolders directly inside rawdata/ without a date-stamped folder.

Prepare Your CSV Files

Your CSV files must have a header row. The column names in the header are what you reference in the config.yaml file. Column names can be anything - you map them to Oleria’s fields in the config. Example users.csv:
Example roles.csv:
Example user_roles.csv (membership - which user has which role):

Create Your config.yaml

The config/config.yaml file maps your CSV columns to Oleria’s data model. Your Oleria Customer Success team can provide a starting config based on your data, or you can write it yourself using the format below.
Oleria will soon provide an automated way to analyze your CSV data and generate the config.yaml for you - no manual authoring required. Coming soon.

What object types can I map to?

Entity objects - use these for things like users, roles, and groups: Relationship objects - connect two entities together. Always use the links shorthand for these:

source.s3 fields

These fields go inside source.s3 in your config.yaml. They tell Oleria where your S3 data lives and how frequently to sync access data and activity logs.
applicationaccount and identity - Application & IdP users
role - Roles & permission sets
usergroup - Groups & teams
person - HR person records
employee - HR employee records
department - Departments & org units
activity_analysis - Audit logs & events
application_instance - IdP-managed applications

Minimum viable example

The simplest possible config - application users and roles, with a membership relationship:

Full example (HR system)

This example models an HR export with employees, departments, and org hierarchy:
Complete sample data - each includes a ready-to-use config.yaml and matching CSV files:

Grant Oleria Access to Your S3 Bucket

Oleria reads your data using a dedicated AWS IAM role. You need to add a bucket policy that allows this role to read your files.
Do not make your S3 bucket public. Oleria accesses your bucket securely using a private IAM role - no public access is required or recommended. Oleria only needs read-only access and will never write to, modify, or delete any files in your bucket. If this policy is not in place, your integration will appear connected in the UI but no data will be synced.
1

Get the Oleria IAM role ARN

Your Oleria Customer Success team will provide you with the exact IAM role ARN for your environment. The role follows this format:
2

Add a bucket policy

Go to your S3 bucket in the AWS ConsolePermissions tab → Bucket policyEdit, and paste the following policy. Replace the placeholders with your values and select Save changes.
3

Update the KMS key policy (if applicable)

If your S3 bucket is encrypted with a customer-managed KMS key, update the KMS key policy. Go to AWS KMS → select your key → Key policyEdit, and add the following statement:
Without this KMS policy, Oleria will not be able to decrypt and read your files even if the bucket policy is correctly configured.

Connect the Integration in Oleria

1

Open the integration

Go to your Oleria workspace, select Integrations → select Custom Application.Integrations page showing the Custom Application option
2

Complete the connection form

Fill in the connection form that appears:
  • Application Name - a label for this integration in Oleria. Use a name that describes your data source (for example: Lattice HR, Databricks Prod, Internal App).
  • S3 Data Path - the full S3 URL to the root folder of your data. This is the folder that contains your config/ and rawdata/ subfolders. Example: s3://your-bucket-name/your-prefix/ Connection form with Application Name and S3 Data Path fields
3

Authenticate

Select Authenticate. Oleria will verify it can reach your S3 bucket and read your configuration file.
4

Confirm the connection

Once connected, find your integration in the Connected Integrations section of the Integrations page. Oleria will sync based on the intervals defined in your config.yaml - by default, access data every 3 hours and activity logs every 1 hour. You can override these using rbac_sync_interval_hours and activity_sync_interval_hours in your config. Oleria will only process data when new files are available.Connected Integrations section showing Custom Application as active

Contact us

For questions about this integration, contact us at support@oleria.com.