What's inside
Vendor catalog, wizard, tier-3 agent โ and the framework underneath.
Most IGA tools sell you a connector library. We sell you the framework that makes new connectors a one-week project โ and a wizard that lets admins onboard them without writing code.
7 SaaS apps via SCIM 2.0 โ live in <5 minutes
Slack, GitHub Enterprise, Atlassian Cloud, Okta SCIM apps, plus directories (Active Directory, OpenLDAP) and vendor-native engines (Microsoft Entra Graph, ServiceNow, Salesforce). One click on a vendor preselects the wizard with the right schema, suggested field mappings, and templates.
๐๏ธ Read-only by default
New target connectors land in visibility mode โ sync identities, accounts, and entitlements without configuring write-back. You see your access surface immediately; provisioning is opt-in, per attribute.
โก 5 minutes instead of 30
Skipping the write-path during initial setup means new targets onboard in ~5 minutes instead of ~30. Customers see the platform discovering their access before committing to provisioning mappings โ much faster path to "this is useful".
๐ Provisioning opt-in
Per-object write_enabled flag controls which targets
accept write-back. Most demos start read-only across the board;
customers enable writes for AD first (where the value is highest),
then expand once they trust the platform.
๐ IVIP mode for visibility-only tenants
Tenants on the ivip_visibility plan get the full
governance read surface (identities, grants, SoD, risk score,
recon) without any provisioning UI. Adopt RapidValue as your
visibility layer first, expand to write-back when ready.
From "click vendor" to "tested credentials" in 4 screens
Picking Entra ID in the catalog pre-loads the vendor template โ 6 object templates, default Graph endpoints, default auth method (OAuth2 client credentials). Steps 1โ6 are guided one-question-at-a-time. By step 7 the connection test runs against Graph and reports the count of accounts + entitlements found, plus a smart prompt: "is there an on-prem AD syncing into this tenant?" โ if yes, IGA auto-configures the routing.
Per-type governance โ not "sync everything"
Entra ID has 6 distinct account types (personal ยท B2B guests ยท disabled ยท privileged admin ยท service accounts ยท system accounts). The wizard asks which types you want and at which governance scope: full IGA workflows (JML + certs + requests), visibility-only (audit + reporting, no workflows), or excluded. Native Graph $filter generated automatically so each type is its own API call โ efficient at 50k+ tenants.
Classification + identity-match from the vendor catalog
For each account type the wizard pre-fills the classification filter (which accounts belong to this type) and the identity-match rule (which identity owns the account). 5 classification rules + 3 ownership rules populated automatically. Privileged admins detected by UPN prefix (a-, adm-, admin-). Service accounts (NHIs) detected by svc-/svc_ prefix. Refine post-onboarding via Systems โ Account Types โ Rules.
Standard + custom mappings ยท Jinja expressions ยท write-back
For each object the wizard generates standard attribute mappings (business_id, name, email, etc.) and supports custom mappings with Jinja expressions for derived values. By the activation step, 13 write-mappings + 3 lookups are configured for create / grant / revoke operations โ without you authoring a single line of JSON. Sync schedule defaults to 4-hourly (the IGA-healthy baseline).
Every connected target โ one operational dashboard
See engine type, health, record count, entitlement count, pending items, last sync. Test, preview, or open mappings for any connector in one click. Onboard a new system from here too โ same wizard.
Schedule every connector โ see what's queued
Per-connector sync schedules (cron-style or interval). Live view of upcoming runs, last completion, and last error. Manual trigger from the dashboard for any system.
Custom attributes, reference data, schema invariants
The schema registry holds tenant-defined custom properties (cost centers, locations, business units), reference catalogs that drive pickers across the UI, and schema invariants enforced at sync-time (e.g., "department must come from HR, never overridden by Entra").
Connect a system โ see your governance gaps
After your first sync, Quick Scan tells you what's broken: orphan accounts, NHIs without owner, high-confidence role proposals waiting, coverage gaps. Each surfaced problem links to the page where you'd fix it. The fastest way to demonstrate value in a POC.
Business-meaningful application records
Applications wrap connectors with business metadata: owner, criticality, data classification, regulatory scope. One application can have multiple connectors (prod + staging + sandbox), and entitlements roll up to the application for cross-environment governance.
