⚖️ Governance

Access decisions in business language.

Self-service requests with multi-step approval chains. Role mining that proposes opportunities — "12 people in Finance share this access, formalize it" — instead of algorithm metrics. Visual policy authoring with live preview.

What's inside

Approvals, role mining, SoD — one unified flow.

Everything that decides who-gets-what lives here. From the employee requesting access to the manager approving it, the security gate catching an SoD conflict, and the role mining engine proposing the pattern they all share — same data model, same audit chain.

Self-service access requests
Approvals queue

My requests, requests for me, all-tenant — one queue

Approvers see only what they're responsible for. Each request shows the full chain — who already approved, who's next, why the SoD check passed or flagged. Decision metadata is captured for the audit chain.

Active approvals

Visual approval-chain tracking

Operators see every in-flight request with its current step, quorum status, time-to-deadline, and routing rationale. Filter by approver role, target system, or rule that matched. Re-route stuck requests without breaking the audit trail.

Approval rules & policies
Approval rules

Multi-step chains with quorum semantics

Manager → Security team (any-1-of) → Resource owner. Quorum types: all, any, n-of-m. Conditions evaluated server-side with the shared filter DSL. Stop-on-first-match priority ordering so rules don't cascade unpredictably.

Policies

Auto-grant policies + birthright access

Access-grant policies that say "everyone in Finance gets app X, role Y". They evaluate continuously — when someone joins Finance, their access updates automatically. When they leave Finance, the policy revokes it. No manual maintenance.

Policy wizard

Guided policy authoring — no DSL knowledge required

Visual builder walks admins through condition selection, target resources, and approval routing. Live preview shows who'd be affected before you save. The shared filter DSL underneath is audit-friendly and version-controlled.

Business role mining
Role mining proposals

Opportunities, not algorithm metrics

Mining surfaces proposals in plain language: "40 people in 'RapidValue NV' share this access. Formalize as a role — reduces 16 ungoverned grants." Confidence + impact + cohort size displayed up front. One-click formalize.

Roles catalog

Business roles + application roles + birthright

One taxonomy for all role types. Business roles bundle entitlements for a function ("Finance analyst"). Application roles wrap target-side groups. Each role has its own re-cert cadence, membership model, and ownership.

SoD & transfer rules
SoD rules

Separation of duties — preflight + continuous

SoD checks run before grants are submitted (preflight) and on a schedule across existing access (continuous). Toxic combinations are blocked or routed to compensating control. The conflict surface shows you who has what conflicting pairs and why.

Transfer rules

Department change → access recalculated

When someone changes department or job title, transfer rules govern what stays, what gets revoked, what gets granted, and what fires a smart-cert review. The new manager confirms; the old access doesn't silently linger.

Entitlement catalog
Entitlements

Every permission, every system, owner-attributed

Entitlements imported from target systems become first-class objects with owner, description, risk rating, and review cadence. Group them into business-meaningful roles or expose them in the self-service catalog for direct requests.


Why governance matters

The cost of access drift.

💸 €40K/yr in unused SaaS seats

Average mid-market company over-licenses by 18% because nobody owns the question "does this person still need this?". Role mining + continuous certs reclaim those seats automatically.

⚖️ SoD violations caught preflight

Approving "Bank approver" + "Payment requester" on the same identity is a finding waiting to happen. SoD preflight blocks it at request time — not in next quarter's audit.

🎯 70% fewer access tickets

Self-service catalog + auto-grant policies cover the common cases. Helpdesk only sees exceptions. Approvers spend less time stamping predictable requests and more time on real decisions.

📊 Business-readable mining

"12 people in Finance share this access" beats "coverage 87%". Mining output is something a director understands without a training course — and acts on with a single click.

Run mining against your own access patterns.

Connect a target. Run mining. See real opportunities surfaced in business language — typically 8–15 high-confidence proposals in the first hour.

Book a POC demo →
EU-hosted · No installation footprint · Walks away cleanly if you don't convert