Authoryn
Modern Identity Control Plane

How it works

Visibility first, then controlled elevation

Start with inventory and owners, then grant time-bound access where policy allows. JIT write-back runs on GitHub, AWS, Entra, and Okta, each limited to allowlists you configure.

01 Ingest assignments

Connectors pull from GitHub, AWS IAM, Entra, and Okta. Privileged grants are matched against allowlists, not guessed by a model.

02 Flag standing and ownerless

Grants without an expiry date and grants without an owner show up in tables. Severity follows rules you configure.

03 Assign owners

Someone accountable gets attached to each privileged grant. Ownerless high-severity items stay visible until that happens.

04 Request, approve, expire

Request temporary access on an allowed target. Another person approves. The grant revokes on schedule and each step is logged.
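Steps 01 to 03 above, as an added example that is not Authoryn's code: a small Python model in which a grant counts as privileged only when it matches an allowlist entry, grants with no expiry or no owner are flagged, severity follows explicit rules, and assigning an owner appends an event to a log. The allowlist triples, field names, severity rules and sample grants are all assumptions constructed for this example; the real rule set is whatever the operator configures.

```python
"""Added example (not Authoryn's code): a minimal model of steps 01-03.

Privilege is decided by membership in an operator-configured allowlist, never
inferred. Field names, allowlist contents and the sample grants are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed allowlist: (provider, target, role) triples an operator marks as privileged.
PRIVILEGED_ALLOWLIST = {
    ("github", "acme/payments", "admin"),
    ("aws", "arn:aws:iam::111122223333:policy/AdministratorAccess", "attached"),
    ("entra", "Global Administrator", "member"),
}


@dataclass
class Grant:
    provider: str
    principal: str
    target: str
    role: str
    owner: Optional[str] = None
    expires_at: Optional[datetime] = None

    @property
    def privileged(self) -> bool:
        # Step 01: matched against the allowlist, not guessed by a model.
        return (self.provider, self.target, self.role) in PRIVILEGED_ALLOWLIST

    @property
    def standing(self) -> bool:
        # Step 02: a grant with no expiry date is standing access.
        return self.expires_at is None

    @property
    def ownerless(self) -> bool:
        return self.owner is None


def severity(g: Grant) -> str:
    """Rule-based severity (High / Medium / Low / None), checked in this order.
    The rule set is an assumption for this example."""
    if not g.privileged:
        return "None"
    if g.standing and g.ownerless:
        return "High"
    if g.standing or g.ownerless:
        return "Medium"
    return "Low"


def triage(grants):
    """Step 03 view: privileged grants that still need an owner, most severe first."""
    order = {"High": 0, "Medium": 1, "Low": 2, "None": 3}
    needs_owner = [g for g in grants if g.privileged and g.ownerless]
    return sorted(needs_owner, key=lambda g: order[severity(g)])


def assign_owner(g: Grant, owner: str, log: list) -> Grant:
    """Step 03: attach an accountable owner and record it in an append-only log."""
    log.append({"event": "owner_assigned", "principal": g.principal,
                "target": g.target, "owner": owner})
    g.owner = owner
    return g


# Constructed sample grants.
SAMPLE = [
    Grant("github", "alice", "acme/payments", "admin"),                        # privileged, standing, ownerless
    Grant("github", "bob", "acme/payments", "admin", owner="sec-lead",
          expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc)),                # privileged, time-bound, owned
    Grant("github", "carol", "acme/docs", "write"),                             # not on the allowlist
    Grant("entra", "dave", "Global Administrator", "member", owner="it-ops"),   # privileged, standing, owned
]

if __name__ == "__main__":
    for g in SAMPLE:
        print(g.provider, g.principal, g.target, severity(g))
    log = []
    for g in triage(SAMPLE):
        assign_owner(g, "platform-team", log)
    print(log)
```

The point of the allowlist check is that a grant to `acme/docs` with `write` is "None" no matter how it is worded, while a match on `acme/payments` with `admin` is privileged regardless of who holds it; only the operator's allowlist decides.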

What ships today

Current pilot builds, aligned with our claims ledger. Grouped by what buyers usually ask about first.

Visibility & governance

  • Connectors: GitHub, AWS IAM (+ Identity Center read-only), Entra, Okta (configured groups)
  • ServiceNow CMDB connector for app-owner alignment and drift signals
  • Privileged and ownerless detection via allowlists
  • Rule-based risk severity (High / Medium / Low / None)
  • Policy simulator on Risk Overview (preview grant classification)
  • Human owner assignment on privileged grants
  • Identity anchor (Entra or Okta) and cross-provider correlation
  • Append-only evidence log, audit report packs (CSV), and connector sync history
  • AI triage panel (rule-based scoring; optional Azure OpenAI for NL queries)
  • Tenant hardening recommendations checklist for operators

JIT, lifecycle & guests

  • JIT write-back: GitHub repo admin; AWS managed policies; Entra group member or directory role; Okta group member
  • Multi-stage approval in-product, hybrid, or ITSM-only
  • Risk-adaptive JIT approval when triage severity warrants an extra stage
  • Named JIT bundles in the access request form
  • Approver inbox on dashboard and mobile-friendly queue for pending items
  • Approver email notifications when SMTP or SendGrid is configured
  • Required expiry, auto-revoke worker, manual revoke
  • Standing-to-JIT migration plans (propose, approve, execute)
  • Lifecycle access termination (preview, plan, execute; ITSM approve path)
  • Guest and contractor onboarding (Entra B2B, Okta basic, sponsor UI)
  • Access recertification with on-demand and optional scheduled campaigns

Integrations & platform

  • Scoped integration API keys (master, request, approve) with in-UI generation
  • ITSM approve/reject API, lifecycle termination callbacks, and outbound webhooks
  • SIEM evidence export: webhooks, HMAC, retries, presets, and scheduled bulk export (JSONL or Azure Blob)
  • Pipeline readiness probe and allowlisted deploy-bot JIT
  • NuGet and TypeScript integration clients for scripted flows
  • Integrations OpenAPI documentation for `/integrations/*` endpoints
  • Governance user SSO and RBAC (requester / approver / viewer / sponsor)
  • Platform operator OIDC, bootstrap setup, forced password change, admin settings hubs
  • Integration health dashboard (sync freshness, webhooks, email delivery)
  • Optional Azure Key Vault or HashiCorp Vault for connector secrets; outbound HTTPS proxy
  • Access revocation options (session terminate, IdP disable, governance suspend)
  • Platform feature switches (JIT automation, AI, evidence export)

Still out of scope

  • JIT and ingestion are allowlist-scoped per provider.
  • No SoD engine, role mining, or HR lifecycle.
  • No effective-permission simulation across AWS SCPs or org-wide policy.
  • Okta sync covers configured security groups, not the full app catalog.
  • Mobile approver inbox is web-only; native push notifications are not shipped.

Fewer knobs on purpose

Flows are fixed so they stay auditable. Allowlists and policies live in config the same way you would manage other platform settings. The UI reads the same APIs you would call from a script.

Typical demo (about five minutes)

  1. Show an ownerless privileged GitHub grant
  2. Assign an owner (logged as an event)
  3. Request JIT on a repo
  4. Approve as someone else; wait for expiry
  5. Pull up the evidence for the whole flow

Also works with

ITSM, SIEM, and pipelines

Inventory and JIT are the core product. If you already run change tickets, a SIEM, or gated deploy pipelines, there are webhooks and APIs to hook in. Authoryn is not trying to replace ServiceNow.

ITSM & change management

Keep approvals in ServiceNow or Jira if that is how your org works. Authoryn sends a webhook when external sign-off is required; your middleware opens the ticket and calls back to approve or reject.

  • Webhooks on JIT and lifecycle termination events
  • Inbound integration API with scoped keys (request vs approve)
  • Hybrid policies: owner approves in-product, security stage in ITSM
  • Manual in-product fallback when ITSM is down (per policy)
  • No ServiceNow or Jira plugin. You wire the HTTP calls.

SIEM & evidence export

Push governance events to Splunk, Sentinel, or any HTTP endpoint. Payloads are signed, deliveries are retried, and presets select which events go out, so security alerts do not turn into a full audit firehose.

  • Webhook subscriptions with optional HMAC
  • Scheduled bulk export to local JSONL or Azure Blob
  • Structured envelope for discovery, ownership, connector, and JIT events
  • Retries and dead-letter status in the UI
  • You run the receiver. We do not host a SIEM.
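Both the ITSM section (your middleware receives a webhook and calls back) and the SIEM section (signed payloads, retries, you run the receiver) put an HTTP receiver on your side. The following is an added example, not Authoryn's code, of the two checks that receiver should do before acting: verify the HMAC over the raw body with a constant-time comparison, and treat a redelivered event id as a duplicate so the sender's retry loop stops without a second ticket or a second SIEM record. The header name `X-Signature`, the hex HMAC-SHA256 scheme, the envelope fields `id` and `event`, and the event names are all assumptions constructed for this example; take the real ones from the product's integration documentation.

```python
"""Added example (not Authoryn's code): receiver for HMAC-signed governance webhooks.

Assumed (constructed) wire format: X-Signature header = hex HMAC-SHA256 of the raw
body; JSON envelope with "id" and "event"; retries resend the same id.
"""
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-shared-secret"  # per-subscription secret in a real deployment


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature_header: str, secret: bytes = SHARED_SECRET) -> bool:
    # Sign the raw bytes as received (never a re-serialised copy of the JSON) and
    # compare in constant time so the check does not leak through timing.
    expected = sign(body, secret)
    return hmac.compare_digest(expected, signature_header or "")


def route(envelope: dict) -> str:
    """Where an accepted event goes (action names are constructed for the example)."""
    if envelope["event"].startswith("jit."):
        return "open_itsm_ticket"   # ITSM path: open the ticket, later call back approve/reject
    return "forward_to_siem"        # SIEM path: hand the envelope to the log pipeline


class WebhookReceiver:
    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen = set()     # delivered event ids, so retries are idempotent
        self.accepted = []    # (action, envelope) pairs handed downstream

    def handle(self, body: bytes, signature_header: str) -> tuple:
        """Return (HTTP status, reason). 401 on a bad signature, 400 on a malformed
        envelope, 200 for duplicates so the sender stops retrying."""
        if not verify(body, signature_header, self.secret):
            return 401, "bad signature"          # checked before the body is parsed
        try:
            envelope = json.loads(body)
            event_id, _event = envelope["id"], envelope["event"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed envelope"
        if event_id in self.seen:
            return 200, "duplicate"
        self.seen.add(event_id)
        self.accepted.append((route(envelope), envelope))
        return 200, "accepted"


# Constructed sample delivery.
SAMPLE_BODY = json.dumps({"id": "evt-1001", "event": "jit.approval_required",
                          "target": "github:acme/payments", "requester": "alice"}).encode()
SAMPLE_SIG = sign(SAMPLE_BODY)

if __name__ == "__main__":
    rx = WebhookReceiver()
    print(rx.handle(SAMPLE_BODY, SAMPLE_SIG))   # first delivery
    print(rx.handle(SAMPLE_BODY, SAMPLE_SIG))   # retry of the same event id
    print(rx.handle(SAMPLE_BODY, "00" * 32))    # forged or corrupted signature
```

Returning 200 for a duplicate is deliberate: a 5xx would keep the event in the sender's retry queue and eventually show up as dead-lettered in the UI, even though you already processed it.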

Pipeline & CI/CD

Allowlisted automation accounts can request time-bound elevation from a deploy pipeline. A readiness check can confirm the grant is active before a production step runs.

  • Readiness API for active JIT grants
  • Allowlisted deploy-bot identities with policy gates
  • NuGet and TypeScript clients for scripted request-and-wait
  • Production stays gated. This is not auto-approve for everything.
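The request-and-wait step described above, as an added example that is not Authoryn's client code: a pipeline-side poll of a readiness probe that lets the production step run only on a confirmed active grant and fails closed on a timeout, a denial, or a probe error. The probe is injected as a callable so the loop runs offline; in a real pipeline it would call the readiness API with the deploy-bot's scoped key. The status names and the scripted probe are assumptions constructed for this example.

```python
"""Added example (not Authoryn's code): wait for a JIT grant before a gated step.

The probe callable, status names ("pending", "active", "denied", ...) and the
backoff schedule are assumptions for this example.
"""
import time


def wait_for_grant(probe, grant_id: str, timeout_s: float,
                   sleep=time.sleep, clock=time.monotonic) -> bool:
    """Poll until the probe reports the grant active.

    Returns True only on a confirmed active grant. A definitive no (denied,
    revoked, expired), a probe error that persists, or a timeout returns False,
    so the production step stays gated."""
    deadline = clock() + timeout_s
    delay = 1.0
    while True:
        try:
            status = probe(grant_id)
        except Exception:           # network or auth failure: treat as unknown, keep polling
            status = "error"
        if status == "active":
            return True
        if status in ("denied", "revoked", "expired"):
            return False            # a definitive no: stop polling
        if clock() >= deadline:
            return False            # still pending at the deadline: fail closed
        sleep(delay)
        delay = min(delay * 2, 30.0)   # back off; an approver is a human in the loop


def scripted_probe(statuses):
    """Constructed stand-in for the readiness API: returns the statuses in order,
    then repeats the last one."""
    it = iter(statuses)
    last = [statuses[-1]]

    def probe(_grant_id):
        try:
            last[0] = next(it)
        except StopIteration:
            pass
        return last[0]
    return probe


if __name__ == "__main__":
    ok = wait_for_grant(scripted_probe(["pending", "pending", "active"]),
                        "grant-demo", timeout_s=60, sleep=lambda s: None)
    print("proceed to production step" if ok else "stop: grant not active")
```

The only path that returns True is a status of `active`; everything else, including an exception from the probe, ends in a refusal once the deadline passes. That is what keeps "request-and-wait" from degrading into auto-approve when the control plane is unreachable.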

Integration is HTTP on your side: middleware, a function, or a pipeline step. No packaged ServiceNow app.