A Python + Flask platform simulating SailPoint IdentityIQ-style Identity & Access Management — built to demonstrate enterprise IAM concepts including Lifecycle Management, RBAC, Access Certifications, SoD enforcement, AI Risk Scoring, Non-Human Identity management, and Just-In-Time access.
Author: Gaurav Gurbani
Stack: Python · Flask · SQLAlchemy · SQLite/MS SQL · REST API
Version: 2.0.0
| Feature | Description |
|---|---|
| 🔁 Lifecycle Management | Joiner / Mover / Leaver workflows with auto-provisioning |
| 🎭 RBAC Engine | Role → Entitlement mapping across 7 business roles |
| 📝 Access Requests | Single + Bulk CSV requests with approval workflow |
| 🚫 SoD Enforcement | Automatic conflict detection before any provisioning |
| 📋 QAR Certification | Quarterly Access Review with SOX/PCI compliance reports |
| 🤖 AI Risk Scoring | ML-style risk engine scoring every identity 0–100 |
| 👻 NHI Manager | Service accounts, API tokens, bots with expiry tracking |
| ⏱️ JIT Access | Time-limited role grants with automatic expiry |
| 🧠 IAM Copilot | AI agent — ask anything in natural language |
| 📜 Audit Trail | Immutable SOX/PCI audit logs for every action |
```text
iam-governance-simulator/
├── app.py                  # Flask app factory
├── config.py               # DB configuration
├── extensions.py           # Shared SQLAlchemy instance
│
├── models/                 # Database tables
│   ├── user.py             # Identity object
│   ├── role.py             # Role + UserRole (RBAC)
│   ├── entitlement.py      # Fine-grained permissions
│   ├── audit_log.py        # Immutable audit trail
│   ├── access_request.py   # Access request tracking
│   ├── certification.py    # QAR campaigns
│   ├── risk_score.py       # AI risk scores
│   ├── nhi.py              # Non-Human Identities
│   └── jit_access.py       # Just-In-Time grants
│
├── workflows/              # SailPoint LCM-style logic
│   ├── joiner.py
│   ├── mover.py
│   └── leaver.py
│
├── routes/                 # REST API blueprints
│   ├── user_routes.py
│   ├── lifecycle_routes.py
│   ├── access_routes.py
│   ├── certification_routes.py
│   ├── audit_routes.py
│   ├── risk_routes.py
│   ├── nhi_routes.py
│   ├── jit_routes.py
│   └── copilot_routes.py
│
├── utils/
│   ├── logger.py           # SOX/PCI audit logger
│   ├── sod_engine.py       # SoD conflict detection
│   └── risk_engine.py      # AI risk scoring engine
│
├── integrations/
│   └── mock_connectors.py  # AD, Entra, GitHub, ServiceNow, Salesforce, AWS
│
├── policies/
│   └── sod_rules.json      # SoD conflict rules
│
└── templates/
    └── index.html          # Full dashboard UI
```
```bash
# 1. Clone
git clone https://github.com/<your-username>/iam-governance-simulator.git
cd iam-governance-simulator

# 2. Virtual environment
python -m venv venv
venv\Scripts\activate       # Windows
source venv/bin/activate    # Mac/Linux

# 3. Install
pip install -r requirements.txt

# 4. Run
python app.py
```

Open http://localhost:5000
`POST /api/lifecycle/joiner`

```json
{
  "username": "john.doe",
  "full_name": "John Doe",
  "email": "[email protected]",
  "department": "Engineering"
}
```

Auto-provisions: AD account → Entra ID → GitHub → AWS → ServiceNow ticket
`POST /api/lifecycle/mover`

```json
{ "username": "john.doe", "new_department": "Finance" }
```

Revokes old role → SoD check → Assigns new role → Updates AD groups
`POST /api/lifecycle/leaver`

```json
{ "username": "john.doe" }
```

Revokes all roles → Deprovisions all 6 systems → SOX evidence generated
```json
{
  "Finance_User": ["Finance_Approver"],
  "HR_Admin": ["Payroll_Approver"],
  "IT_Admin": ["Viewer"]
}
```

Any request that would combine a role with one of its listed conflicting roles is automatically given the status `BLOCKED_SOD` instead of being provisioned.
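The following is an added example, not code from this repository, showing how the SoD rule shape above and the mover flow (revoke old role → SoD check → assign new role) fit together in a single in-memory check. The function and class names, the department-to-role mapping and the audit record layout are assumptions of this example; the rule set is the page's own excerpt. It treats each rule as symmetric, so a user holding `Finance_Approver` is blocked from `Finance_User` just as the reverse is, which is the check a reviewer would expect of an SoD engine even though the JSON only lists each pair once.

```python
"""Added example: SoD conflict check driving a mover workflow (not the project's code)."""
from dataclasses import dataclass, field

# Same shape as policies/sod_rules.json above: role -> roles it must not be combined with.
SOD_RULES = {
    "Finance_User": ["Finance_Approver"],
    "HR_Admin": ["Payroll_Approver"],
    "IT_Admin": ["Viewer"],
}

# Assumed default birthright role per department (the page does not define this mapping).
DEPARTMENT_ROLE = {"Engineering": "IT_Admin", "Finance": "Finance_User", "HR": "HR_Admin"}


@dataclass
class Identity:
    username: str
    department: str
    roles: set = field(default_factory=set)


def conflicting_roles(rules, held_roles, requested_role):
    """Return the held roles that conflict with requested_role.

    Rules are applied symmetrically: "A": ["B"] blocks A when B is held and
    blocks B when A is held, so the order roles were granted in does not matter.
    """
    conflicts = set()
    for role, toxic in rules.items():
        if role == requested_role:
            conflicts.update(r for r in toxic if r in held_roles)
        elif requested_role in toxic and role in held_roles:
            conflicts.add(role)
    return conflicts


def request_role(identity, requested_role, rules=SOD_RULES, audit=None):
    """Evaluate a role request. Returns (status, sorted conflicts) and appends an audit record.

    The SoD check runs before any assignment, so a blocked request never touches roles.
    """
    audit = audit if audit is not None else []
    conflicts = conflicting_roles(rules, identity.roles, requested_role)
    if conflicts:
        status = "BLOCKED_SOD"
    else:
        identity.roles.add(requested_role)
        status = "APPROVED"
    audit.append({
        "user": identity.username,
        "action": "request_role",
        "role": requested_role,
        "status": status,
        "conflicts": sorted(conflicts),
    })
    return status, sorted(conflicts)


def mover(identity, new_department, rules=SOD_RULES, audit=None):
    """Mover: revoke the old department role first, then SoD-check and assign the new one.

    Revoking before checking matters: the old role must not count against the new one.
    """
    audit = audit if audit is not None else []
    old_role = DEPARTMENT_ROLE[identity.department]
    identity.roles.discard(old_role)
    audit.append({"user": identity.username, "action": "revoke_role", "role": old_role, "status": "REVOKED"})
    identity.department = new_department
    return request_role(identity, DEPARTMENT_ROLE[new_department], rules, audit)


if __name__ == "__main__":
    trail = []
    john = Identity("john.doe", "Engineering", {"IT_Admin"})
    print(request_role(john, "Viewer", audit=trail))      # ('BLOCKED_SOD', ['IT_Admin'])
    print(mover(john, "Finance", audit=trail), john.roles)  # ('APPROVED', []) {'Finance_User'}
    for record in trail:
        print(record)
```

Two points carry over to a real deployment: the conflict check must run on the full set of roles the identity will hold after the change (hence revoke-then-check in `mover`), and the audit record should capture the conflicting roles, not just the status, so a certification reviewer can see why a request was blocked.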
`POST /api/jit/grant`

```json
{
  "username": "john.doe",
  "role_name": "IT_Admin",
  "hours": 2,
  "justification": "Emergency production fix"
}
```

Role is automatically revoked after 2 hours.
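As an added example (not the project's `jit_access.py` or `jit_routes.py`), the block below shows the two halves of time-limited access that the request above implies: validating and recording a grant with an explicit expiry, and an expiry sweep that revokes grants whose time has run out. Class and function names, the maximum grant length and the "expired exactly at the boundary" rule are assumptions of this example; the clock is injected so the behaviour can be checked without waiting two hours.

```python
"""Added example: JIT role grant with automatic expiry (not the project's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT_HOURS = 8  # assumed policy ceiling; the page does not state one


@dataclass
class JitGrant:
    username: str
    role_name: str
    justification: str
    granted_at: datetime
    expires_at: datetime
    active: bool = True


def validate_request(hours, justification, max_hours=MAX_GRANT_HOURS):
    """Return a list of problems with a JIT request; empty means acceptable."""
    problems = []
    if not isinstance(hours, int) or not 0 < hours <= max_hours:
        problems.append(f"hours must be an integer between 1 and {max_hours}")
    if not justification or not justification.strip():
        problems.append("justification is required")
    return problems


class JitStore:
    """In-memory stand-in for the jit_access table."""

    def __init__(self):
        self.grants = []

    def grant(self, username, role_name, hours, justification, now=None):
        problems = validate_request(hours, justification)
        if problems:
            raise ValueError("; ".join(problems))
        now = now or datetime.now(timezone.utc)
        g = JitGrant(username, role_name, justification.strip(), now, now + timedelta(hours=hours))
        self.grants.append(g)
        return g

    def active_roles(self, username, now=None):
        """Roles still in force for a user; a grant is treated as expired at its expiry instant."""
        now = now or datetime.now(timezone.utc)
        return {g.role_name for g in self.grants
                if g.username == username and g.active and now < g.expires_at}

    def expire_sweep(self, now=None):
        """Deactivate every grant whose expiry has passed; returns the (user, role) pairs revoked.

        A scheduler would call this periodically; the return value is what the
        audit trail and the connector deprovisioning step would act on.
        """
        now = now or datetime.now(timezone.utc)
        revoked = []
        for g in self.grants:
            if g.active and now >= g.expires_at:
                g.active = False
                revoked.append((g.username, g.role_name))
        return revoked


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    store = JitStore()
    store.grant("john.doe", "IT_Admin", 2, "Emergency production fix", now=t0)
    print(store.active_roles("john.doe", now=t0 + timedelta(hours=1)))  # {'IT_Admin'}
    print(store.expire_sweep(now=t0 + timedelta(hours=3)))              # [('john.doe', 'IT_Admin')]
    print(store.active_roles("john.doe", now=t0 + timedelta(hours=3)))  # set()
```

Note that `active_roles` checks the clock on every read rather than trusting the `active` flag alone, so a role stops being honoured at its expiry time even if the sweep has not run yet; the sweep exists to produce the revocation events, not to define when access ends. Timestamps are timezone-aware UTC throughout, which avoids the classic off-by-an-hour expiry bugs around daylight-saving changes.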
Natural language AI agent with live IAM data access:
- "Who has Finance_Approver role?"
- "Show high risk users"
- "What JIT access is active?"
- "Any SoD violations?"
Built a full-stack IAM Lifecycle & Access Governance Simulator in Python (Flask + SQLAlchemy) simulating SailPoint IdentityIQ — featuring LCM workflows (Joiner/Mover/Leaver), RBAC engine, QAR certifications, SoD enforcement, AI risk scoring, Non-Human Identity management, Just-In-Time access, and a natural language IAM Copilot agent — with mock connectors for Active Directory, Entra ID, GitHub, ServiceNow, Salesforce, and AWS.