Diagrams rendered client-side via Mermaid v10. View source for raw mermaid text — copy/paste into mermaid.live for PNG/SVG export.

System maps

1. High-level architecture — sources → IGA core → targets
graph LR
    subgraph sources["Authoritative sources"]
        HR[HR System<br/>Workday / SAP HCM]
        AD[Active Directory]
        ENTRA[Entra ID]
        EXT[External feeds<br/>contractor portals]
    end
    subgraph core["RapidValue IGA Core"]
        IDENT[Identity Store]
        ENT[Entitlement Catalog]
        POL[Policy Engine<br/>access-grant + SoD]
        RECON[Reconciliation<br/>SOL/IST snapshots]
        WORK[Workflow Engine<br/>JML / Access Request]
        NHI[NHI Discovery<br/>4-tier + ownership]
        EVENTS[Event Bus<br/>identity / grant]
        NOTIF[Notification platform]
    end
    subgraph targets["Target systems"]
        APPHUB[SaaS apps<br/>Salesforce / GitHub]
        AD2[AD / LDAP]
        ENTRA2[Entra ID]
        SAP[SAP / Workday]
        CUSTOM[Custom apps<br/>REST]
        MANUAL[ServiceNow<br/>Manual prov tasks]
    end
    HR --> IDENT
    AD --> IDENT
    ENTRA --> IDENT
    EXT --> IDENT
    IDENT --> POL
    ENT --> POL
    POL --> WORK
    POL --> RECON
    NHI --> IDENT
    WORK --> APPHUB
    WORK --> AD2
    WORK --> ENTRA2
    WORK --> SAP
    WORK --> CUSTOM
    WORK --> MANUAL
    EVENTS -.-> WORK
    EVENTS -.-> NOTIF
2. Tier-3 hybrid model — agent in customer VPC + CP in vendor
graph TB
    subgraph customer["Customer VPC / on-prem"]
        AGENT[Tier-3 agent<br/>Python single file]
        VAULT[agent-vault.json<br/>local credentials]
        LDAP[LDAP / AD]
        ENTRA_LOCAL[Entra connector<br/>via agent]
        REST_LOCAL[Internal REST APIs]
    end
    subgraph vendor["RapidValue SaaS (eu-west-1)"]
        CP[Control plane<br/>FastAPI]
        DB[(RDS PostgreSQL)]
        REDIS[Task queue]
        UI[Frontend<br/>React]
    end
    USER[Admin user] --> UI
    UI -- HTTPS --> CP
    CP -- task queue --> REDIS
    REDIS -- agent polls --> AGENT
    AGENT -- HTTPS callback --> CP
    AGENT --> LDAP
    AGENT --> ENTRA_LOCAL
    AGENT --> REST_LOCAL
    AGENT --> VAULT
    CP --> DB
3. JML flow — Joiner / Mover / Leaver lifecycle
sequenceDiagram
    participant HR as HR System
    participant IGA as IGA Core
    participant POL as Policy Engine
    participant WORK as Workflow
    participant TARGET as Target System
    HR->>IGA: identity.created (joiner)
    IGA->>POL: evaluate birthright policies
    POL->>WORK: create access-grant tasks
    WORK->>TARGET: provision accounts + grants
    Note over IGA,WORK: ── Mover ──
    HR->>IGA: identity.updated (department change)
    IGA->>POL: re-evaluate SOL
    POL->>WORK: revoke obsolete + grant new
    WORK->>TARGET: account_modify + grant + revoke
    Note over IGA,WORK: ── Leaver ──
    HR->>IGA: identity.terminated
    IGA->>WORK: spawn offboarding workflow
    WORK->>TARGET: disable account + revoke all
    WORK->>IGA: complete + audit-trail
4. Reconciliation pipeline — SOL → IST → drift → tasks
flowchart LR
    SOL[SOL calculator<br/>policy + role evaluation]
    IST[IST collector<br/>connector list_grants]
    COMPARE{Compare}
    DRIFT[Drift findings]
    AUTOFIX[Auto-fix path]
    TASK[ManualProvTask<br/>iga_op_admin]
    AUDIT[Audit event]
    SOL --> COMPARE
    IST --> COMPARE
    COMPARE -->|missing in target| AUTOFIX
    COMPARE -->|drift / unapproved| TASK
    COMPARE -->|writable attribute drift| AUTOFIX
    AUTOFIX -->|success| AUDIT
    AUTOFIX -->|failure| TASK
    TASK --> AUDIT
5. IVIP risk pipeline — signals → risk-score → IVIP surfaces
graph TB
    subgraph signals["Signal sources"]
        USAGE[Usage events<br/>Entra sign-in logs]
        ADV[Advisor findings<br/>dormant / outlier / SoD]
        RECON_S[Recon drift]
        CERT[Cert pending]
        WARN[Identity warnings]
    end
    subgraph compute["Risk-score compute"]
        SWEEP[Scheduler sweep<br/>30 min / tenant]
        SCORE[14-component<br/>weighted sum<br/>0-100]
        HIST[Risk history<br/>append-only]
    end
    subgraph surfaces["IVIP surfaces"]
        BADGE[RiskBadge on drawer]
        TILES[IvipSummaryTiles<br/>Executive dashboard]
        TREND[30-day trend chart]
        PACK[Audit-pack templates<br/>SOX / ISO / HIPAA / GDPR]
        RR[Resource risk score<br/>per Entitlement]
    end
    USAGE --> SCORE
    ADV --> SCORE
    RECON_S --> SCORE
    CERT --> SCORE
    WARN --> SCORE
    SWEEP --> SCORE
    SCORE --> BADGE
    SCORE --> TILES
    SCORE --> TREND
    SCORE --> HIST
    SCORE --> RR
    HIST --> PACK
6. Scheduler loop — per-tenant cadence sweeps
graph TB
    LOOP[Scheduler loop<br/>1 min tick]
    LOOP --> TENANTS[For each tenant]
    TENANTS --> SCHED_W[scheduled workflows<br/>fire if due]
    TENANTS --> RISK[risk-score sweep<br/>30 min]
    TENANTS --> RES[resource-risk<br/>1 h]
    TENANTS --> EP[effective permissions<br/>1 h]
    TENANTS --> TREND[risk-trend snapshot<br/>24 h]
    TENANTS --> USAGE[usage ingest<br/>6 h / connector]
    TENANTS --> RECO[advisor scan<br/>per detector interval]
    TENANTS --> SN[ServiceNow ticket state<br/>15 min]
    TENANTS --> CERT[cert sweep<br/>per CertRule]
    TENANTS --> ARCH[batch auto-archive<br/>24 h]
    TENANTS --> BACKUP[tier backups<br/>24 h, business+ only]
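The loop above is a 1-minute tick that decides, per tenant, which cadence sweeps are due. The block below is an added example of that due-check, not the code in app/scheduler/loop.py: the job names and intervals follow the diagram, but the tier names, the state shape (last-run timestamp per tenant per job) and the rule that a never-run job is due immediately are assumptions. The point it shows is that the last-run stamp is recorded in the same tick that selects the job, so a sweep that takes longer than a minute is not fired again by the next tick.

```python
"""Per-tenant cadence sweeps for a 1-minute tick loop.
Added example; tier names, state shape and first-run rule are assumptions."""
from typing import Dict, List, Optional, Tuple

MIN, HOUR = 60, 3600

# (job, interval in seconds, minimum tier or None for every tier).
# Jobs whose cadence is "per connector" / "per detector" / "per CertRule" in the
# diagram are driven by their own config and are left out of this fixed table.
JOBS: List[Tuple[str, int, Optional[str]]] = [
    ("risk_score_sweep",        30 * MIN, None),
    ("resource_risk",            1 * HOUR, None),
    ("effective_permissions",    1 * HOUR, None),
    ("risk_trend_snapshot",     24 * HOUR, None),
    ("servicenow_ticket_state", 15 * MIN, None),
    ("batch_auto_archive",      24 * HOUR, None),
    ("tier_backups",            24 * HOUR, "business"),   # business+ only
]
TIER_RANK = {"starter": 0, "business": 1, "enterprise": 2}  # assumption


def due_jobs(tenant: dict, last_run: Dict[str, int], now: int) -> List[str]:
    """Jobs whose interval has elapsed since their last run for this tenant.
    A job with no last_run entry has never run and is due immediately."""
    due = []
    for job, interval, min_tier in JOBS:
        if min_tier and TIER_RANK[tenant["tier"]] < TIER_RANK[min_tier]:
            continue
        last = last_run.get(job)
        if last is None or now - last >= interval:
            due.append(job)
    return due


def tick(tenants: List[dict], state: Dict[str, Dict[str, int]], now: int) -> Dict[str, List[str]]:
    """One scheduler tick. Stamps last_run before the job is handed to the
    dispatcher, so a slow sweep is not re-selected by the next tick."""
    dispatched = {}
    for tenant in tenants:
        last_run = state.setdefault(tenant["id"], {})
        jobs = due_jobs(tenant, last_run, now)
        for job in jobs:
            last_run[job] = now
        dispatched[tenant["id"]] = jobs
    return dispatched


if __name__ == "__main__":
    # Constructed tenants and three consecutive ticks.
    tenants = [{"id": "acme", "tier": "starter"}, {"id": "globex", "tier": "business"}]
    state: Dict[str, Dict[str, int]] = {}
    for t in (0, 15 * MIN, 30 * MIN):
        print(t, tick(tenants, state, t))
```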
7. Deployment topology — AWS eu-west-1 stack
graph TB
    USER[User browser]
    R53[Route 53<br/>app.rapidvalue.eu<br/>+ wildcard]
    ALB[Application Load Balancer]
    EC2_A[EC2 t3.small<br/>nginx + frontend + backend<br/>AZ-a]
    EC2_B[EC2 t3.small<br/>AZ-b]
    RDS[(RDS PostgreSQL 16<br/>Multi-AZ)]
    S3[(S3<br/>backups + exports)]
    SM[Secrets Manager<br/>vault key + DB pw]
    SES[SES<br/>notifications]
    USER --> R53
    R53 --> ALB
    ALB --> EC2_A
    ALB --> EC2_B
    EC2_A --> RDS
    EC2_B --> RDS
    EC2_A --> S3
    EC2_B --> S3
    EC2_A --> SM
    EC2_A --> SES

Component breakdown

Backend (FastAPI)

  • Domain modules: ~50 directories under backend/app/domain/, one per business concept (identity, entitlement_grant, certification, risk_score, …)
  • Multi-tenant: every ORM row carries tenant_id; the tenant is derived from the JWT principal on each request, not from client-supplied parameters
  • Lifespan auto-upgrade: Alembic upgrade runs in the FastAPI lifespan hook on boot, so no manual migration command is needed in dev
  • Scheduler loop: single asyncio task in app/scheduler/loop.py; per-tenant sweep dispatching
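The tenant-scoping rule above is the property that keeps one tenant's queries from reaching another tenant's rows. The block below is an added example of it in stdlib Python, not the backend's own JWT or ORM code: HS256 with a shared key, a "tid" claim and the in-memory IDENTITIES table are assumptions. It verifies the token, takes the tenant from the verified claims only, and shows that both a client-supplied tenant parameter and a token with a rewritten tid claim fail to widen the query.

```python
"""Tenant scoping derived from a verified JWT principal.
Added example; HS256, the "tid" claim and the sample table are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed sample table: two tenants sharing one table, every row tenant_id-stamped.
IDENTITIES = [
    {"id": 1, "tenant_id": "acme",   "email": "a.jones@acme.example"},
    {"id": 2, "tenant_id": "acme",   "email": "b.kaur@acme.example"},
    {"id": 3, "tenant_id": "globex", "email": "c.lee@globex.example"},
]

SIGNING_KEY = b"dev-only-key-do-not-ship"  # assumption: HS256 shared key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, tenant_id: str, now: Optional[int] = None, ttl: int = 900) -> str:
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "tid": tenant_id, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def principal_from_token(token: str, now: Optional[int] = None) -> dict:
    """Verify signature and expiry, then return the claims. Anything that does not
    verify raises PermissionError, so a tenant is never read from an unverified token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Always verify with HMAC-SHA256 regardless of the token's own alg field, so a
    # client cannot downgrade the check by editing the header.
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if not claims.get("tid"):
        raise PermissionError("no tenant claim")
    return claims


def list_identities(token: str, now: Optional[int] = None, **client_params) -> List[dict]:
    """Repository call scoped by the verified principal's tenant. Whatever tenant the
    client passes in query or body (client_params) is ignored, so changing a
    parameter cannot widen the query to another tenant's rows."""
    tenant_id = principal_from_token(token, now)["tid"]
    return [row for row in IDENTITIES if row["tenant_id"] == tenant_id]


def rewrite_tenant_claim(token: str, new_tenant: str) -> str:
    """What a tampering client tries: swap the tid claim, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(payload_b64))
    claims["tid"] = new_tenant
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    tok = issue_token("u-1", "acme")
    print(list_identities(tok, tenant_id="globex"))   # still only acme rows
    try:
        list_identities(rewrite_tenant_claim(tok, "globex"))
    except PermissionError as e:
        print("forged token rejected:", e)
```

The same shape applies to writes: an insert or update takes tenant_id from the principal, never from the request body, and a row lookup by primary key still carries the tenant filter so an ID guessed from another tenant returns nothing.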

Frontend (React + Vite)

  • Single SPA for both tenant app + ops portal (App.tsx routes on hostname)
  • TanStack Query for server state; no Redux
  • shadcn/ui for primitives; teal brand --brand: #0d9488
  • i18n: every user-visible string → frontend/src/i18n/locales.ts with EN/NL/FR/DE

Connectors

  • Engines: 7 (Entra, LDAP, SCIM, Salesforce, ServiceNow, REST, RapidValue internal)
  • Execution modes: in_process / agent / tunnel (per CLAUDE.md tier-3 section)
  • Capability matrix: see connector-matrix.html

Agent (tier-3)

  • Single Python file agent/tier3_agent.py + supervisor
  • Keypair auth (ECDSA P-256) or bearer fallback
  • WebSocket push for low-latency task notifications
  • Provisioning thresholds + local vault