Connector capability matrix — RapidValue IGA (internal)

Reading legend. ✓ = fully implemented. ~ = partial (works for common paths, edge cases missing). ✗ = not implemented. soon = planned for upcoming sprint.

Read capabilities

Engine	List accounts	List entitlements	List grants	Wizard test (fetch_raw_object)	Usage data (last_used)	Link seeder (transitive)
Microsoft Entra ID	✓	✓	✓	✓	✓	✓
LDAP / Active Directory	✓	✓	✓	✓	✗	soon
SCIM 2.0	✓	✓	✓	✓	✗	✗
Salesforce	✓	✓	✓	✓	✗	✗
ServiceNow	✓	✓	✓	✓	✗	✗
Generic REST	✓	✓	✓	✓	✗	✗
RapidValue (internal)	✓	✓	✓	N/A	N/A	N/A

Usage-data only Entra today (Graph audit-logs / signIns). For non-Entra targets, dormant grants are detected via inactivity heuristics, not real sign-in events.

Write / provisioning

Engine	Create identity	Update identity	Disable identity	Grant group	Revoke group	JIT grant (birthright)	Enable / disable account
Microsoft Entra ID	soon	✓	soon	✓	✓	✗	✗
LDAP / Active Directory	✓	✓	✗	✓	✓	✗	✗
SCIM 2.0	✓	✓	✓	✓	✓	✗	✗
Salesforce	✗	✓	✗	✓	✓	✗	✗
ServiceNow	✗	✓	✗	✓	✓	✗	✗
Generic REST	✓	✓	✗	✓	✓	✗	✗
RapidValue (internal)	N/A	N/A	✓	✓	✓	N/A	N/A

Identity create is heaviest for sales-call exposure. For Entra: handled today via Graph PATCH-with-create-onMembership; full create_identity path lands in upcoming sprint. For ServiceNow + Salesforce: hand off to admin via manual-provisioning-task (workflow follows).

Deployment modes

Engine	in_process (SaaS-native)	agent (tier-3 hybrid)	tunnel (transport-bridge)
Microsoft Entra ID	✓	✓	✗ (blocked — Graph)
LDAP / Active Directory	✓	✓	✗ (raw TCP not bridgeable)
SCIM 2.0	✓	✓	✓
Salesforce	✓	✓	✗ (proprietary auth)
ServiceNow	✓	✓	✗ (proprietary auth)
Generic REST	✓	✓	✓
RapidValue (internal)	✓	N/A	N/A

Tunnel mode = real connector runs in CP, HTTP calls bridge through the agent. Only RestEngine + ScimConnector accept transport injection today. LDAP/AD are hard-blocked from tunnel (raw TCP, not HTTP).

Wizard onboarding

Engine	Vendor template (catalog)	Auto-passthrough (Map editor)	Sync strategy (filter Q)	Attribute picker (per object)	Deep-link (?vendor=)
Microsoft Entra ID	✓	✓	✓ (on-prem AD)	✓	✓
Workday HR	✓	✓	✓ (payroll feed)	✓	✓
SuccessFactors HR	✓	✓	✓ (BizX parallel)	✓	✓
Salesforce	✓	✓	✗	✓	✓
ServiceNow	✓	✓	✗	✓	✓
LDAP / AD	✓	✓	✗	✓	✓
SCIM 2.0 (generic)	✓	✓	✗	✓	✓
Generic REST	~ (manual)	✗	✗	✗	✗

Sync strategy waypoint is vendor-gated via KnownSystem.sync_strategy spec. New vendors plug into the same pattern without service code changes.

What's not implemented yet

Be explicit in sales conversations:

SAP HCM / SAP S/4HANA — coming-soon catalog entry, not implemented. Custom-connector path or wait for sprint.
Workday provisioning (only HR-read today). For write-back to Workday, manual-prov-task fallback.
Slack / GitHub / Atlassian SCIM — catalog entries via SCIM 2.0 engine, but vendor-specific quirks not yet covered.
Just-in-time access across all engines — birthright + scheduled grants today; on-demand JIT (Conductor One-style) is roadmap.
Account create on Entra via Graph User.Create — uses workaround today.
Account disable / enable across most engines — only Entra + SCIM today, others raise NotImplementedError.
Custom SAML/OIDC SSO per tenant — JWT-only today. SSO integration is Enterprise-tier roadmap.

Internal · re-audit when adding/removing engines · run the sniff script: grep -l "def fetch_raw_object" backend/app/connectors/*.py
→ workflow packages · → demo cheat sheet · ← hub