Dynamic Group Engine
Replace static group management with ABAC rules that evaluate identity attributes in real time. Every membership change is computed, delta-tracked, and provenance-signed — auditors get evidence, not spreadsheets.
Key advantages
The static group problem
"We have 40,000 employees across 6 countries. When someone transfers departments, their old group memberships linger for months. The auditors flag it every quarter, and our IAM team spends weeks fixing what automation should handle." — VP Identity, Global Enterprise
Manual add/remove at scale
Operational burden scales linearly with headcount — admins hand-manage thousands of memberships across systems.
Stale memberships
Orphaned access grants persist for months after role changes. SOX and GDPR auditors flag them every cycle.
Inconsistent decisions
Different admins apply different judgment — employees with identical attributes get different access.
No audit trail
Manual changes leave no structured evidence. Compliance teams get spreadsheets and screenshots instead of proof.
Rubber-stamped reviews
Managers certify 10,000 assignments because they cannot evaluate each one individually. Approval fatigue erodes governance.
Onboarding delays
New hires wait hours or days for group memberships to be manually provisioned. Productivity lost from day one.
Why alternatives fall short
How it works
Define membership with rules, not manual adds. DGE continuously evaluates identity attributes against ABAC policies, computes precise membership deltas, and emits governed fulfillment directives — with a cryptographic proof chain for every change.
Author rules
- JSON expression trees with 12 operators, compound AND/OR, up to 50 conditions
- Preview impact before publishing — warning if >50,000 identities affected
- Role Intelligence can suggest DGE-ready rules from access pattern analysis
Evaluate & delta
- Two trigger paths: policy change (full recompute) or identity attribute change (inline)
- SQL EXCEPT on staging tables — precise additions and removals without loading sets into memory
- Sparse membership model: row exists = member, absence = not member — eliminates boolean drift
Fulfill & prove
- AccessDirectives stream to Kafka at 1,000/sec in batches of 100 with idempotency keys
- Orchestration Service provisions via target APIs with per-item result tracking
- ExecutionReceipt with JWS signature, receipt_hash, and assignment_key for truth-spine joins
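The evaluate-and-delta step and the idempotent directive stream described above, as an added example that is not DGE's own code. It uses an in-memory SQLite database as a stand-in for the product's staging tables; table and column names, the run ids and the sample identities are constructed for this illustration. The delta is computed by the database with EXCEPT, membership is stored as sparse rows, directives carry the page's idempotency-key shape, and the whole evaluation runs in one transaction so a failure leaves the old membership untouched. It also shows why a replayed delta cannot issue a second removal for the same policy version, the property the FAQ below relies on.

```python
"""Membership delta with SQL EXCEPT over a staging table, sparse membership
rows, and idempotent AccessDirectives (added example, sqlite3 in memory)."""
import sqlite3

BATCH_SIZE = 100  # the page: directives stream in batches of 100


def new_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        -- Sparse model: a row means "member"; no row means "not a member".
        -- There is no boolean column that can drift out of sync.
        CREATE TABLE membership (
            policy_id TEXT, identity_id TEXT, PRIMARY KEY (policy_id, identity_id));
        -- Staging table written by one evaluation run and swapped in only on success.
        CREATE TABLE staging_membership (
            run_id TEXT, policy_id TEXT, identity_id TEXT,
            PRIMARY KEY (run_id, policy_id, identity_id));
        -- Directives keyed by idempotency key: a replayed directive is a no-op.
        CREATE TABLE access_directive (
            idempotency_key TEXT PRIMARY KEY, action TEXT, policy_id TEXT,
            identity_id TEXT, version INTEGER, run_id TEXT);
    """)
    return conn


def seed_current(conn, policy_id, identity_ids):
    conn.executemany("INSERT INTO membership VALUES (?, ?)", [(policy_id, i) for i in identity_ids])
    conn.commit()


def current_members(conn, policy_id):
    rows = conn.execute(
        "SELECT identity_id FROM membership WHERE policy_id = ? ORDER BY identity_id", (policy_id,))
    return [r[0] for r in rows]


def compute_delta(conn, run_id, policy_id):
    """Additions = staging EXCEPT current; removals = current EXCEPT staging.
    The database does the set difference; no membership set is loaded into Python."""
    adds = conn.execute("""
        SELECT identity_id FROM staging_membership WHERE run_id = ? AND policy_id = ?
        EXCEPT
        SELECT identity_id FROM membership WHERE policy_id = ?
        ORDER BY identity_id""", (run_id, policy_id, policy_id)).fetchall()
    removes = conn.execute("""
        SELECT identity_id FROM membership WHERE policy_id = ?
        EXCEPT
        SELECT identity_id FROM staging_membership WHERE run_id = ? AND policy_id = ?
        ORDER BY identity_id""", (policy_id, run_id, policy_id)).fetchall()
    return [r[0] for r in adds], [r[0] for r in removes]


def idempotency_key(policy_id, identity_id, action, version):
    """The page's key shape: {policy_id}:{identity_id}:{type}:{version}."""
    return f"{policy_id}:{identity_id}:{action}:{version}"


def emit_directives(conn, run_id, policy_id, version, adds, removes):
    """Insert directives and return how many were new. INSERT OR IGNORE on the
    idempotency key means a replayed delta (restart, redelivery) inserts nothing,
    so a removal is never issued twice for the same policy version. Does not
    commit; the caller owns the transaction."""
    rows = [(idempotency_key(policy_id, i, "add", version), "add", policy_id, i, version, run_id)
            for i in adds]
    rows += [(idempotency_key(policy_id, i, "remove", version), "remove", policy_id, i, version, run_id)
             for i in removes]
    cur = conn.executemany("INSERT OR IGNORE INTO access_directive VALUES (?, ?, ?, ?, ?, ?)", rows)
    return cur.rowcount


def batches(items, size=BATCH_SIZE):
    """Chunk directives for the transport (Kafka on the page) into fixed-size batches."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def run_evaluation(conn, run_id, policy_id, version, computed_ids):
    """One evaluation: stage the computed members, diff, emit directives, swap the
    staged rows in. A single transaction makes the job all-or-nothing."""
    with conn:  # commits on success, rolls back on any exception
        conn.executemany("INSERT INTO staging_membership VALUES (?, ?, ?)",
                         [(run_id, policy_id, i) for i in computed_ids])
        adds, removes = compute_delta(conn, run_id, policy_id)
        new = emit_directives(conn, run_id, policy_id, version, adds, removes)
        conn.execute("DELETE FROM membership WHERE policy_id = ?", (policy_id,))
        conn.execute("""INSERT INTO membership
                        SELECT policy_id, identity_id FROM staging_membership
                        WHERE run_id = ? AND policy_id = ?""", (run_id, policy_id))
        conn.execute("DELETE FROM staging_membership WHERE run_id = ?", (run_id,))
    return adds, removes, new


def try_run(conn, *args):
    """Run an evaluation; on a constraint failure the transaction is rolled back
    and None is returned, leaving membership exactly as it was."""
    try:
        return run_evaluation(conn, *args)
    except sqlite3.IntegrityError:
        return None
```

Running `run_evaluation` twice with the same version yields an empty delta the second time, and replaying `emit_directives` with the first run's delta inserts zero rows: the idempotency key, not the transport, is what prevents a double revocation.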
Performance & proof
Capabilities
Six core capabilities that transform static group management into governed, evidence-backed automation.
ABAC rule engine
12 operators · compound logic · short-circuit evaluation
JSON expression trees with 12 operators (equals, in, starts_with, contains, etc.), compound AND/OR logic, and up to 50 conditions per rule. referenced_fields index enables efficient policy-to-identity matching without full-scan evaluation.
- Example: country = "DE" AND department = "IT"
- Short-circuit evaluation reduces unnecessary computation
- Impact preview before publishing — shows additions and removals
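The rule engine described in the "Author rules" step and in this capability, as an added example rather than DGE's own implementation. The JSON node shape, the subset of operators (the page names equals, in, starts_with and contains among 12; the rest here are assumed), the referenced_fields index and the sample identities are all constructed for this illustration. It shows short-circuit evaluation, the 50-condition budget, the impact preview as a set difference against current membership, and how the referenced_fields index narrows which policies an attribute change must re-evaluate.

```python
"""ABAC rule evaluation over JSON expression trees (added example)."""
import json

MAX_CONDITIONS = 50  # the page: up to 50 conditions per rule

# Leaf operators. The page lists equals, in, starts_with, contains "etc." (12 in
# total); this subset and the node shape below are assumptions for the example.
# Rule shape: {"op": "and"|"or", "conditions": [...]} for compound nodes,
#             {"field": ..., "op": ..., "value": ...} for leaf conditions.
OPERATORS = {
    "equals": lambda a, b: a == b,
    "not_equals": lambda a, b: a != b,
    "in": lambda a, b: a in b,
    "not_in": lambda a, b: a not in b,
    "starts_with": lambda a, b: isinstance(a, str) and a.startswith(b),
    "ends_with": lambda a, b: isinstance(a, str) and a.endswith(b),
    "contains": lambda a, b: a is not None and b in a,
    "exists": lambda a, b: (a is not None) == bool(b),
}


def is_compound(node):
    return "conditions" in node


def referenced_fields(node):
    """Every attribute name a rule reads. Kept as a per-policy index so that an
    attribute change re-evaluates only the policies that read that attribute."""
    if is_compound(node):
        return set().union(*(referenced_fields(c) for c in node["conditions"]))
    return {node["field"]}


def count_conditions(node):
    if is_compound(node):
        return sum(count_conditions(c) for c in node["conditions"])
    return 1


def validation_errors(rule):
    """Problems that should block publishing: condition budget and unknown operators."""
    errors = []
    n = count_conditions(rule)
    if n > MAX_CONDITIONS:
        errors.append(f"rule has {n} conditions; limit is {MAX_CONDITIONS}")

    def walk(node):
        if is_compound(node):
            if node.get("op") not in ("and", "or"):
                errors.append(f"unknown compound operator {node.get('op')!r}")
            for c in node["conditions"]:
                walk(c)
        elif node.get("op") not in OPERATORS:
            errors.append(f"unknown operator {node.get('op')!r}")

    walk(rule)
    return errors


def evaluate(node, identity, stats=None):
    """Short-circuit evaluation: AND stops at the first False, OR at the first
    True. stats["leaves"] counts the leaf conditions actually executed."""
    if is_compound(node):
        children = (evaluate(c, identity, stats) for c in node["conditions"])
        return all(children) if node["op"] == "and" else any(children)
    if stats is not None:
        stats["leaves"] = stats.get("leaves", 0) + 1
    return bool(OPERATORS[node["op"]](identity.get(node["field"]), node["value"]))


def members(rule, identities):
    """Identity ids the rule selects."""
    return {i["id"] for i in identities if evaluate(rule, i)}


def impact_preview(rule, identities, current_members):
    """Additions and removals a publish would cause relative to current membership."""
    computed = members(rule, identities)
    return sorted(computed - current_members), sorted(current_members - computed)


def policies_referencing(changed_attrs, policies):
    """Policies whose referenced_fields overlap the attributes that changed."""
    return {pid for pid, r in policies.items() if referenced_fields(r) & set(changed_attrs)}


# Constructed sample rule, policy set and identities (not real data).
RULE = json.loads("""
{"op": "and", "conditions": [
  {"field": "country", "op": "equals", "value": "DE"},
  {"field": "department", "op": "in", "value": ["IT", "Security"]},
  {"field": "email", "op": "ends_with", "value": "@example.com"}
]}""")
POLICIES = {
    "p-de-it": RULE,
    "p-finance": {"field": "department", "op": "equals", "value": "Finance"},
}
IDENTITIES = [
    {"id": "u1", "country": "DE", "department": "IT", "email": "a@example.com"},
    {"id": "u2", "country": "FR", "department": "IT", "email": "b@example.com"},
    {"id": "u3", "country": "DE", "department": "HR", "email": "c@example.com"},
    {"id": "u4", "country": "DE", "department": "Security", "email": "d@contractor.net"},
]

if __name__ == "__main__":
    stats = {}
    print("members:", sorted(i["id"] for i in IDENTITIES if evaluate(RULE, i, stats)))
    print("leaf evaluations:", stats["leaves"], "of", count_conditions(RULE) * len(IDENTITIES))
    print("preview vs {u1, u2}:", impact_preview(RULE, IDENTITIES, {"u1", "u2"}))
```

On the four sample identities the AND rule executes 9 leaf conditions instead of 12, because each non-matching identity stops at its first failing condition. A change to `country` touches only `p-de-it`; a change to `department` touches both policies, which is the lookup the referenced_fields index makes cheap.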
Observed vs. computed assignments
Actual access vs. intended access · governance_ref linking
ObservedAssignment tracks what access actually exists (via connectors). DGE computes what should exist. governance_ref links observed to governed — critical for anti-poisoning in Role Intelligence.
- ClickHouse analytics with ReplacingMergeTree for observed assignments
- Governed access weighted higher than discovered in Role Intelligence
Permission grants
Neo4j fine-grained permissions · drift detection
Fine-grained (Role)-[:HAS_PERMISSION]->(PermissionGrant)-[:IN_APP]->(App) in Neo4j. Each grant carries operation_ref_id (verb) and resource_id (noun) with source_hash for drift detection.
- Drift detection via source_hash comparison
- Enables PDP queries via Resource Index Service PIP
Provenance tracking
AccessDirective → FulfillmentJob → ExecutionReceipt → Proof
Three-table chain with full lineage: source_policy_id, source_policy_version, source_run_id, and correlation_id. Receipts include receipt_hash, receipt_jws (JWS signature), and receipt_kid for cryptographic proof via ReceiptVault.
- Idempotency keys: {policy_id}:{identity_id}:{type}:{version}
- Truth-spine joins via assignment_key_v1
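An added example of the receipt side of the provenance chain, not ReceiptVault's code. It signs with HS256 over an HMAC key as a stand-in for whatever algorithm and key store the product uses; the key id, the receipt field set, the layout of assignment_key_v1 and the sample directive are assumptions. The point it demonstrates is the verification an auditor can perform offline: the signature must verify under the receipt's kid with the algorithm pinned, the receipt_hash inside the signed payload must match the stored one, and both must match a fresh hash of the receipt body, so editing any lineage or result field is detectable.

```python
"""ExecutionReceipt hashing and JWS signing (added example, HS256 stand-in)."""
import base64
import hashlib
import hmac
import json

# Constructed keyring standing in for ReceiptVault: kid -> HMAC secret.
KEYRING = {"kid-2025-01": b"constructed-secret-for-the-example-only"}
RECEIPT_ONLY_FIELDS = ("receipt_hash", "receipt_jws", "receipt_kid")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical(obj):
    """Deterministic JSON so the same receipt always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def assignment_key_v1(identity_id, target_system, role_id):
    """Stable join key from identity + target + role (assumed layout) so a receipt
    can be matched against observed assignments in the truth spine."""
    return hashlib.sha256(f"v1|{identity_id}|{target_system}|{role_id}".encode()).hexdigest()


def sign_jws(payload, kid):
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(canonical(header))}.{b64url(canonical(payload))}"
    mac = hmac.new(KEYRING[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_jws(token, expected_kid):
    """Return the payload if the signature verifies under expected_kid, else None.
    The algorithm is pinned to HS256; the header is not allowed to choose it."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
        payload = json.loads(b64url_decode(p))
    except ValueError:
        return None
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return None
    key = KEYRING.get(expected_kid)
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, signature) else None


def build_receipt(directive, result, kid):
    """Receipt = lineage copied from the directive + outcome, hashed, then signed."""
    body = {
        "directive_id": directive["directive_id"],
        "source_policy_id": directive["source_policy_id"],
        "source_policy_version": directive["source_policy_version"],
        "source_run_id": directive["source_run_id"],
        "correlation_id": directive["correlation_id"],
        "action": directive["action"],
        "result": result,
        "assignment_key": assignment_key_v1(
            directive["identity_id"], directive["target_system"], directive["role_id"]),
    }
    receipt_hash = hashlib.sha256(canonical(body)).hexdigest()
    jws = sign_jws({**body, "receipt_hash": receipt_hash}, kid)
    return {**body, "receipt_hash": receipt_hash, "receipt_jws": jws, "receipt_kid": kid}


def verify_receipt(receipt):
    """Auditor's check: valid signature, signed hash equals stored hash, and both
    equal a fresh hash of the receipt body."""
    payload = verify_jws(receipt["receipt_jws"], receipt["receipt_kid"])
    if payload is None or payload.get("receipt_hash") != receipt["receipt_hash"]:
        return False
    body = {k: v for k, v in receipt.items() if k not in RECEIPT_ONLY_FIELDS}
    fresh = hashlib.sha256(canonical(body)).hexdigest()
    return hmac.compare_digest(fresh, receipt["receipt_hash"])


# Constructed directive; every id is a placeholder, not a product value.
DIRECTIVE = {
    "directive_id": "dir-0001", "source_policy_id": "p-de-it", "source_policy_version": 7,
    "source_run_id": "run-1", "correlation_id": "corr-42", "action": "add",
    "identity_id": "u4", "target_system": "entra", "role_id": "grp-it-de",
}
```

Because `canonical` sorts keys and strips whitespace, two services that build the same receipt produce byte-identical hashes, which is what makes receipt_hash usable as a join and de-duplication key across the three-table chain.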
Resource collections
Static + dynamic groupings · materialized for PDP
Static (admin-managed) and dynamic (rule-driven) resource groupings stored in Neo4j, materialized in the Resource Index Service for real-time PDP queries. Authorization policies can reference groups of resources rather than individual items.
- Enables policy like "all Finance team apps" instead of listing each one
- Both admin-curated and rule-computed collections
Role assignment model
Neo4j MEMBER_OF edges · full audit fields
Person-to-AppRole assignments carry granted_by, granted_at, decision_id, request_id, expires_at, and revocation audit fields as relationship properties on Neo4j MEMBER_OF edges.
- Time-based access via expires_at
- Full decision lineage on every edge
Business impact
Weeks of admin effort → automated rule evaluation
Every change has cryptographic proof chain — no spreadsheets
Attribute change to group membership update — not days
Continuous evaluation eliminates lingering access grants
Connects to your stack
Target system fulfillment, internal platform services, and analytics — all from a single engine.
How DGE compares
Frequently asked questions
How is DGE different from Entra ID dynamic membership rules?
Entra dynamic groups are limited to Entra-only targets and offer limited rule expressiveness. DGE evaluates ABAC rules across all connected systems, syncs to Entra, SAP IAS, and AD from a single engine, and provides full provenance tracking with cryptographic receipts. DGE also integrates with the complete EmpowerNow governance stack — Role Intelligence, access reviews, and the Entitlement Ledger.
How does DGE prevent over-revocation during migration?
The sparse membership model (row exists = member) combined with idempotency keys ensures that duplicate directives never cause double-revocations. Batch fulfillment with per-item result tracking handles partial failures gracefully. The Entitlement Ledger's reference counting adds an additional safety layer for multi-source grant management.
What happens if the DGE service restarts mid-evaluation?
Computation jobs use SELECT FOR UPDATE SKIP LOCKED for atomic claiming with heartbeat monitoring. Stale jobs (no heartbeat for 30 minutes) are automatically reclaimed by another worker. The staging table pattern ensures no partial results are committed — evaluation is all-or-nothing per job.
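The claim-and-heartbeat mechanism this answer describes, as an added example that is not DGE's code. DGE does this in PostgreSQL with SELECT FOR UPDATE SKIP LOCKED; SQLite has no row-level locks, so this stand-in uses a conditional UPDATE whose rowcount tells a worker whether it won the claim, which gives the same exactly-one-winner property for the purpose of the demonstration. The job table, column names, worker names and timestamps are constructed. The simulation walks through the restart scenario: a worker claims a job, stops heartbeating, a second worker is refused until the 30-minute stale window has passed, then takes the job, and the first worker's late heartbeat is rejected so it knows to abandon its work.

```python
"""Crash-safe computation-job claiming with heartbeats (added example,
sqlite3 in memory standing in for PostgreSQL's SELECT FOR UPDATE SKIP LOCKED)."""
import sqlite3

STALE_AFTER_SECONDS = 30 * 60  # the page: no heartbeat for 30 minutes = stale


def new_queue():
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE computation_job (
            job_id TEXT PRIMARY KEY, policy_id TEXT,
            state TEXT NOT NULL DEFAULT 'queued',   -- queued | running | done
            claimed_by TEXT, heartbeat_at REAL)""")
    conn.commit()
    return conn


def enqueue(conn, job_id, policy_id):
    conn.execute("INSERT INTO computation_job (job_id, policy_id) VALUES (?, ?)", (job_id, policy_id))
    conn.commit()


def claim_job(conn, worker, now):
    """Claim one queued job, or a running job whose owner has stopped heartbeating.
    Returns the job_id or None. The WHERE clause is re-checked inside the UPDATE,
    so only one worker can win a given row even if several saw it as a candidate."""
    cutoff = now - STALE_AFTER_SECONDS
    candidates = conn.execute("""
        SELECT job_id FROM computation_job
        WHERE state = 'queued' OR (state = 'running' AND heartbeat_at < ?)
        ORDER BY job_id""", (cutoff,)).fetchall()
    for (job_id,) in candidates:
        cur = conn.execute("""
            UPDATE computation_job SET state = 'running', claimed_by = ?, heartbeat_at = ?
            WHERE job_id = ? AND (state = 'queued' OR (state = 'running' AND heartbeat_at < ?))""",
            (worker, now, job_id, cutoff))
        conn.commit()
        if cur.rowcount == 1:
            return job_id
    return None


def heartbeat(conn, job_id, worker, now):
    """Refresh the heartbeat. Returns False if the job has been reclaimed by another
    worker, which is the signal for a resurrected worker to abandon its work."""
    cur = conn.execute("""
        UPDATE computation_job SET heartbeat_at = ?
        WHERE job_id = ? AND claimed_by = ? AND state = 'running'""", (now, job_id, worker))
    conn.commit()
    return cur.rowcount == 1


def complete(conn, job_id, worker):
    """Only the current owner may mark the job done."""
    cur = conn.execute("""
        UPDATE computation_job SET state = 'done'
        WHERE job_id = ? AND claimed_by = ? AND state = 'running'""", (job_id, worker))
    conn.commit()
    return cur.rowcount == 1


def job_state(conn, job_id):
    return conn.execute(
        "SELECT state, claimed_by FROM computation_job WHERE job_id = ?", (job_id,)).fetchone()


def simulate_restart():
    """Worker A claims, heartbeats once, then dies. B is refused while A's last
    heartbeat is fresh, takes over once it is 30 minutes old, and A's late
    heartbeat is rejected."""
    conn = new_queue()
    enqueue(conn, "job-1", "p-de-it")
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    reclaim_time = t0 + 60 + STALE_AFTER_SECONDS + 1
    return [
        ("A-claim", claim_job(conn, "worker-A", t0)),
        ("A-heartbeat", heartbeat(conn, "job-1", "worker-A", t0 + 60)),
        ("B-claim-early", claim_job(conn, "worker-B", t0 + 5 * 60)),
        ("B-claim-after-stale", claim_job(conn, "worker-B", reclaim_time)),
        ("A-heartbeat-after-reclaim", heartbeat(conn, "job-1", "worker-A", reclaim_time + 1)),
        ("B-complete", complete(conn, "job-1", "worker-B")),
        ("final-state", job_state(conn, "job-1")),
    ]
```

The heartbeat and completion updates are fenced on `claimed_by`, which is what keeps a worker that was merely paused (not dead) from committing results after its job has been handed to someone else; combined with the staging-table swap, the reclaimed job re-runs from scratch rather than merging two partial results.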
Can DGE handle time-based access?
Yes. Role assignments carry expires_at fields. Policies can include time-based conditions. The evaluation pipeline re-evaluates on attribute changes, which includes temporal triggers when integrated with the UEAS event engine.
Standards & protocols
Protocols
Observability
Compliance-ready
Use cases
Related reading
Ready to see it live?
Book a 15-minute walkthrough with an engineer. We'll map Dynamic Group Engine to your architecture, show real event flows, and answer every technical question.