ACCESS AUTOMATION

IGA Connectors

Bridge the gap between governance decisions and real provisioning. 35+ pre-built connectors turn approvals from SAP GRC, ServiceNow, and Jira into executed access — with batch fulfillment, flat-file ingestion for legacy systems, and an Entitlement Ledger that prevents over-revocation.

IGA Engineers · IAM Ops · SAP GRC Admins · IT Security

Key advantages

Zero portal migration — keep SAP GRC, ServiceNow, or Jira; add automated fulfillment

Governance spine: AccessDirective → FulfillmentJob → ExecutionReceipt with tamper-evident proof

Batch fulfillment reduces HTTP traffic by 80–99% — 500 revocations in 25 API calls

Entitlement Ledger with reference counting prevents over-revocation across multi-source grants

The fulfillment gap

"Access governance tools are excellent at deciding who should have access. But the moment an approval is granted, the automation stops. A ticket lands in a queue, an admin copies values between screens, the employee waits hours, and the audit trail is a forwarded email." — Director of IAM, Fortune 500

Approval-to-provisioning gap

Access approved in GRC but manually provisioned hours or days later — employees sit idle, projects stall.

Scattered audit trails

Approval in SAP GRC, ticket in ServiceNow, actual change in Azure AD — no single chain of evidence.

Legacy blind spots

AS/400, mainframes, and file-based systems hold real access data but can't participate in governance workflows.

Bulk revocation failures

Quarterly access reviews produce 50–500 revocations that hit API rate limits, fail silently, or time out.

Over-revocation risk

Revoking access granted by multiple sources without reference counting removes more than intended.

Unknown state on failure

Custom scripts fire provisioning calls but have no rollback, no retry, and no way to determine what happened.

Why alternatives fall short

SAP GRC alone

SAP-only fulfillment

Best-in-class risk analysis and approvals — but cannot provision non-SAP systems. Azure AD, Salesforce, and LDAP remain manual.

SailPoint / Saviynt

Portal migration required

Full IGA suites that require portal migration and user retraining. Orgs invested in SAP GRC can't justify a second approval portal.

Custom scripts / RPA

Fire-and-forget · ungoverned

No structured audit trail, no idempotency, no retry logic, no reference counting. On failure, no one knows what was provisioned.

How it works

When someone approves an access request, nothing should stand between that decision and real provisioning. IGA Connectors detects approvals within 30 seconds and provisions target systems automatically — with batch optimization and cryptographic proof.

[Diagram: IGA Connectors pipeline, approval in → governed provisioning out. Stages: Approve (existing portals) → Detect (≤30 seconds) → Fulfill (batch optimized) → Provision (35+ systems) → Prove (tamper-evident).]

1. Detect

  • Monitor SAP GRC, ServiceNow, and Jira in near-real-time
  • Generate structured AccessDirective within 30 seconds of approval
  • Includes identity, entitlement, approval reference, and intended action

2. Batch & fulfill

  • Match to 35+ pre-built connectors with API-aware schema translation
  • Group operations by target, type, and tenant for batch execution
  • Graph $batch, SCIM bulk, LDAP pipelined — 80–99% fewer HTTP calls

3. Prove & reconcile

  • ExecutionReceipt with JWS signature for each provisioned operation
  • Entitlement Ledger updates reference counts per grant source
  • Dependency resolver ensures correct provisioning/deprovisioning order

Performance & proof

  • 35+ pre-built connectors
  • 99% HTTP request reduction
  • 200K+ active ledger rules
  • <3 min approval to provisioned
  • 100+ Azure connector commands
  • 50K rows per flat-file import

Capabilities

Six capabilities that close the gap between governance decisions and real provisioning.

Core access automation

Approval-driven · birthright · full JML lifecycle

Approval-driven provisioning (detect GRC/ServiceNow/Jira decisions), birthright provisioning (attribute-triggered), and full joiner/mover/leaver lifecycle automation across all connected systems.

  • Detect approvals within 30 seconds
  • Birthright rules triggered by identity attributes
  • JML lifecycle automation covers join, move, and leave transitions

Azure / Entra connector v2.1

100+ commands · PIM · Access Packages · Admin Units

100+ commands covering PIM role activation, Access Packages, Administrative Units, Conditional Access policies, and Copilot license assignment. 185+ test cases with 100% endpoint verification.

  • 53 new commands in v2.1.0
  • Full PIM lifecycle: eligible, active, extend, deactivate

Batch fulfillment engine

Graph $batch · SCIM bulk · 5x–60x speedup

Microsoft Graph $batch (20 ops/call), SCIM bulk PATCH, LDAP bulk bind. Automatic grouping by tenant, system, and operation type. Per-item result tracking for partial failure handling.

  • 500 user revocations → 25 batched calls (~2s vs ~50s)
  • Per-item tracking: successes recorded, failures retried individually

Flat-file connector

CSV · JSON · YAML · XLSX · 50K rows/import

Legacy systems (AS/400, mainframes) that export flat files become first-class governance participants. Schema inference, column mapping, and validation handle up to 50,000 rows per import.

  • Mainframe roles visible in governance UI — requestable, recertifiable
  • Updated CSV generated for systems that will never have an API

Entitlement Ledger

Reference counting · dependency resolver · 5 coexistence modes

Reference-counted entitlement store supporting 200K+ active rules. Bulk import of 176K rules in under 1 hour. Five coexistence modes for migration: NATIVE, LEGACY_PROXY, SHADOW_COMPARE, DUAL_WRITE, and LEGACY_OVERRIDE.

  • Birthright + request + delegation tracked independently per entitlement
  • Topological sort ensures correct provisioning/deprovisioning order

Data owner integration

6 methods · Quick Populate API · delegated admin

Six methods for data owners to define and manage entitlements: manual curation, bulk upload, Quick Populate API, connector discovery, Role Intelligence suggestions, and delegated administration.

  • Quick Populate API enables programmatic seeding for migrations
  • Role Intelligence feeds data-driven entitlement suggestions

Business impact

  • 99% fewer HTTP calls: 500 revocations → 25 batched API calls
  • <3 min approval to access: hours or days of manual work → minutes
  • 0 portal migration: keep SAP GRC, ServiceNow, or Jira intact
  • 100% audit evidence: every operation has tamper-evident proof

Connects to your stack

Governance sources, 35+ target system connectors, and the full EmpowerNow platform.

  • SAP GRC / IAS
  • Azure AD / Entra ID
  • ServiceNow
  • Active Directory
  • Salesforce
  • Workday / SaaS
  • Flat files (CSV/JSON)
  • SCIM 2.0 / LDAP

Frequently asked questions

Do we need to replace SAP GRC or ServiceNow?

No. IGA Connectors sits behind your existing approval engine; it does not replace it. Approvals stay in SAP GRC, ServiceNow, or Jira — IGA Connectors adds the automated fulfillment layer. Zero portal migration, zero user retraining.

How does batch fulfillment handle partial failures?

Each item in a batch is tracked individually. If 3 out of 25 operations in a $batch call fail, the 22 successes are recorded as ExecutionReceipts, and the 3 failures are retried with exponential backoff. The Entitlement Ledger is only updated for confirmed successes.
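
The per-item handling described in this answer can be sketched as follows. This is an added example, not EmpowerNow code: it builds Microsoft Graph `$batch` bodies (20 requests per call) for group-membership removals and splits a simulated reply into confirmed successes and retries. The function names, the backoff parameters and the sample data are assumptions made for illustration.

```python
GRAPH_BATCH_LIMIT = 20  # Microsoft Graph JSON batching accepts up to 20 requests per call

def build_batches(revocations):
    """Turn (group_id, user_id) pairs into $batch bodies of at most 20 requests."""
    batches = []
    for start in range(0, len(revocations), GRAPH_BATCH_LIMIT):
        chunk = revocations[start:start + GRAPH_BATCH_LIMIT]
        batches.append({"requests": [
            {"id": str(start + i), "method": "DELETE",
             "url": f"/groups/{group}/members/{user}/$ref"}
            for i, (group, user) in enumerate(chunk)]})
    return batches

def split_results(batch, response):
    """Return (confirmed, retry); retry holds (request, retry_after_seconds) pairs."""
    # Responses may arrive in any order, so correlate on the request id.
    by_id = {r["id"]: r for r in response.get("responses", [])}
    confirmed, retry = [], []
    for req in batch["requests"]:
        res = by_id.get(req["id"])
        if res is not None and 200 <= res["status"] < 300:
            confirmed.append(req)  # only these may produce a receipt or ledger update
        else:
            # A missing response is an unknown state: retry, never assume success.
            headers = (res or {}).get("headers", {})
            retry.append((req, float(headers.get("Retry-After", 0))))
    return confirmed, retry

def backoff_delay(attempt, retry_after=0.0, base=2.0, cap=600.0):
    """Exponential backoff (assumed policy), never shorter than the server's Retry-After."""
    return max(retry_after, min(cap, base * 2 ** attempt))

# Constructed sample: 500 revocations and a simulated reply for the first batch.
SAMPLE = [(f"group-{n % 7}", f"user-{n}") for n in range(500)]
BATCHES = build_batches(SAMPLE)
REPLY = {"responses": [{"id": str(i), "status": 204} for i in range(19, -1, -1)
                       if i not in (4, 9, 15)]
         + [{"id": "4", "status": 429, "headers": {"Retry-After": "12"}},
            {"id": "9", "status": 403}]}  # id 15 is missing on purpose
CONFIRMED, RETRY = split_results(BATCHES[0], REPLY)
```

A request whose response is absent from the reply lands in the retry list, which is what keeps the ledger limited to confirmed successes.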

What happens if a target system is unreachable?

The FulfillmentJob enters a retry queue with configurable backoff (default: 5 retries over 30 minutes). The AccessDirective remains in "pending" state with full visibility in the operations dashboard. After retry exhaustion, the job is escalated with the complete context of what was attempted and why it failed.

How does reference counting prevent over-revocation?

Each entitlement assignment in the Ledger tracks its grant sources independently. If a user has an Azure AD group membership granted by both a birthright rule and a manual request, the reference count is 2. Revoking the manual request decrements to 1 — the access remains because the birthright source is still active. Only when all sources are revoked (count reaches 0) is the actual deprovisioning executed.
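
A minimal model of the reference counting described in this answer, as an added example rather than the product's implementation. The class and method names are hypothetical; the source labels `birthright` and `request` follow the scenario above, and the identities and group name are constructed.

```python
from collections import defaultdict

class EntitlementLedger:
    """Tracks which grant sources justify each (identity, entitlement) pair."""

    def __init__(self):
        self._sources = defaultdict(set)

    def grant(self, identity, entitlement, source):
        """Record a source; return True when provisioning is needed (count 0 -> 1)."""
        held = self._sources[(identity, entitlement)]
        first = not held
        held.add(source)  # a set makes a repeated grant from one source idempotent
        return first

    def revoke(self, identity, entitlement, source):
        """Drop a source; return True only when the last one is gone (deprovision)."""
        key = (identity, entitlement)
        held = self._sources.get(key)
        if not held or source not in held:
            return False  # unknown source: no decrement, no deprovisioning
        held.discard(source)
        if held:
            return False  # another source still justifies the access
        del self._sources[key]
        return True

    def ref_count(self, identity, entitlement):
        return len(self._sources.get((identity, entitlement), ()))

def review_revocations(ledger, revocations):
    """Apply access-review revocations; return those that need a target-system call."""
    return [(i, e) for i, e, s in revocations if ledger.revoke(i, e, s)]

# Constructed sample: alice holds the group from two sources, bob from one.
LEDGER = EntitlementLedger()
LEDGER.grant("alice", "aad-group:finance", "birthright")
LEDGER.grant("alice", "aad-group:finance", "request")
LEDGER.grant("bob", "aad-group:finance", "request")
TO_DEPROVISION = review_revocations(LEDGER, [
    ("alice", "aad-group:finance", "request"),
    ("bob", "aad-group:finance", "request"),
    ("bob", "aad-group:finance", "request"),  # duplicate review item
])
```

Only bob's membership is returned for deprovisioning; alice keeps the group with a count of 1 until the birthright source is also revoked.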

Can we integrate legacy systems that only export flat files?

Yes. The flat-file connector supports CSV, JSON, YAML, and XLSX with automatic schema inference and column mapping. Files up to 50,000 rows are ingested per import. Entitlements from flat-file systems become fully governed — visible in access reviews, requestable in the catalog, and trackable in the Entitlement Ledger.

Standards & protocols

Protocols

SCIM 2.0 · MS Graph · LDAP · OAuth 2.0 · SAML · REST · Kafka

Observability

AuthZEN · OpenTelemetry · Prometheus

Compliance-ready

SOX · GDPR · HIPAA · SOC 2

Use cases

SAP GRC approval → provisioning

Manager requests Azure AD group + Salesforce permission set through SAP GRC. GRC runs risk analysis, approver grants. IGA Connectors detects within 30 seconds, provisions both systems via batched API calls, records ExecutionReceipts. Under 3 minutes.

Manager never left SAP GRC · Admin never touched a ticket

Bulk access review revocation

Quarterly review produces 500 revocations. Without IGA Connectors: 500 individual API calls (~50s, rate-limit risk). With batch: 25 $batch calls (~2s). Reference counting ensures users with entitlements from another source aren't over-revoked.

96% fewer HTTP requests · Zero over-revocation

Legacy mainframe integration

AS/400 exports nightly CSV of 12,000 role assignments. Flat-file connector ingests, maps to entitlement schema, imports to Ledger. Mainframe roles become requestable, recertifiable, and subject to the same access reviews as cloud entitlements.

No API required · Full governance loop
