Universal authorization intelligence

Trust starts with clarity.

You can't govern what you can't see. Identity Atlas turns scattered authorization data into something you can actually make sense of — giving analysts, support teams and resource owners the insight they need to understand access, identify risks and make informed decisions.

Self-hosted and open source — your identity data never leaves your environment.

Identity Atlas logo — a shield woven into a neural network
Why we built it

The data already exists. The clarity doesn't.

Sound familiar? You've invested in a capable IGA system — and your analysts still export to Excel to actually make sense of it. The data isn't missing. What's missing is a clear way to understand it.

Fragmented

Azure RBAC, Entra ID and Omada each show a different part of who has access to what — in a different place and in a different way.

Invisible

Over-privileged accounts, eligible-but-unused PIM roles and access that has never been reviewed remain hidden in the gaps between systems.

Unprovable

“Who could do what last quarter?” becomes guesswork once memberships change — because there is no reliable history of access.

The real problem

It's not about finding one needle — that's too narrow a question. It's about making sense of the whole haystack. Identity Atlas helps analysts, support teams and resource owners explore authorization data from different perspectives, discover patterns and answer the question at hand.

Why we opened it up

Fortigi is a Dutch identity and access management consultancy. While working with enterprise organizations, we kept running into the same problem: there was no single reliable answer to “who has access to what,” and no reliable history showing how that access changed over time. So we built the tool we wished we had and opened it up. Identity gets stronger when we build it together.

Make sense of the haystackRole mining and analytics — not spreadsheet archaeology.
Explore it from every angleThe perspective analysts, support teams and resource owners need to answer their questions.
Stay in controlSelf-hosted and free from vendor lock-in — your identity data never leaves.
What it is

Identity Atlas, in one view.

Identity Atlas brings authorization data from connected systems together in one model with full history. It presents this data in a visual access matrix and can assign a risk score to each identity — without identity data leaving your environment.

Unified permission model

Bring permissions from every connected system together in one PostgreSQL model — including groups, roles, application roles, SharePoint permissions and business roles — with a complete row-level audit history.

Visual access review

Explore access by user, role, resource or system. See how each permission was granted — directly, through a group, as an owner, through PIM eligibility, through governance or through an application role. Designed for the way analysts, support teams and resource owners investigate access.

Identity risk scoring

Assign a transparent risk score to each identity. The optional, privacy-preserving risk layer uses LLM assistance based only on publicly available information about the organization.

Multi-system and open

Connect out of the box to Entra ID, Azure RBAC, Omada and midPoint through dedicated crawlers. SailPoint data can be imported through CSV. Identity Atlas is MIT-licensed and runs in your own environment.

One pipeline, self-hosted end to end
Your sources
Entra ID · Azure RBAC · Omada · midPoint · SailPoint · other supported sources
Crawlers and imports
Out-of-the-box crawlers for Entra ID, Azure RBAC, Omada and midPoint. Import SailPoint and other data through CSV, or use the Ingest API.
Unified model and history
PostgreSQL 16 — every change is versioned
Access review and risk
Visual access reviews and optional identity risk scoring

Want more detail on supported systems, current-state versus target-state analysis and the risk-scoring layers? Read the full documentation ↗

How to start

Pick a release channel. Pick a way to run it.

Identity Atlas is delivered as a self-contained stack. Evaluate it in minutes, run it wherever you run containers or deploy it directly into your own Azure subscription.

Edge

The latest development build. Updated after every merge to main. Use Docker tag :edge to explore the newest changes, but expect frequent updates and incomplete features.

Beta

Pre-release builds. For testing upcoming features before they become stable. Use Docker tag :beta.

Stable

Released and tested versions. Recommended for production. Use Docker tag :latest, or pin a specific Major.Minor.Patch.0 version to control when you update.

Docker stack

The fastest way to evaluate Identity Atlas. Start the stack with Docker Compose and open localhost:3001. Run it anywhere you can host containers and load demo data without connecting a tenant.

Deploy to Azure

Deploy Identity Atlas into your own Azure subscription using managed platform services. Deployment takes approximately 15 minutes. Entra SSO is enforced and anonymous access is disabled. A proof-of-concept environment starts at approximately €45 per month.

Portable Windows launcher

Evaluate Identity Atlas on restricted Windows devices without installation, administrator rights or Docker. Run it directly from a folder for a quick and isolated evaluation.

bash — evaluate in under a minute
# Download the Compose file
curl -O https://raw.githubusercontent.com/Fortigi/IdentityAtlas/main/docker-compose.prod.yml

# Start Identity Atlas
docker compose -f docker-compose.prod.yml up -d --pull always

# Open Identity Atlas and add your first crawler
# http://localhost:3001 → Admin → Crawlers → Add Crawler

Need more detailed deployment guidance? Read the deployment documentation ↗

Why you can trust it

Built to be inspected, not taken on faith.

Identity Atlas reads authorization data and keeps it within your environment. Here is how we make that verifiable.

Your infrastructure, your cloud

Identity Atlas is self-hosted end to end and runs entirely within your environment. Deploy it in your own Azure subscription — no Identity Atlas services run on Fortigi infrastructure.

Read-only by design

Identity Atlas reads authorization data but never changes anything in your source systems.

Inspect the code — MIT licensed

The source code is open to inspect, fork, challenge and improve. You choose which version to run and when to update it.

Optional LLM assistance using public context only

LLM-assisted risk scoring is optional. When enabled, it uses only publicly available information about your organization. Identity data is never sent to the model.

Encrypted secrets

LLM keys and crawler credentials are protected with AES-256-GCM envelope encryption using a master key you control.

Authentication enabled from the first deployment

Entra SSO is enforced from the start, and anonymous access is disabled.

Extensive quality assurance

Quality controls include unit tests with Vitest and Pester, increasing code-coverage requirements, file-size and complexity limits, duplication checks, Playwright end-to-end tests and load and soak testing.

Protected software supply chain

Identity Atlas publishes an SBOM, uses Dependabot to keep dependencies current and checks new packages with Socket Firewall before they are introduced.

Built and maintained by an experienced team

Identity Atlas is developed by a team of Fortigi engineers and has evolved over an extended project history. Fortigi is an established Dutch identity and access management consultancy. See the history ↗

Open source · Self-hosted · Stronger together.

Make sense of the whole haystack.

Start the Docker stack with demo data in under a minute — no tenant required — and explore the access matrix yourself.