Identity & Access Management

Model users, roles, groups, and resources as a graph. Traverse permission chains in milliseconds. Detect privilege escalation paths before attackers do. Audit every access decision with full lineage. One database for your entire IAM infrastructure.

80% of Breaches Involve Compromised Identities

Identity is the new perimeter. In 2024, 80% of data breaches involved stolen or misused credentials, and the average cost of a breach reached $4.88 million. Yet most organizations still manage permissions in spreadsheets, LDAP trees, or relational tables that can't answer a simple question: "What can this user actually access?"

The problem isn't permissions themselves — it's the hidden paths between identities and resources. A user belongs to a group, which inherits from a role, which has access to a resource through a policy that delegates to another role. These multi-hop permission chains are invisible in relational databases because they require recursive JOINs that degrade exponentially with depth.

Graph databases model IAM the way it actually works: identities, roles, groups, policies, and resources as nodes, with permissions, memberships, and delegations as edges. Traversing a permission chain is a single query — no matter how deep.

Permission Graph

Users Groups Roles Resources Alice Engineer Bob Contractor Carol Manager Dave Analyst DevOps Group Platform Admins Deploy Role ReadOnly Role SuperAdmin Role CI/CD Pipeline Customer DB IAM Console Hidden path: Bob → Platform Admins → SuperAdmin → IAM Console 
-- Model your IAM as a graph
CREATE VERTEX TYPE Identity
CREATE VERTEX TYPE Group
CREATE VERTEX TYPE Role
CREATE VERTEX TYPE Permission
CREATE VERTEX TYPE Resource
CREATE VERTEX TYPE Policy

CREATE EDGE TYPE MEMBER_OF
CREATE EDGE TYPE HAS_ROLE
CREATE EDGE TYPE GRANTS
CREATE EDGE TYPE APPLIES_TO
CREATE EDGE TYPE INHERITS_FROM

-- What can this user actually access?
-- Traverse every possible permission path
MATCH (u:Identity {email: '[email protected]'})
      -[:MEMBER_OF*1..5]->(g:Group)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource)
RETURN res.name AS resource,
       p.action AS action,
       r.name AS via_role,
       g.name AS via_group,
       length(path) AS hops

Permissions Are Relationships — Model Them That Way

An IAM system is fundamentally a network of relationships: users belong to groups, groups inherit roles, roles grant permissions, permissions apply to resources. In a relational database, answering "what can this user actually do?" requires recursive self-joins across 4–5 tables — queries that are slow, fragile, and impossible to optimize beyond 2–3 levels of nesting.

In ArcadeDB, this is a single graph traversal. Follow the edges from a user through groups, roles, and permissions to discover every resource they can access — including indirect access inherited through nested group memberships. The query returns in milliseconds, regardless of how deep the hierarchy goes.

ArcadeDB supports Cypher (OpenCypher), SQL, and Gremlin — your security team can use SQL for compliance reports while your IAM engineers use Cypher for traversal queries, all against the same graph.

Detect Privilege Escalation Before Attackers Do

The most dangerous permissions aren't the ones you assign — they're the ones that emerge from nested group memberships, role inheritance, and transitive delegations. A contractor added to a "DevOps" group might inherit admin access to production databases through a chain of group-to-role-to-permission relationships that no one intended.

These shadow admin paths are invisible in flat permission tables but immediately visible in a graph. ArcadeDB lets you query for every identity that has a path to a sensitive resource, regardless of how many hops that path takes. Detect over-privileged accounts, unintended admin access, and lateral movement opportunities before they become breaches.

Run these queries on every permission change — in real-time, not as a quarterly audit. When a group membership changes, instantly evaluate whether it creates new paths to critical resources. 

-- Find shadow admins: users who reach
-- admin resources through nested groups
MATCH (u:Identity)
      -[:MEMBER_OF*1..6]->(g:Group)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission
        {action: 'admin'})
      -[:APPLIES_TO]->(res:Resource
        {classification: 'critical'})
WHERE u.type = 'contractor'
   OR u.type = 'service_account'
RETURN u.email, u.type,
       res.name AS critical_resource,
       length(path) AS hops,
       [n IN nodes(path) | n.name]
         AS access_chain
ORDER BY hops DESC

-- Result: every contractor and service
-- account with indirect admin access,
-- plus the exact path they take
-- SOX compliance: who accessed financial
-- systems in the last 90 days?
SELECT u.email, u.department,
       r.name AS role,
       res.name AS resource,
       al.action, al.timestamp,
       al.source_ip
FROM Identity AS u
JOIN AccessLog AS al
  ON al.identity_id = u.@rid
JOIN Resource AS res
  ON al.resource_id = res.@rid
JOIN Role AS r
  ON al.role_id = r.@rid
WHERE res.compliance_scope = 'SOX'
  AND al.timestamp > '2025-12-05'
ORDER BY al.timestamp DESC

-- Separation of duties violation:
-- users with both "approve" and "execute"
-- on the same resource
MATCH (u:Identity)
      -[:MEMBER_OF*1..5]->(g1:Group)
      -[:HAS_ROLE]->(r1:Role)
      -[:GRANTS]->(p1:Permission
        {action: 'approve'})
      -[:APPLIES_TO]->(res:Resource),
      (u)-[:MEMBER_OF*1..5]->(g2:Group)
      -[:HAS_ROLE]->(r2:Role)
      -[:GRANTS]->(p2:Permission
        {action: 'execute'})
      -[:APPLIES_TO]->(res)
RETURN u.email, res.name,
       r1.name AS approve_role,
       r2.name AS execute_role

Access Certification & Compliance Audits

Regulations like SOX, GDPR, HIPAA, and PCI-DSS require organizations to prove who has access to what, why they have it, and when they used it. With traditional systems, these audits take weeks of manual work — exporting CSVs, cross-referencing spreadsheets, and hoping nothing was missed.

ArcadeDB makes access certification a graph query. List every user with access to SOX-scoped systems, including the complete chain of groups and roles that grants that access. Detect separation of duties violations — users who can both approve and execute transactions on the same resource — with a single Cypher query.

Store access logs alongside the permission graph to answer audit questions like "who accessed this resource, through which role, and was that access still valid at the time?" Graph + relational + time-based queries in one database.

Enforce Least Privilege with Graph Analytics

Over time, permissions accumulate. Employees change teams but keep old access. Service accounts created for one-off migrations become permanent. Groups acquire roles no one remembers adding. The result: permission sprawl — the #1 vector for privilege escalation.

ArcadeDB's graph model makes it easy to identify over-permissioned identities. Count the number of critical resources each identity can reach. Compare active usage (from access logs) against granted permissions to find dormant access — permissions that exist but haven't been used in months. Flag accounts with unusually high permission counts relative to their role.

Combine graph traversals with time-series analysis on access logs to track permission growth over time. Detect drift: when an identity's effective permissions diverge from its intended baseline. Set alerts when the number of paths to critical resources exceeds a threshold. 

-- Find over-permissioned identities:
-- users with access to more critical
-- resources than their peers
MATCH (u:Identity)
      -[:MEMBER_OF*1..5]->(g:Group)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource
        {classification: 'critical'})
WITH u,
     count(DISTINCT res) AS critical_count,
     collect(DISTINCT res.name)
       AS resources
WHERE critical_count > 10
RETURN u.email, u.department, u.type,
       critical_count, resources
ORDER BY critical_count DESC

-- Dormant access: permissions granted but
-- never used in the last 90 days
SELECT u.email, p.action, res.name
FROM Identity AS u
MATCH (u)-[:MEMBER_OF*1..5]->(g:Group)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource)
WHERE NOT EXISTS (
  SELECT 1 FROM AccessLog
  WHERE identity_id = u.@rid
    AND resource_id = res.@rid
    AND timestamp > '2025-12-05'
)
-- Breach simulation: if this account is
-- compromised, what can the attacker reach?
MATCH (u:Identity
        {email: '[email protected]'})
      -[:MEMBER_OF|HAS_ROLE|GRANTS
        |APPLIES_TO|INHERITS_FROM
        *1..8]->(target)
WHERE target:Resource
RETURN target.name,
       target.classification,
       target.data_sensitivity,
       length(path) AS distance
ORDER BY target.classification DESC,
         distance ASC

-- What-if: if we remove this group,
-- who loses access to what?
MATCH (u:Identity)
      -[:MEMBER_OF*1..5]->(target:Group
        {name: 'Platform-Admins'})
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource)
RETURN u.email, r.name AS role,
       res.name AS resource,
       p.action,
       count(*) AS affected_paths

Impact Analysis: Simulate Before You Change

Every IAM change carries risk. Remove a group and you might break a critical service. Add a role and you might create an unintended escalation path. Traditional IAM tools can't answer "what happens if?" questions because they lack the relational context.

ArcadeDB's graph traversals make impact analysis trivial. Before removing a group, query for every user who would lose access and every resource that would become unreachable. Before granting a new role, check whether it creates paths to sensitive resources that didn't exist before.

Run breach simulations: if a specific service account is compromised, how far can an attacker reach through the permission graph? Which resources are within 1 hop, 2 hops, 8 hops? This is the graph-native equivalent of red team exercises — without the cost.

Behavioral Anomaly Detection with Vectors

Not every threat comes from over-privileged accounts. Sometimes a legitimate user's credentials are stolen and used in unexpected ways. Traditional rule-based systems miss these attacks because the actions are technically authorized — they just don't match the user's normal behavior.

ArcadeDB's native JVector engine stores behavioral embeddings that capture each identity's access patterns: what they access, when, from where, and how frequently. When an access request deviates significantly from the user's normal profile, a nearest-neighbor search flags it as anomalous — even if the user has the required permissions.

Combine behavioral vectors with graph context: an anomalous access from a user who is 5 hops away from admin resources is more dangerous than one from a user with no escalation paths. Multi-model analysis catches threats that single-model systems miss. 

-- Store behavioral access embeddings
CREATE PROPERTY Identity.access_pattern_vec
  VECTOR(384)
CREATE INDEX ON Identity (access_pattern_vec)
  TYPE HNSW SIMILARITY cosine

-- Detect anomalous access: compare current
-- session behavior to user's baseline
SELECT u.email, u.department,
       vectorDistance(u.access_pattern_vec,
         :currentSessionVec) AS deviation
FROM Identity AS u
WHERE u.email = '[email protected]'
  AND vectorDistance(u.access_pattern_vec,
    :currentSessionVec) > 0.7

-- Find identities with similar access
-- patterns (potential role consolidation)
SELECT u.email, u.department, u.title,
       vectorDistance(u.access_pattern_vec,
         :targetVec) AS similarity
FROM Identity AS u
WHERE u.access_pattern_vec NEAR
  :targetVec
  AND u.department = 'Engineering'
LIMIT 20

IAM Applications by Model

Identity and access management generates data in every model: permission hierarchies (graph), access logs over time (time series), behavioral profiles (vectors), policies and compliance docs (documents + full-text). ArcadeDB handles all of them natively.

Application Graph Time Series Vectors Full-Text
Permission Resolution User → group → role → resource
Privilege Escalation Multi-hop path detection Permission change tracking
Compliance Audits Access chain lineage Access log timeline Policy document search
Anomaly Detection Escalation path context Access frequency trends Behavioral embeddings
Least Privilege Effective vs. needed access Usage frequency analysis Role similarity matching
Breach Simulation Blast radius traversal Historical breach patterns Attack vector similarity
Separation of Duties Conflicting permission paths Regulation clause search
Role Mining Common permission patterns Usage pattern analysis Access profile clustering

Why ArcadeDB for IAM

IAM requires traversing permission hierarchies (graph), monitoring access patterns over time (time series), detecting behavioral anomalies (vectors), and searching policies and regulations (full-text). Most solutions require 3–4 separate systems. ArcadeDB is one.

Capability ArcadeDB Neo4j Memgraph Amazon Neptune
Graph Traversal ✓ SQL + Cypher + Gremlin ✓ Cypher ✓ Cypher ✓ Gremlin + SPARQL
Native Time Series ✓ Full engine + Grafana
Native Vector Search ✓ JVector (HNSW + DiskANN) ✓ Vector index ✓ Neptune Analytics
Native Full-Text Search ✓ Built-in ✓ Lucene-based ✓ OpenSearch integration
Permission Path Queries ✓ Variable-length traversal ✓ Variable-length paths ✓ BFS/DFS traversal ✓ Gremlin repeat steps
Access Log Analytics ✓ Time series + SQL ○ Property queries only ○ Kafka stream triggers ○ External analytics
Deployment Anywhere (self-hosted) AuraDB or self-hosted Cloud or self-hosted AWS only
License Apache 2.0 (forever) GPL / Commercial BSL / Enterprise Proprietary (AWS)

Open Source. Apache 2.0. Forever.

Your identity data is the keys to your kingdom. You should own the infrastructure that protects it — the data, the database, and the freedom to deploy on-premises, in your private cloud, or air-gapped. ArcadeDB is licensed under Apache 2.0, and we've made a public commitment: we will never change it.

No surprise license switches. No cloud-only features. No vendor lock-in. Read our commitment →

Enterprise Deployment Success

"We migrated our IAM authorization layer from a relational system to ArcadeDB's graph model. Permission resolution queries that took 800ms with recursive SQL now complete in under 5ms. More importantly, we discovered 47 shadow admin paths that our existing tools had missed — including 3 contractor accounts with indirect access to production databases through nested group memberships."

— Director of Identity Security, Fortune 500 Financial Services
(Details limited by confidentiality agreement)

Impact Metrics:

  • 160x faster permission resolution (800ms → 5ms)
  • 47 shadow admin paths detected and remediated
  • Compliance audit preparation reduced from 3 weeks to 2 hours
  • 250,000 identities with 1.2 million permission relationships mapped
  • 3 separate systems (graph DB + SIEM + policy engine) replaced by 1

Industries Using IAM Graphs

  • Financial Services: SOX compliance, trading system access control, fraud-linked IAM
  • Healthcare: HIPAA access audits, patient data authorization, role-based clinical access
  • Government & Defense: Clearance management, compartmented access, need-to-know enforcement
  • Technology: Cloud infrastructure permissions, API gateway authorization, DevOps access governance
  • Telecommunications: Network element access, subscriber data protection, regulatory compliance
  • Energy & Utilities: SCADA system access, NERC CIP compliance, operational technology security
  • Retail & E-commerce: PCI-DSS compliance, multi-tenant access, customer data protection
  • Manufacturing: OT/IT convergence access control, supply chain partner access, ISO 27001

Ready to Secure Your Identity Infrastructure?

Model permissions as a graph, detect escalation paths in milliseconds, audit access with full lineage, and detect behavioral anomalies with vectors — all in a single Apache 2.0 database. No integration headaches. No vendor lock-in.

Get Started Read Documentation