Identity & Access Management with ArcadeDB

80% of Breaches Involve Compromised Identities

Identity is the new perimeter. In 2024, 80% of data breaches involved stolen or misused credentials, and the average cost of a breach reached $4.88 million. Yet most organizations still manage permissions in spreadsheets, LDAP trees, or relational tables that can't answer a simple question: "What can this user actually access?"

The problem isn't permissions themselves — it's the hidden paths between identities and resources. A user belongs to a group, which inherits from a role, which has access to a resource through a policy that delegates to another role. These multi-hop permission chains are invisible in relational databases because they require recursive JOINs that degrade exponentially with depth.

Graph databases model IAM the way it actually works: identities, roles, groups, policies, and resources as nodes, with permissions, memberships, and delegations as edges. Traversing a permission chain is a single query — no matter how deep.

Permission Graph

-- Model your IAM as a graph
CREATE VERTEX TYPE Identity
CREATE VERTEX TYPE `Group`
CREATE VERTEX TYPE Role
CREATE VERTEX TYPE Permission
CREATE VERTEX TYPE Resource
CREATE VERTEX TYPE Policy

CREATE EDGE TYPE MEMBER_OF
CREATE EDGE TYPE HAS_ROLE
CREATE EDGE TYPE GRANTS
CREATE EDGE TYPE APPLIES_TO
CREATE EDGE TYPE GOVERNED_BY

-- What can this user actually access?
-- Traverse every possible permission path
MATCH (u:Identity {email: '[email protected]'})
      -[:MEMBER_OF*1..3]->(g:`Group`)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource)
RETURN res.name AS resource,
       p.action AS action,
       r.name AS via_role,
       g.name AS via_group
ORDER BY resource, action

Permissions Are Relationships — Model Them That Way

An IAM system is fundamentally a network of relationships: users belong to groups, groups inherit roles, roles grant permissions, permissions apply to resources. In a relational database, answering "what can this user actually do?" requires recursive self-joins across 4–5 tables — queries that are slow, fragile, and impossible to optimize beyond 2–3 levels of nesting.

In ArcadeDB, this is a single graph traversal. Follow the edges from a user through groups, roles, and permissions to discover every resource they can access — including indirect access inherited through nested group memberships. The query returns in milliseconds, regardless of how deep the hierarchy goes.

ArcadeDB supports Cypher (OpenCypher), SQL, and Gremlin — your security team can use SQL for compliance reports while your IAM engineers use Cypher for traversal queries, all against the same graph.

Detect Privilege Escalation Before Attackers Do

The most dangerous permissions aren't the ones you assign — they're the ones that emerge from nested group memberships, role inheritance, and transitive delegations. A contractor added to a "DevOps" group might inherit admin access to production databases through a chain of group-to-role-to-permission relationships that no one intended.

These shadow admin paths are invisible in flat permission tables but immediately visible in a graph. ArcadeDB lets you query for every identity that has a path to a sensitive resource, regardless of how many hops that path takes. Detect over-privileged accounts, unintended admin access, and lateral movement opportunities before they become breaches.

Run these queries on every permission change — in real-time, not as a quarterly audit. When a group membership changes, instantly evaluate whether it creates new paths to critical resources.

-- Find shadow admins: contractors and
-- service accounts with admin access
-- to critical resources
MATCH (u:Identity)
      -[:MEMBER_OF*1..5]->(g:`Group`)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission
        {action: 'admin'})
      -[:APPLIES_TO]->(res:Resource
        {classification: 'critical'})
WHERE u.identityType IN
  ['contractor', 'service_account']
RETURN u.email AS identity,
       u.identityType AS identity_type,
       res.name AS critical_resource,
       r.name AS via_role
ORDER BY identity

-- SOX compliance: find governed resources
-- then query access logs
MATCH (res:Resource)
      -[:GOVERNED_BY]->(pol:Policy
        {name: 'SOX-Compliance'})
RETURN res.name AS resource,
       pol.name AS policy

-- Access logs for SOX-scoped resources
SELECT identityEmail, action,
       resourceName, recordedAt, source_ip
FROM AccessLog
WHERE resourceName IN
  ['Financial-DB', 'Trading-System']
  AND recordedAt > '2025-12-01'
ORDER BY recordedAt DESC

-- Separation of duties: users with both
-- "approve" and "execute" permissions
MATCH (u:Identity)
      -[:MEMBER_OF*1..3]->(g:`Group`)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission
        {action: 'approve'})
      -[:APPLIES_TO]->(res:Resource)
RETURN u.email AS identity,
       res.name AS resource,
       r.name AS role

Access Certification & Compliance Audits

Regulations like SOX, GDPR, HIPAA, and PCI-DSS require organizations to prove who has access to what, why they have it, and when they used it. With traditional systems, these audits take weeks of manual work — exporting CSVs, cross-referencing spreadsheets, and hoping nothing was missed.

ArcadeDB makes access certification a graph query. List every user with access to SOX-scoped systems, including the complete chain of groups and roles that grants that access. Detect separation of duties violations — users who can both approve and execute transactions on the same resource — with a single Cypher query.

Store access logs alongside the permission graph to answer audit questions like "who accessed this resource, through which role, and was that access still valid at the time?" Graph + relational + time-based queries in one database.

Enforce Least Privilege with Graph Analytics

Over time, permissions accumulate. Employees change teams but keep old access. Service accounts created for one-off migrations become permanent. Groups acquire roles no one remembers adding. The result: permission sprawl — the #1 vector for privilege escalation.

ArcadeDB's graph model makes it easy to identify over-permissioned identities. Count the number of critical resources each identity can reach. Compare active usage (from access logs) against granted permissions to find dormant access — permissions that exist but haven't been used in months. Flag accounts with unusually high permission counts relative to their role.

Combine graph traversals with time-series analysis on access logs to track permission growth over time. Detect drift: when an identity's effective permissions diverge from its intended baseline. Set alerts when the number of paths to critical resources exceeds a threshold.

-- Find all granted permissions per identity
MATCH (u:Identity)
      -[:MEMBER_OF*1..3]->(g:`Group`)
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource)
RETURN DISTINCT
       u.email AS identity,
       res.name AS resource
ORDER BY identity

-- Dormant access: identities with no
-- activity in the last 90 days
SELECT DISTINCT identityEmail
FROM AccessLog
WHERE recordedAt > '2025-12-06'
ORDER BY identityEmail

-- Compare: identities with permissions
-- but missing from recent access logs
-- are candidates for access revocation

-- What-if: if we remove Platform-Admins,
-- what permissions are lost?
MATCH (g:`Group`
        {name: 'Platform-Admins'})
      -[:HAS_ROLE]->(r:Role)
      -[:GRANTS]->(p:Permission)
      -[:APPLIES_TO]->(res:Resource)
RETURN r.name AS role,
       p.action AS action,
       res.name AS resource
ORDER BY resource

-- Who is affected? Members of
-- Platform-Admins (direct or transitive)
MATCH (member:Identity)
      -[:MEMBER_OF*1..3]->(g:`Group`
        {name: 'Platform-Admins'})
RETURN DISTINCT
       member.email AS identity
ORDER BY identity

Impact Analysis: Simulate Before You Change

Every IAM change carries risk. Remove a group and you might break a critical service. Add a role and you might create an unintended escalation path. Traditional IAM tools can't answer "what happens if?" questions because they lack the relational context.

ArcadeDB's graph traversals make impact analysis trivial. Before removing a group, query for every user who would lose access and every resource that would become unreachable. Before granting a new role, check whether it creates paths to sensitive resources that didn't exist before.

Run breach simulations: if a specific service account is compromised, how far can an attacker reach through the permission graph? Which resources are within 1 hop, 2 hops, 8 hops? This is the graph-native equivalent of red team exercises — without the cost.

Behavioral Anomaly Detection with Vectors

Not every threat comes from over-privileged accounts. Sometimes a legitimate user's credentials are stolen and used in unexpected ways. Traditional rule-based systems miss these attacks because the actions are technically authorized — they just don't match the user's normal behavior.

ArcadeDB's native JVector engine stores behavioral embeddings that capture each identity's access patterns: what they access, when, from where, and how frequently. When an access request deviates significantly from the user's normal profile, a nearest-neighbor search flags it as anomalous — even if the user has the required permissions.

Combine behavioral vectors with graph context: an anomalous access from a user who is 5 hops away from admin resources is more dangerous than one from a user with no escalation paths. Multi-model analysis catches threats that single-model systems miss.

-- Store behavioral access embeddings
CREATE PROPERTY Identity.access_pattern_vec
  LIST
CREATE INDEX ON Identity
  (access_pattern_vec) LSM_VECTOR
  METADATA { dimensions: 8,
    similarity: 'COSINE' }

-- Rank employees by how similar their
-- access pattern is to a baseline
SELECT email, department, identityType
FROM Identity
WHERE identityType = 'employee'
ORDER BY vectorNeighbors(
  'Identity[access_pattern_vec]',
  [0.5, 0.5, 0.3, 0.1,
   0.2, 0.1, 0.1, 0.1], 10
) DESC
LIMIT 10

IAM Applications by Model

Identity and access management generates data in every model: permission hierarchies (graph), access logs over time (time series), behavioral profiles (vectors), policies and compliance docs (documents + full-text). ArcadeDB handles all of them natively.

Application	Graph	Time Series	Vectors	Full-Text
Permission Resolution	User → group → role → resource	—	—	—
Privilege Escalation	Multi-hop path detection	Permission change tracking	—	—
Compliance Audits	Access chain lineage	Access log timeline	—	Policy document search
Anomaly Detection	Escalation path context	Access frequency trends	Behavioral embeddings	—
Least Privilege	Effective vs. needed access	Usage frequency analysis	Role similarity matching	—
Breach Simulation	Blast radius traversal	Historical breach patterns	Attack vector similarity	—
Separation of Duties	Conflicting permission paths	—	—	Regulation clause search
Role Mining	Common permission patterns	Usage pattern analysis	Access profile clustering	—

Why ArcadeDB for IAM

IAM requires traversing permission hierarchies (graph), monitoring access patterns over time (time series), detecting behavioral anomalies (vectors), and searching policies and regulations (full-text). Most solutions require 3–4 separate systems. ArcadeDB is one.

Capability	ArcadeDB	Neo4j	Memgraph	Amazon Neptune
Graph Traversal	✓ SQL + Cypher + Gremlin	✓ Cypher	✓ Cypher	✓ Gremlin + SPARQL
Native Time Series	✓ Full engine + Grafana	✗	✗	✗
Native Vector Search	✓ JVector (HNSW + DiskANN)	✓ Vector index	✗	✓ Neptune Analytics
Native Full-Text Search	✓ Built-in	✓ Lucene-based	✗	✓ OpenSearch integration
Permission Path Queries	✓ Variable-length traversal	✓ Variable-length paths	✓ BFS/DFS traversal	✓ Gremlin repeat steps
Access Log Analytics	✓ Time series + SQL	○ Property queries only	○ Kafka stream triggers	○ External analytics
Deployment	Anywhere (self-hosted)	AuraDB or self-hosted	Cloud or self-hosted	AWS only
License	Apache 2.0 (forever)	GPL / Commercial	BSL / Enterprise	Proprietary (AWS)

Open Source. Apache 2.0. Forever.

Your identity data is the keys to your kingdom. You should own the infrastructure that protects it — the data, the database, and the freedom to deploy on-premises, in your private cloud, or air-gapped. ArcadeDB is licensed under Apache 2.0, and we've made a public commitment: we will never change it.

No surprise license switches. No cloud-only features. No vendor lock-in. Read our commitment →

Enterprise Deployment Success

"We migrated our IAM authorization layer from a relational system to ArcadeDB's graph model. Permission resolution queries that took 800ms with recursive SQL now complete in under 5ms. More importantly, we discovered 47 shadow admin paths that our existing tools had missed — including 3 contractor accounts with indirect access to production databases through nested group memberships."

— Director of Identity Security, Fortune 500 Financial Services
(Details limited by confidentiality agreement)

Impact Metrics:

160x faster permission resolution (800ms → 5ms)
47 shadow admin paths detected and remediated
Compliance audit preparation reduced from 3 weeks to 2 hours
250,000 identities with 1.2 million permission relationships mapped
3 separate systems (graph DB + SIEM + policy engine) replaced by 1

Industries Using IAM Graphs

Financial Services: SOX compliance, trading system access control, fraud-linked IAM
Healthcare: HIPAA access audits, patient data authorization, role-based clinical access
Government & Defense: Clearance management, compartmented access, need-to-know enforcement
Technology: Cloud infrastructure permissions, API gateway authorization, DevOps access governance
Telecommunications: Network element access, subscriber data protection, regulatory compliance
Energy & Utilities: SCADA system access, NERC CIP compliance, operational technology security
Retail & E-commerce: PCI-DSS compliance, multi-tenant access, customer data protection
Manufacturing: OT/IT convergence access control, supply chain partner access, ISO 27001

Identity & Access Management