Enterprise IAM-aware debugger: trace 403/401 failures through Okta, Active Directory, Ping Identity, and Azure AD — find the exact missing permission or policy block

Project description

oneport-debug-iam

Enterprise IAM-aware authorization debugger. When a user or service gets a 403/401, this traces the failure through your identity provider (Okta, Active Directory, Azure AD) and re-evaluates the application's RBAC policy locally — then tells you the exact missing group, scope, or blocking rule, and how to fix it.

Claude Code and Copilot run with your local privileges and have zero concept of corporate RBAC. This tool understands the permission matrix.

Try it in 60 seconds (no Okta, no API key)

pip install oneport-debug-iam
oneport-iam demo

The demo runs the real RBAC engine on a bundled 403: an engineer is denied POST /api/v1/payments/charge. You'll see their Okta groups/scopes, the authorization decision, the exact missing group and scope, the policy rule that governs the endpoint, and a root-cause analysis.

✖ DENY
Missing group(s):  payments-admin
Missing scope(s):  payments:write

Add --format json for machine-readable output (Jira/SIEM/access-review pipelines).

Use it on your own identities

export OKTA_ORG_URL=https://corp.okta.com
export OKTA_API_TOKEN=…

oneport-iam trace \
  --user jsmith@corp.com \
  --app payment-service \
  --action POST \
  --resource /api/v1/payments/charge \
  --policy rbac.yaml

Other commands:

# Who can do this? (blast-radius / access review)
oneport-iam who-can --resource /api/v1/admin/users --action DELETE --policy rbac.yaml

# Decode a token and evaluate what it's actually authorized to do
oneport-iam inspect-token --token eyJhbGci... --policy rbac.yaml --resource /api/v1/payments/charge --action POST

RBAC policy format

rules:
  - id: allow-charge
    effect: allow                       # allow | deny (deny wins)
    groups: [payments-admin]            # OR within the list
    scopes: [payments:write]            # OAuth scopes (OR); also accepts scope: entries in groups
    resources: ["/api/v1/payments/*"]   # glob
    actions: [POST]
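
The following is an added worked example for this page, not code from oneport-debug-iam itself: a small local evaluator that implements the semantics the policy format above states (deny wins, entries within a groups or scopes list are OR'd, resources are globs, actions match exactly) and reports the missing group and scope the way the demo output does. It also answers the who-can (blast-radius) question from the command list above. The policy's second and third rules, the principal directory, and the fnmatch glob dialect are assumptions made for the example; the page does not say which glob dialect the tool uses.

```python
"""Local RBAC evaluator modelled on the rbac.yaml semantics described above.

Added example for this page; not the oneport-debug-iam implementation.
Assumptions: deny wins over allow, entries within groups/scopes are OR'd,
resources are fnmatch-style globs (dialect assumed), actions match exactly.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample policy. The first rule mirrors the page's example; the
# other two are hypothetical, added to show OR-within-list and deny-wins.
POLICY = {
    "rules": [
        {"id": "allow-charge", "effect": "allow",
         "groups": ["payments-admin"], "scopes": ["payments:write"],
         "resources": ["/api/v1/payments/*"], "actions": ["POST"]},
        {"id": "allow-read", "effect": "allow",
         "groups": ["engineering", "payments-admin"], "scopes": ["payments:read"],
         "resources": ["/api/v1/payments/*"], "actions": ["GET"]},
        {"id": "deny-contractors", "effect": "deny",
         "groups": ["contractors"],
         "resources": ["/api/v1/*"], "actions": ["POST", "DELETE"]},
    ]
}

# Constructed principal directory: name -> (groups, scopes), standing in for
# what the tool would fetch from Okta / AD.
PRINCIPALS: Dict[str, Tuple[List[str], List[str]]] = {
    "jsmith":    (["engineering"], ["payments:read"]),
    "pay-admin": (["payments-admin"], ["payments:read", "payments:write"]),
    "ctr-bob":   (["contractors", "payments-admin"], ["payments:write"]),
}


@dataclass
class Decision:
    effect: str                          # "ALLOW" or "DENY"
    matched_rule: Optional[str] = None   # rule that produced the decision
    missing_groups: List[str] = field(default_factory=list)
    missing_scopes: List[str] = field(default_factory=list)
    blocking_rule: Optional[str] = None  # set when an explicit deny fired


def _targets(rule: dict, resource: str, action: str) -> bool:
    """Does this rule govern the (resource, action) pair at all?"""
    return action in rule.get("actions", []) and any(
        fnmatchcase(resource, pat) for pat in rule.get("resources", []))


def _satisfied(rule: dict, groups: List[str], scopes: List[str]) -> Tuple[bool, bool]:
    """(group_ok, scope_ok): an empty requirement list is satisfied, otherwise OR."""
    need_g, need_s = rule.get("groups", []), rule.get("scopes", [])
    return (not need_g or bool(set(need_g) & set(groups)),
            not need_s or bool(set(need_s) & set(scopes)))


def evaluate(policy: dict, groups: List[str], scopes: List[str],
             resource: str, action: str) -> Decision:
    governing = [r for r in policy["rules"] if _targets(r, resource, action)]
    # 1. Deny wins: a matching deny that the principal satisfies blocks outright.
    for r in governing:
        if r["effect"] == "deny" and all(_satisfied(r, groups, scopes)):
            return Decision("DENY", r["id"], blocking_rule=r["id"])
    # 2. Any satisfied allow grants.
    for r in governing:
        if r["effect"] == "allow" and all(_satisfied(r, groups, scopes)):
            return Decision("ALLOW", r["id"])
    # 3. Default deny: report what the governing allow rules would have needed.
    d = Decision("DENY")
    for r in governing:
        if r["effect"] != "allow":
            continue
        g_ok, s_ok = _satisfied(r, groups, scopes)
        if not g_ok:
            d.missing_groups += [g for g in r["groups"] if g not in d.missing_groups]
        if not s_ok:
            d.missing_scopes += [s for s in r["scopes"] if s not in d.missing_scopes]
    return d


def who_can(policy: dict, principals: Dict[str, Tuple[List[str], List[str]]],
            resource: str, action: str) -> List[str]:
    """Blast-radius query: every principal the policy allows for resource/action."""
    return sorted(name for name, (g, s) in principals.items()
                  if evaluate(policy, g, s, resource, action).effect == "ALLOW")


def render(d: Decision) -> str:
    """Plain-text report in the style of the demo output."""
    lines = ["✔ ALLOW" if d.effect == "ALLOW" else "✖ DENY"]
    if d.effect == "ALLOW" and d.matched_rule:
        lines.append(f"Rule:              {d.matched_rule}")
    if d.blocking_rule:
        lines.append(f"Blocking rule:     {d.blocking_rule}")
    if d.missing_groups:
        lines.append("Missing group(s):  " + ", ".join(d.missing_groups))
    if d.missing_scopes:
        lines.append("Missing scope(s):  " + ", ".join(d.missing_scopes))
    return "\n".join(lines)


if __name__ == "__main__":
    g, s = PRINCIPALS["jsmith"]
    print(render(evaluate(POLICY, g, s, "/api/v1/payments/charge", "POST")))
    print("who-can POST /api/v1/payments/charge:",
          who_can(POLICY, PRINCIPALS, "/api/v1/payments/charge", "POST"))
```

Running it reproduces the demo's report for jsmith (missing payments-admin and payments:write), and shows why deny-wins matters for access reviews: ctr-bob holds payments-admin and payments:write, yet who-can does not list him because the contractors deny rule fires first. Only rules that actually govern the resource and action contribute to the "missing" lists, so a request to a path no rule covers is denied without naming a fix.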

Environment variables

Provider            Variables
Okta                OKTA_ORG_URL, OKTA_API_TOKEN
Active Directory    AD_SERVER, AD_BASE_DN, AD_BIND_USER, AD_BIND_PASSWORD (needs the ad extra)

A provider that isn't configured is skipped; one that fails is logged but doesn't abort the trace (Okta up + AD down still yields a partial analysis).

Optional dependencies

pip install 'oneport-debug-iam[ad]'      # Active Directory (LDAP) support
pip install 'oneport-debug-iam[azure]'   # Azure AD / Entra ID

The default install is httpx-based (Okta + RBAC) and pulls no LDAP/Azure stack.

Air-gapped / on-prem AI

Set ONEPORT_MODE=local to run the AI analysis against a local model (Ollama / vLLM) — no data leaves your network. See oneport-debug-local.

Notes

  • On Git Bash (Windows), a --resource /api/... argument may get path-mangled by MSYS. Prefix with // or run MSYS_NO_PATHCONV=1 oneport-iam .... PowerShell, cmd, and Linux/macOS shells are unaffected.

License

Apache-2.0

Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

oneport_debug_iam-0.1.0-py3-none-any.whl (20.6 kB)

Uploaded Python 3

File details

Details for the file oneport_debug_iam-0.1.0-py3-none-any.whl.

File hashes

Hashes for oneport_debug_iam-0.1.0-py3-none-any.whl

Algorithm     Hash digest
SHA256        a0597f64162f02d2ea9a663d7cfd54d8efc50b61670ed19eb82fb2b47fc44ca9
MD5           3b60b084780e0e39eeba28a943719ece
BLAKE2b-256   c86fb478e1200466b8d540786df9dbc55bed54f0e896d8cbf7d62a79fa3fa7d9
