Enterprise IAM-aware debugger: trace 403/401 failures through Okta, Active Directory, Ping Identity, and Azure AD — find the exact missing permission or policy block
Project description
oneport-debug-iam
Enterprise IAM-aware authorization debugger. When a user or service gets a
403/401, this traces the failure through your identity provider (Okta,
Active Directory, Azure AD) and re-evaluates the application's RBAC policy
locally — then tells you the exact missing group, scope, or blocking rule, and
how to fix it.
Claude Code and Copilot run with your local privileges and have zero concept of corporate RBAC. This tool understands the permission matrix.
Try it in 60 seconds (no Okta, no API key)
```shell
pip install oneport-debug-iam
oneport-iam demo
```
The demo runs the real RBAC engine on a bundled 403: an engineer is denied
POST /api/v1/payments/charge. You'll see their Okta groups/scopes, the
authorization decision, the exact missing group and scope, the policy rule
that governs the endpoint, and a root-cause analysis.
```text
✖ DENY
Missing group(s): payments-admin
Missing scope(s): payments:write
```
Add --format json for machine-readable output (Jira/SIEM/access-review pipelines).
Use it on your own identities
```shell
export OKTA_ORG_URL=https://corp.okta.com
export OKTA_API_TOKEN=…
oneport-iam trace \
  --user jsmith@corp.com \
  --app payment-service \
  --action POST \
  --resource /api/v1/payments/charge \
  --policy rbac.yaml
```
Other commands:
```shell
# Who can do this? (blast-radius / access review)
oneport-iam who-can --resource /api/v1/admin/users --action DELETE --policy rbac.yaml

# Decode a token and evaluate what it's actually authorized to do
oneport-iam inspect-token --token eyJhbGci... --policy rbac.yaml --resource /api/v1/payments/charge --action POST
```
RBAC policy format
```yaml
rules:
  - id: allow-charge
    effect: allow                        # allow | deny (deny wins)
    groups: [payments-admin]             # OR within the list
    scopes: [payments:write]             # OAuth scopes (OR); also accepts scope: entries in groups
    resources: ["/api/v1/payments/*"]    # glob
    actions: [POST]
```
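As an added illustration, not the package's own RBAC engine, here is a minimal evaluator for the semantics the policy format above spells out: deny wins, OR within the groups list and within the scopes list, glob-matched resources, exact action match. It takes the policy as the dict the YAML above parses to (with a hypothetical `deny-contractors` rule added to exercise deny-wins) and reports the missing groups and scopes the way the demo output does.

```python
import fnmatch

# Constructed policy dict: the structure the rbac.yaml above parses to,
# plus a hypothetical deny rule to exercise "deny wins".
POLICY = {"rules": [
    {"id": "allow-charge", "effect": "allow",
     "groups": ["payments-admin"], "scopes": ["payments:write"],
     "resources": ["/api/v1/payments/*"], "actions": ["POST"]},
    {"id": "deny-contractors", "effect": "deny", "groups": ["contractors"],
     "resources": ["/api/v1/payments/*"], "actions": ["POST"]},
]}

def targets(rule, resource, action):
    """A rule applies when a resource glob matches and the action is listed."""
    globs = rule.get("resources", [])
    return action in rule.get("actions", []) and any(
        fnmatch.fnmatchcase(resource, g) for g in globs)

def unmet(rule, groups, scopes):
    """Return (missing_groups, missing_scopes). Each list is OR'd: any one
    member satisfies it, and the whole list is reported when none is present."""
    want_g, want_s = rule.get("groups", []), rule.get("scopes", [])
    missing_g = [] if not want_g or set(want_g) & set(groups) else list(want_g)
    missing_s = [] if not want_s or set(want_s) & set(scopes) else list(want_s)
    return missing_g, missing_s

def evaluate(policy, groups, scopes, resource, action):
    """Return (decision, missing_groups, missing_scopes, rule_id).
    Deny wins: a deny rule whose principal conditions match overrides any allow."""
    applicable = [r for r in policy["rules"] if targets(r, resource, action)]
    for r in applicable:
        if r["effect"] == "deny" and unmet(r, groups, scopes) == ([], []):
            return "DENY", [], [], r["id"]
    allows = [r for r in applicable if r["effect"] == "allow"]
    for r in allows:
        if unmet(r, groups, scopes) == ([], []):
            return "ALLOW", [], [], r["id"]
    if not allows:                       # no rule grants this endpoint at all
        return "DENY", [], [], None
    mg, ms = unmet(allows[0], groups, scopes)  # what the first allow would need
    return "DENY", mg, ms, allows[0]["id"]

if __name__ == "__main__":
    # The bundled demo scenario: an engineer holding only a read scope.
    print(evaluate(POLICY, ["engineering"], ["payments:read"],
                   "/api/v1/payments/charge", "POST"))
    # → ('DENY', ['payments-admin'], ['payments:write'], 'allow-charge')
```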
Environment variables
| Provider | Variables |
|---|---|
| Okta | OKTA_ORG_URL, OKTA_API_TOKEN |
| Active Directory | AD_SERVER, AD_BASE_DN, AD_BIND_USER, AD_BIND_PASSWORD (needs the `ad` extra) |
A provider that isn't configured is skipped; one that fails is logged but doesn't abort the trace (Okta up + AD down still yields a partial analysis).
Optional dependencies
```shell
pip install 'oneport-debug-iam[ad]'     # Active Directory (LDAP) support
pip install 'oneport-debug-iam[azure]'  # Azure AD / Entra ID
```
The default install is httpx-based (Okta + RBAC) and pulls no LDAP/Azure stack.
Air-gapped / on-prem AI
Set ONEPORT_MODE=local to run the AI analysis against a local model (Ollama /
vLLM) — no data leaves your network. See oneport-debug-local.
Notes
- On Git Bash (Windows), a `--resource /api/...` argument may get path-mangled by MSYS. Prefix it with `//` or run `MSYS_NO_PATHCONV=1 oneport-iam ...`. PowerShell, cmd, and Linux/macOS shells are unaffected.
License
Apache-2.0
File details
Details for the file oneport_debug_iam-0.1.0-py3-none-any.whl.
File metadata
- Download URL: oneport_debug_iam-0.1.0-py3-none-any.whl
- Size: 20.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a0597f64162f02d2ea9a663d7cfd54d8efc50b61670ed19eb82fb2b47fc44ca9 |
| MD5 | 3b60b084780e0e39eeba28a943719ece |
| BLAKE2b-256 | c86fb478e1200466b8d540786df9dbc55bed54f0e896d8cbf7d62a79fa3fa7d9 |