Request passes policy checks and can enter the approval workflow.
Interactive proof
IAM Access Workflow Simulator
A browser-based proof artifact for secure access request lifecycles: policy validation, approval state, auditability, guardrails, and a Microsoft Graph-style execution boundary.
Demo
Request, validate, approve, and execute access changes.
Request
DraftAccess request
Policy
EligibleDecision trace
- Requester
- Cybersecurity · employee
- Resource
- privileged · entra-group
- Role risk
- medium
Identity Governance Access Package is privileged; resource owner approval is required.
High-risk or privileged access requires cybersecurity review.
Required approvalsManager, Resource owner, Cybersecurity
Pending: Manager, Resource owner, Cybersecurity
Traceability
1 eventsAudit log
- draft created
Draft access request created.
Integration
Graph adapter mock
Execution produces a typed Microsoft Graph-style operation after every required approval is recorded.
Architecture
The important logic is pure TypeScript.
The UI is only the inspection surface. The policy checks, workflow transitions, audit events, and mock Graph operation live in testable TypeScript modules.
Policy engine
Validates justification, role availability, duplicate access, separation of duties, sensitivity, and risk.
Workflow state
Moves requests through draft, submitted, blocked, approved, rejected, and executed states.
Audit model
Records every meaningful action as an append-only event with actor, timestamp, request, and metadata.
Graph boundary
Produces a typed Microsoft Graph-style operation without touching a real tenant or secret.
Code walkthrough
Representative implementation details
These excerpts are from the TypeScript modules powering the simulator. They show the policy and workflow shape without requiring access to a private repository.
Separation-of-duties guardrail
const conflict = role.conflictsWith?.find((entitlement) =>
requester.entitlements.includes(entitlement)
);
if (conflict) {
findings.push({
code: "separation_of_duties",
severity: "deny",
message: `${role.name} conflicts with existing entitlement ${conflict}.`
});
}Approval completion rule
const approved = state.request.requiredApprovals.every((required) =>
approvals.some((approval) => approval.type === required)
);
const request = {
...state.request,
approvals,
status: approved ? "approved" : "submitted",
updatedAt: timestamp
};Tests
Validation scenarios covered in Vitest
Policy block
Separation-of-duties conflicts stop unsafe requests before approval.
Approval requirements
Privileged access requires manager, resource owner, and cybersecurity approval.
Execution boundary
Approved requests produce a typed Microsoft Graph-style operation and audit event.
Role alignment
What this is meant to prove
Secure workflow design
Request/approval/execution flow with guardrails, least-privilege thinking, and traceability.
TypeScript implementation
Domain logic is separate from UI state and covered by deterministic tests.
Enterprise integration shape
Graph execution is modeled as a boundary, ready to swap from mock to real adapter in a production design.
Limitations
This is a public-safe simulator.
It does not connect to Microsoft Entra ID, Microsoft Graph, Azure, Okta, Cognito, or any real tenant. The goal is to make the workflow, policy, and engineering approach inspectable without exposing confidential systems or requiring credentials.