Why | Questions It Answers | Why It Is Different | Quick Start | Support Matrix | Install
Who has access. Why it exists. What changes if you remove it.
GrantPath is a graph-powered, self-hosted Access Path Intelligence Platform for IAM, Active Directory and file server permissions. It shows who has access, explains why that access exists through groups, ACLs and inheritance, and helps teams simulate changes before they break production.
## Why
GrantPath is built for a problem teams hit constantly:
- access is inherited through layers of groups, ACLs and exceptions
- static permission reports do not explain why an access path exists
- cleanup work is risky when nobody knows what will break
GrantPath turns that mess into something operational:
- who has access: find effective access across principals, groups, resources and inheritance
- why it exists: inspect explainable paths instead of guessing from raw ACLs
- what changes if you remove it: run safe what-if simulations before touching production
- review and report: generate access reviews, remediation plans and scheduled reports
- self-hosted: run it in Docker, Windows or Linux without paid platform dependencies
## Questions It Answers
These are the kinds of questions that make GrantPath interesting in practice:
- Why does `mario.rossi` still have write access to Finance?
- Which groups and ACLs make this share reachable?
- Who loses access if we remove this nested group or ACE?
- Which resources are overexposed right now?
- Which review decisions can we export for audit or remediation?
## Why It Is Different

| Static ACL auditor | GrantPath |
|---|---|
| dumps permissions | explains effective access |
| shows raw ACLs | reconstructs why access exists |
| weak at nested group reasoning | follows paths across groups, ACLs and inheritance |
| risky cleanup decisions | supports what-if simulations before changes |
| report-first | operator-first and investigation-friendly |
| often cloud-only or product-led | self-hosted and usable on local infrastructure |
GrantPath is an explainable, graph-powered control plane for access analysis, entitlement visibility and permission cleanup.
- it shows who can reach a resource or permission boundary
- it explains why that access exists across identities, nested groups, ACLs and inheritance
- it helps teams understand what changes if a grant, path or group is removed
- it turns review and cleanup work into something operators can act on quickly
It is built for self-hosted environments where access visibility, operational reporting and explainability matter more than static audit exports.
GrantPath is built for teams that need to answer:
- who has access
- why that access exists
- what changes if a grant, group or ACL path is removed
It is built as an explainable control plane, not as a static ACL auditor.
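The who / why / what-if reasoning described above, as an added Python example that is not part of GrantPath's code base (Python because the backend is FastAPI): it builds a small graph from constructed sample principals, nested groups, ACEs and share inheritance, returns explainable paths instead of a flat permission dump, and simulates removing one nested-group edge to see who loses what. The edge kinds, the `share:` resource labels and every name in the sample data are assumptions for the illustration, not GrantPath's schema.

```python
"""
Added example, not GrantPath's own code: a minimal access-path graph that
answers who has access, why it exists, and what changes if a grant or
group edge is removed. All principals, groups, shares and ACEs below are
constructed sample data.
"""
from collections import defaultdict, deque

# Edge kinds used by this toy graph (assumed, not GrantPath's schema):
#   ("user",   "MEMBER_OF",   "group")     groups may nest
#   ("holder", "ACE:<right>", "resource")  explicit ACE on a resource
#   ("child",  "CHILD_OF",    "parent")    ACEs inherit from parent to child
SAMPLE_PRINCIPALS = {"mario.rossi", "anna.bianchi", "luca.verdi"}
SAMPLE_EDGES = [
    ("mario.rossi", "MEMBER_OF", "Finance-Contractors"),
    ("Finance-Contractors", "MEMBER_OF", "Finance-Staff"),   # nested group
    ("anna.bianchi", "MEMBER_OF", "Finance-Staff"),
    ("Finance-Staff", "ACE:write", "share:Finance"),
    ("luca.verdi", "ACE:read", "share:Finance"),
    ("mario.rossi", "ACE:read", "share:Finance/Archive"),    # direct ACE
    ("share:Finance/Archive", "CHILD_OF", "share:Finance"),
    ("share:Finance/Budget", "CHILD_OF", "share:Finance"),
]


class AccessGraph:
    def __init__(self, edges, principals):
        self.edges = list(edges)
        self.principals = set(principals)
        self.member_of = defaultdict(list)  # node -> groups it belongs to
        self.parent_of = {}                 # resource -> parent resource
        self.aces = defaultdict(list)       # holder -> [(right, resource)]
        self.resources = set()
        for src, rel, dst in self.edges:
            if rel == "MEMBER_OF":
                self.member_of[src].append(dst)
            elif rel == "CHILD_OF":
                self.parent_of[src] = dst
                self.resources.update((src, dst))
            elif rel.startswith("ACE:"):
                self.aces[src].append((rel[4:], dst))
                self.resources.add(dst)
            else:
                raise ValueError(f"unknown relation: {rel}")

    def membership_chains(self, principal):
        """BFS over MEMBER_OF; returns holder -> chain of nodes from principal to holder.
        The visited check keeps this safe against circular group nesting."""
        chains = {principal: [principal]}
        queue = deque([principal])
        while queue:
            node = queue.popleft()
            for group in self.member_of.get(node, []):
                if group not in chains:
                    chains[group] = chains[node] + [group]
                    queue.append(group)
        return chains

    def resource_chain(self, resource):
        """The resource followed by its ancestors (where inherited ACEs come from)."""
        chain = [resource]
        while chain[-1] in self.parent_of and self.parent_of[chain[-1]] not in chain:
            chain.append(self.parent_of[chain[-1]])
        return chain

    def explain(self, principal, resource):
        """Every path by which `principal` holds a right on `resource`."""
        paths = []
        ancestors = self.resource_chain(resource)
        for holder, chain in self.membership_chains(principal).items():
            for right, target in self.aces.get(holder, []):
                if target in ancestors:
                    # hops from the resource carrying the ACE down to the asked-for resource
                    inherited = list(reversed(ancestors[: ancestors.index(target)]))
                    paths.append({"right": right, "via_groups": chain[1:],
                                  "ace_on": target, "inherited_to": inherited})
        return paths

    def effective_rights(self, principal, resource):
        return sorted({p["right"] for p in self.explain(principal, resource)})

    def who_has(self, resource, right):
        return sorted(p for p in self.principals
                      if right in self.effective_rights(p, resource))

    def what_if_remove(self, edge):
        """Simulate deleting one edge; returns {(principal, resource): [lost rights]}."""
        after = AccessGraph([e for e in self.edges if e != edge], self.principals)
        lost = {}
        for p in sorted(self.principals):
            for r in sorted(self.resources):
                gone = set(self.effective_rights(p, r)) - set(after.effective_rights(p, r))
                if gone:
                    lost[(p, r)] = sorted(gone)
        return lost


if __name__ == "__main__":
    g = AccessGraph(SAMPLE_EDGES, SAMPLE_PRINCIPALS)
    print("write on share:Finance:", g.who_has("share:Finance", "write"))
    for path in g.explain("mario.rossi", "share:Finance/Budget"):
        print("mario.rossi ->", path)
    removal = ("Finance-Contractors", "MEMBER_OF", "Finance-Staff")
    print("if", removal, "is removed, these lose:", g.what_if_remove(removal))
```

The point of `explain` is that each result carries the nested-group chain, the resource the ACE actually sits on and the inheritance hops, which is what a reviewer needs to decide whether a grant is legitimate; `what_if_remove` answers the cleanup question by recomputing effective rights on a copy of the graph rather than on production.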
GrantPath is still an early public preview, not a finished enterprise suite. The core flows are already real and useful, but broader enterprise depth is still being built out.
Where it already feels strong:
- local admin bootstrap with MFA
- `LDAP` and `OIDC` integration paths
- live filesystem collection
- raw snapshot retention
- normalization pipeline
- graph-backed explainability
- materialized access index (`who-has-access`, `why`, `what-if`, `risk`, `changes`)
- access review campaigns and remediation plans
- scheduled reports
- worker split (`all` / `api` / `worker`)
- RBAC inside the application
- Docker, Windows package, Linux installer
What is still evolving:
- full cloud/runtime validation for `Graph`, `Azure`, `Okta`, `AWS`, `Google`, `CyberArk`
- deeper multi-tenant isolation
- broader enterprise governance and analytics
If you discover GrantPath through GitHub search, the right expectation is:
- already useful for `filesystem + explainability + access review + reporting`
- still maturing for deeper enterprise breadth and broader connector coverage
## Quick Start
Start here:
Recommended install paths:
- Docker appliance
- Windows release package
- Linux system install
Core documentation:
- Install Guide
- Support Matrix
- Official Integration Notes
- Enterprise Readiness Review
- GitHub Launch Kit
GrantPath follows a layered design:
```text
Connector / Collector Layer
Raw Snapshot Store
Normalization Pipeline
Graph Engine
Materialized Access Index
Query / API Gateway
Web UI
```
Main query surfaces:
`SearchSvc`, `EntitlementSvc`, `ExplainSvc`, `RiskSvc`, `WhatIfSvc`, `GraphSvc`, `ChangesSvc`
The UI is task-oriented rather than scanner-oriented:
`Home`, `Investigate`, `Govern`, `Sources`, `Operations`
Current stack in the repository:
- backend: FastAPI
- frontend: React + TypeScript
- primary production store: PostgreSQL
- optional runtime integrations: Neo4j, OpenSearch, ClickHouse, Valkey
- observability base: OpenTelemetry
Important compatibility note:
- internal configuration prefixes still use `EIP_*` for backward compatibility
Backend:
```powershell
cd <repo-root>
.\.venv\Scripts\python.exe -m uvicorn app.main:app --host 127.0.0.1 --port 8000 --reload --app-dir .\backend
```
Frontend:
```powershell
cd <repo-root>\frontend
npm run dev
```
UI: http://127.0.0.1:5173
```powershell
cd <repo-root>
.\.venv\Scripts\python.exe -m pip install -r .\backend\requirements-dev.txt
.\.venv\Scripts\python.exe -m pytest backend/tests
.\.venv\Scripts\python.exe -m bandit -r backend/app -ll
.\.venv\Scripts\python.exe -m pip_audit -r backend/requirements.txt
cd .\frontend
npm run lint
npm run build
npm audit --omit=dev
```
## Install
Supported packaging paths:
- Docker appliance / production compose
- Windows packaged executable
- Linux install script
Key files:
- backend/Dockerfile
- backend/requirements-dev.txt
- frontend/Dockerfile
- Dockerfile.appliance
- docker-compose.production.yml
- docker-compose.enterprise.yml
- scripts/build-windows.ps1
- scripts/install-linux.sh
- scripts/install-from-source.ps1
- scripts/install-from-source.sh
## Support Matrix
At a high level:
- supported: local filesystem investigation, explainability, reporting, review, scheduling, self-hosted deployment
- partial: enterprise connector runtime coverage, analytics depth, tenant isolation
- blueprint: some cloud connectors modeled from official documentation but not fully live in this runtime
See the full matrix in docs/support-matrix.md.
Please read SECURITY.md before reporting vulnerabilities.
Contribution guidelines are in CONTRIBUTING.md.
This repository is prepared for publication under the Apache-2.0 License.