Skip to content

System Overview

Verity is an Access Decay Intelligence Platform that continuously scores how "decayed" every access grant has become, then orchestrates reviews and automated remediation. The platform is implemented as a Python 3.12 monorepo containing 19 microservices organised across five processing planes.

High-Level Architecture

The following C4 Context diagram illustrates the major system boundaries, external integrations, and data stores.

C4Context
    title Verity — System Context Diagram

    Person(reviewer, "Access Reviewer", "Reviews flagged access grants and approves or revokes them.")
    Person(admin, "Platform Admin", "Configures connectors, policies, and platform settings.")

    System_Boundary(verity, "Verity Platform") {
        System(api, "API Gateway", "FastAPI — REST API for all client interactions.")
        System(ingest, "Ingest Plane", "Connectors + Ingest Worker — pulls access data from source systems.")
        System(normalise, "Normalise Plane", "Normalise Engine — maps raw events to the canonical model.")
        System(score, "Score Plane", "Decay Engine — computes 6-factor access-decay scores.")
        System(review, "Review Plane", "Review Generator + Workflow Engine — creates and orchestrates reviews.")
        System(remediate, "Remediate Plane", "Remediation Executor — revokes or modifies access in source systems.")
        SystemDb(pg, "PostgreSQL + TimescaleDB", "Operational store — principals, assets, grants, scores, reviews.")
        SystemDb(ch, "ClickHouse", "Audit & analytics — immutable event log, compliance reports.")
        SystemQueue(kafka, "Kafka (KRaft)", "Event streaming backbone between all planes.")
        System(redis, "Redis", "Caching layer — score look-ups, session data, rate limiting.")
        System(temporal, "Temporal", "Durable workflow orchestration for review lifecycle.")
    }

    System_Ext(azuread, "Microsoft Entra ID", "Identity provider & access-data source.")
    System_Ext(snowflake, "Snowflake", "Data warehouse access-data source.")
    System_Ext(databricks, "Databricks", "Analytics platform access-data source.")
    System_Ext(fabric, "Microsoft Fabric", "Data platform access-data source.")
    System_Ext(dashui, "Dashboard UI", "Next.js SPA for reviewers and admins.")

    Rel(reviewer, dashui, "Uses")
    Rel(admin, dashui, "Manages")
    Rel(dashui, api, "HTTPS / JSON")
    Rel(api, pg, "SQL")
    Rel(api, redis, "Cache reads")
    Rel(ingest, azuread, "Microsoft Graph API")
    Rel(ingest, snowflake, "Snowflake SQL API")
    Rel(ingest, databricks, "Databricks REST API")
    Rel(ingest, fabric, "Fabric REST API")
    Rel(ingest, kafka, "Produces raw events")
    Rel(kafka, normalise, "Consumes raw events")
    Rel(normalise, pg, "Writes normalised data")
    Rel(normalise, kafka, "Produces normalised events")
    Rel(kafka, score, "Consumes normalised events")
    Rel(score, pg, "Reads grants / Writes scores")
    Rel(score, kafka, "Produces score events")
    Rel(kafka, review, "Consumes score events")
    Rel(review, temporal, "Starts workflows")
    Rel(review, kafka, "Produces review events")
    Rel(kafka, remediate, "Consumes decided reviews")
    Rel(remediate, azuread, "Revokes access")

Service Inventory

Verity comprises 12 application services and 5 infrastructure components.

Application Services

# Service Language / Framework Plane Port Description
1 api-gateway Python 3.12 / FastAPI Cross-cutting 8000 REST API — authentication, routing, rate limiting.
2 connector-azure-ad Python 3.12 Ingest 8010 Pulls users, groups, roles, and sign-in logs from Microsoft Entra ID via Graph API.
3 connector-snowflake Python 3.12 Ingest 8011 Extracts grants and query history from Snowflake.
4 connector-databricks Python 3.12 Ingest 8012 Extracts workspace permissions and audit logs from Databricks.
5 connector-fabric Python 3.12 Ingest 8013 Extracts workspace items and permissions from Microsoft Fabric.
6 ingest-worker Python 3.12 Ingest Consumes raw connector events and fans out to normalisation.
7 normalise-engine Python 3.12 Normalise Maps platform-specific schemas to the Verity canonical model.
8 decay-engine Python 3.12 / Polars Score Computes access-decay scores using the 6-factor formula; batch scoring via Polars.
9 review-generator Python 3.12 Review Creates review packets when scores exceed policy thresholds.
10 workflow-engine Python 3.12 / Temporal Review Orchestrates the review lifecycle as durable Temporal workflows.
11 remediation-executor Python 3.12 Remediate Executes approved revocations and modifications in source systems.
12 dashboard-ui TypeScript / Next.js Cross-cutting 3000 Reviewer and admin web interface.

Infrastructure Components

# Component Version Purpose
1 PostgreSQL + TimescaleDB 16 + 2.x Operational data store — time-series scores and events.
2 ClickHouse Latest Immutable audit log and compliance analytics.
3 Apache Kafka (KRaft) 3.7+ Event streaming backbone — no ZooKeeper dependency.
4 Redis 7.x Caching, rate limiting, and session data.
5 Temporal Latest Durable workflow engine for review orchestration.

Technology Stack

Layer Technology Notes
Language Python 3.12 All backend services
Web Framework FastAPI API Gateway, connector health endpoints
Task / Streaming aiokafka, confluent-kafka Async Kafka consumers and producers
Data Processing Polars High-performance batch scoring in decay-engine
Workflow Engine Temporal (Python SDK) Review lifecycle orchestration
ORM / SQL SQLAlchemy 2.0 + asyncpg Async PostgreSQL access
Database PostgreSQL 16 + TimescaleDB Hypertables for access_events, access_scores
Analytics DB ClickHouse Columnar OLAP for audit queries
Streaming Apache Kafka (KRaft mode) All inter-service communication
Caching Redis 7 Score cache, rate limiting
Frontend Next.js + TypeScript Dashboard UI
Containerisation Docker Multi-stage builds, distroless base images
Orchestration Kubernetes + Helm Production deployment
CI/CD GitHub Actions Lint → Test → Build → Deploy pipeline
Observability Prometheus + Grafana Metrics, dashboards, alerting
Logging structlog (JSON) Structured logging across all services
Security Scanning Trivy, Bandit, Semgrep Container, SAST, and pattern-based scanning

The Five Planes

Verity's processing pipeline is organised into five sequential planes. Each plane is independently scalable and communicates exclusively through Kafka topics.

flowchart LR
    subgraph INGEST["① Ingest Plane"]
        direction TB
        CAD[connector-azure-ad]
        CSF[connector-snowflake]
        CDB[connector-databricks]
        CFB[connector-fabric]
        IW[ingest-worker]
        CAD --> IW
        CSF --> IW
        CDB --> IW
        CFB --> IW
    end

    subgraph NORMALISE["② Normalise Plane"]
        NE[normalise-engine]
    end

    subgraph SCORE["③ Score Plane"]
        DE["decay-engine<br/><small>scoring.py — 6-factor formula</small><br/><small>batch.py — Polars batch</small>"]
    end

    subgraph REVIEW["④ Review Plane"]
        RG[review-generator]
        WE["workflow-engine<br/><small>(Temporal)</small>"]
        RG --> WE
    end

    subgraph REMEDIATE["⑤ Remediate Plane"]
        RE[remediation-executor]
    end

    INGEST -- "verity.events.raw.*" --> NORMALISE
    NORMALISE -- "verity.events.normalised" --> SCORE
    SCORE -- "verity.scores.updated" --> REVIEW
    REVIEW -- "verity.reviews.decided" --> REMEDIATE

    subgraph CROSSCUT["Cross-Cutting Services"]
        AG[api-gateway]
        AW[audit-writer]
        CR[compliance-reporter]
        DU[dashboard-ui]
    end

    AG -. "REST API" .-> INGEST
    AG -. "REST API" .-> SCORE
    AG -. "REST API" .-> REVIEW
    AW -. "verity.audit.all" .-> CROSSCUT

    subgraph STORAGE["Data Stores"]
        PG[(PostgreSQL + TimescaleDB)]
        CH[(ClickHouse)]
        KF[[Kafka — KRaft]]
        RD[(Redis)]
        TM[Temporal Server]
    end

Plane Details

① Ingest Plane

Service Responsibility
connector-azure-ad Polls Microsoft Graph API for users, groups, app-role assignments, and sign-in logs.
connector-snowflake Queries ACCOUNT_USAGE views for grants and query history.
connector-databricks Calls Databricks REST API for workspace ACLs and audit events.
connector-fabric Calls Fabric REST API for workspace items, capacities, and permissions.
ingest-worker Consumes raw events from per-platform Kafka topics; deduplicates, validates, and forwards to normalisation.

② Normalise Plane

Service Responsibility
normalise-engine Transforms platform-specific payloads into the Verity canonical model (Principal, Asset, AccessGrant, AccessEvent). Resolves identities and classifies assets.

③ Score Plane

Service Responsibility
decay-engine scoring.py — Implements the 6-factor decay formula (time since last use, peer comparison, privilege level, resource sensitivity, anomaly signals, compliance weight). batch.py — Polars-based batch processing for full-estate re-scoring.

④ Review Plane

Service Responsibility
review-generator Monitors score changes; creates review packets when scores exceed configurable policy thresholds.
workflow-engine Manages the review lifecycle as a Temporal workflow: assignment → notification → decision → escalation → remediation.

⑤ Remediate Plane

Service Responsibility
remediation-executor Executes approved access changes (revoke, downgrade, time-box) in the originating source system via connector APIs.

Shared Libraries

All services depend on a set of shared libraries in the libs/ directory.

Library Path Contents
verity-common libs/verity-common/ Domain models, configuration loading, Kafka producer/consumer helpers, Prometheus metrics, structured logging, database session management.
verity-sdk libs/verity-sdk/ ConnectorBase abstract class — the extension point for building new connectors.
verity-testing libs/verity-testing/ Shared pytest fixtures, factory functions, and test utilities (Kafka mocks, database seeding).

Deployment Topology

flowchart TB
    subgraph K8S["Kubernetes Cluster"]
        subgraph ns_verity["namespace: verity"]
            api[api-gateway ×2]
            cad[connector-azure-ad ×1]
            csf[connector-snowflake ×1]
            cdb[connector-databricks ×1]
            cfb[connector-fabric ×1]
            iw[ingest-worker ×3]
            ne[normalise-engine ×2]
            de[decay-engine ×2]
            rg[review-generator ×1]
            we[workflow-engine ×1]
            re[remediation-executor ×1]
            aw[audit-writer ×2]
            cr[compliance-reporter ×1]
            du[dashboard-ui ×2]
        end
        subgraph ns_infra["namespace: verity-infra"]
            pg[(PostgreSQL + TimescaleDB)]
            ch[(ClickHouse)]
            kf[[Kafka Brokers ×3]]
            rd[(Redis Sentinel)]
            tm[Temporal Server]
        end
    end
    api --> pg
    api --> rd
    iw --> kf
    ne --> kf
    ne --> pg
    de --> pg
    de --> kf
    rg --> kf
    we --> tm
    re --> kf
    aw --> ch
    aw --> kf

Each service is deployed as a Kubernetes Deployment with horizontal pod autoscaling (HPA) based on CPU and Kafka consumer lag. Infrastructure components run in a dedicated verity-infra namespace with StatefulSet controllers.