Remediation Service
Path: services/remediation/ · Type: Worker
The Remediation Service executes REVOKE decisions by removing access in the originating source systems. It acts as the enforcement arm of the review workflow, translating platform-agnostic revocation commands into platform-specific API calls.
Architecture
```mermaid
graph LR
    WE[Workflow Engine] -->|revocation request| RS[Remediation Service]
    RS --> AAD[Azure AD]
    RS --> SF[Snowflake]
    RS --> DB[Databricks]
    RS --> FB[Microsoft Fabric]
    RS -->|verity.remediations.completed| K{{Kafka}}
    RS --> PG[(PostgreSQL)]
```
Execution Flow
```mermaid
sequenceDiagram
    participant WE as Workflow Engine
    participant RS as Remediation Service
    participant Source as Source System
    participant PG as PostgreSQL
    participant Kafka
    WE->>RS: Revocation request (grant_id, platform)
    RS->>PG: Load grant details
    RS->>RS: Select platform executor
    RS->>Source: Execute REVOKE API call
    Source-->>RS: Confirmation
    RS->>PG: Update grant status → REVOKED
    RS->>Kafka: Publish verity.remediations.completed
    RS-->>WE: Revocation complete
```
Platform Executors
Each source platform has a dedicated executor that handles the specifics of revoking access:
| Platform | Executor | Revocation Method |
|---|---|---|
| Azure AD | AzureADExecutor | Remove group membership, revoke app role assignment via Graph API |
| Snowflake | SnowflakeExecutor | REVOKE SQL statements against roles and object grants |
| Databricks | DatabricksExecutor | Remove Unity Catalog grants and workspace permissions via REST API |
| Fabric | FabricExecutor | Remove workspace role assignments via Fabric REST API |
Safety Mechanisms
- Dry-run mode: When REMEDIATION_DRY_RUN=true, executors log the intended action without performing it.
- Pre-flight validation: Verifies the grant still exists in the source system before attempting revocation.
- Idempotency: Revocations are idempotent — re-executing a revocation for an already-revoked grant is a no-op.
- Rollback window: Revoked grants are soft-deleted with a configurable retention period (default: 30 days) before permanent removal.
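How the first three mechanisms can be ordered inside one revocation call, as an added example that is not the service's own code. `FakeSource`, `execute_revocation`, `dry_run_enabled`, the outcome strings, and the behaviour when pre-flight finds no grant are all hypothetical; the sample grant store is constructed in memory.

```python
import logging
import os
from dataclasses import dataclass, field

log = logging.getLogger("remediation.example")


@dataclass
class FakeSource:
    """Constructed in-memory stand-in for a source system (hypothetical)."""
    grants: set = field(default_factory=set)
    revoke_calls: int = 0

    def grant_exists(self, grant_id):
        return grant_id in self.grants

    def revoke(self, grant_id):
        self.revoke_calls += 1
        self.grants.discard(grant_id)


def dry_run_enabled(env=None):
    # Assumption: only the value "true" (any case) turns dry-run on.
    env = os.environ if env is None else env
    return env.get("REMEDIATION_DRY_RUN", "false").strip().lower() == "true"


def execute_revocation(source, status, grant_id, dry_run):
    """Run one revocation; `status` is a dict standing in for the grant table."""
    # Idempotency: a grant already marked REVOKED is a no-op.
    if status.get(grant_id) == "REVOKED":
        return "noop_already_revoked"
    # Pre-flight validation: a read-only check, so it also runs in dry-run mode.
    if not source.grant_exists(grant_id):
        # Assumption: skip and report; the page does not say what happens here.
        return "skipped_not_found"
    # Dry-run: log the intended action and stop before any write.
    if dry_run:
        log.info("DRY RUN: would revoke grant %s", grant_id)
        return "dry_run"
    source.revoke(grant_id)
    # Confirm the source no longer reports the grant before recording REVOKED.
    if source.grant_exists(grant_id):
        return "failed"
    status[grant_id] = "REVOKED"
    return "revoked"
```

Placing the dry-run check after the read-only pre-flight check means a dry run reports only revocations that would actually be attempted.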
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| REMEDIATION_KAFKA_BOOTSTRAP | Yes | — | Kafka bootstrap servers |
| REMEDIATION_DATABASE_URL | Yes | — | PostgreSQL connection string |
| REMEDIATION_DRY_RUN | No | false | Enable dry-run mode |
| REMEDIATION_ROLLBACK_DAYS | No | 30 | Days to retain soft-deleted grants |
| REMEDIATION_LOG_LEVEL | No | INFO | Python log level |
Platform-specific credentials are inherited from the corresponding connector configuration.
Observability
| Metric | Type | Description |
|---|---|---|
| remediation_executions_total | Counter | Revocations executed (by platform, outcome) |
| remediation_duration_seconds | Histogram | Time to complete a revocation |
| remediation_errors_total | Counter | Failed revocation attempts |
| remediation_dry_run_total | Counter | Dry-run revocations logged |