Case Study - Entitlement Governance Platform
Replaced spreadsheet-based entitlement tracking with a production platform featuring 90+ automated validation checks.
5,000-person SaaS company
Governance & Compliance
Problem
Five thousand employees, and the answer to "who has access to what?" lived in spreadsheets. Multiple spreadsheets, actually — different teams had different versions, and reconciling them was its own recurring project.
An analyst would pull data from the IDP, cross-reference it against the spreadsheet, flag discrepancies, and spend days chasing entitlement owners for confirmation. One review cycle took weeks. And the spreadsheets themselves were unreliable: duplicate entries, missing fields, entitlements still assigned to people who had left months earlier.
Approach
FastAPI backend, Aurora PostgreSQL, OIDC auth through their existing IDP, and an admin dashboard for entitlement owners. Nothing exotic — the interesting problem was the data, not the stack.
- Automated validations: 90+
- Manual tracking: eliminated
The interesting design problem: the company had years of messy legacy entitlement data that could not be cleaned up overnight, but new entitlements needed strict validation from day one. We solved this with a strategy-pattern validation framework — relaxed constraints for legacy records during a cleanup window, strict rules for anything created after launch. This let the team migrate gradually instead of doing a terrifying data quality sprint before going live.
90+ automated checks now cover field completeness, policy compliance, ownership, and cross-reference consistency against the IDP. Every change gets event-driven audit logging. No more manually maintained changelogs.
The dashboard gives entitlement owners direct visibility into their data quality. Problems surface as they happen, not in a quarterly review cycle three months later.
Outcome
Nobody opens the spreadsheets anymore.
Audit evidence that used to take weeks to assemble is now a database query. The audit trail captures who changed what, when, and why — no analyst maintaining a changelog by hand.
One source of truth, one set of validation rules, and problems that surface the moment they happen instead of during the next review cycle.
Handoff
We trained two administrators over a week-long handoff. They manage entitlement records, interpret validation failures, and write new checks as governance requirements change. Adding a validation check means writing a function and registering it — no deployment needed.
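The strategy-pattern framework from the Approach section (relaxed rules for legacy records, strict rules for records created after launch) and the write-a-function-and-register-it workflow described above, as an added Python sketch that is not the platform's own code; LAUNCH_DATE, the IDP snapshot and the check names are constructed for illustration:

```python
"""Strategy-pattern entitlement checks: relaxed rules for legacy records
during the cleanup window, strict rules for records created after launch.
Added illustration; LAUNCH_DATE and the IDP snapshot are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

LAUNCH_DATE = date(2024, 1, 1)  # constructed cutoff for "new" records
IDP_USERS = {"alice": True, "bob": True, "carol": False}  # constructed IDP snapshot; carol has left

@dataclass
class Entitlement:
    id: str
    owner: Optional[str]   # may be empty on legacy rows
    assignee: str
    created: date

Check = Callable[[Entitlement], List[str]]
CHECKS: Dict[str, Dict[str, Check]] = {"strict": {}, "relaxed": {}}

def check(name: str, strategies=("strict", "relaxed")) -> Callable[[Check], Check]:
    """Adding a check is writing a function and registering it here."""
    def register(fn: Check) -> Check:
        for s in strategies:
            CHECKS[s][name] = fn
        return fn
    return register

@check("assignee_active")  # applies to both strategies: leavers lose access
def assignee_active(e: Entitlement) -> List[str]:
    return [] if IDP_USERS.get(e.assignee) else [f"{e.id}: assignee {e.assignee!r} not active in IDP"]

@check("owner_required", strategies=("strict",))  # legacy rows tolerated during cleanup
def owner_required(e: Entitlement) -> List[str]:
    return [] if e.owner else [f"{e.id}: owner missing"]

@check("owner_active", strategies=("strict",))  # cross-reference owner against the IDP
def owner_active(e: Entitlement) -> List[str]:
    if e.owner and not IDP_USERS.get(e.owner):
        return [f"{e.id}: owner {e.owner!r} not active in IDP"]
    return []

def strategy_for(e: Entitlement) -> str:
    """Legacy records (created before launch) get the relaxed ruleset."""
    return "relaxed" if e.created < LAUNCH_DATE else "strict"

def validate(e: Entitlement) -> List[str]:
    """Run every check registered for the record's strategy; return findings."""
    return [f for fn in CHECKS[strategy_for(e)].values() for f in fn(e)]
```

A legacy row with no owner passes the relaxed ruleset, while the same gap on a post-launch record is reported; an entitlement still assigned to someone inactive in the IDP is flagged under both rulesets.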
The platform runs in their existing infrastructure with their existing monitoring and deployment tooling. Database migrations, runbooks, and dashboards were all part of the delivery. They have not called us since.