OrbisID
OrbisID is a Privileged Access Management (PAM) Detection Tool for enterprise environments. It automatically scans your infrastructure to discover privileged accounts and entitlements, links them to identities, and generates Key Risk Indicators (KRIs) and compliance reports.
What OrbisID Does
Most organisations know they have privileged accounts spread across Active Directory, Linux servers, databases, and other systems. What they often lack is a single, accurate view of where those accounts are, who owns them, and whether they are managed in a PAM tool.
OrbisID solves this by:
- Discovering privileged accounts across Active Directory, Linux, SQL Server, and custom systems
- Classifying accounts as Human or Non-Human using configurable policy rules
- Linking accounts to real-world identities so every privileged account has an owner
- Measuring risk through Key Risk Indicators (KRIs) with RAG (Red/Amber/Green) status
- Reconciling discovered accounts against your PAM tool inventory to find gaps
- Reporting on compliance posture with exportable reports
Architecture Overview
OrbisID is deployed as a set of Docker containers behind an Nginx reverse proxy:
| Component | Purpose |
|---|---|
| Frontend | Web UI built with React and PrimeReact |
| Backend | REST API and scanning engine (Spring Boot) |
| PostgreSQL | Stores all configuration, scan results, and audit history |
| Nginx | TLS termination and reverse proxy |
| Scan Agent | Optional remote agent for scanning systems in segmented networks |
Key Concepts
Target Systems
A target system is any infrastructure component that OrbisID scans for privileged accounts. Supported types include Active Directory, Linux (SSH), SQL Server, CSV imports, and custom scripts.
Accounts and Entitlements
An account is a user or service account discovered on a target system. Each account has entitlements (group memberships, permissions, roles) that determine its privilege level.
Identities
An identity represents a real person or service owner. Linking accounts to identities answers the question "who owns this privileged account?"
Key Risk Indicators (KRIs)
KRIs are metrics that measure your privileged access risk posture. Each KRI has Green, Amber, and Red thresholds. Examples include:
- Privileged Without Owner - privileged accounts not linked to an identity
- Not in PAM Tool - privileged accounts not managed by your PAM solution
- Standing Privileges - always-on privileged access that should be just-in-time
PAM Reconciliation
OrbisID compares its discovered privileged accounts against the inventory from your PAM tool (CyberArk, BeyondTrust, Delinea, etc.) to identify unmanaged accounts that should be onboarded.
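The reconciliation and KRI scoring described above can be sketched as follows. This is an added example, not OrbisID code: the `Account` fields, the name-matching rule, the percentage-based thresholds, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    system: str                  # target system the account was found on
    name: str
    privileged: bool             # outcome of policy-rule classification
    owner: Optional[str] = None  # linked identity; None means unlinked

def match_key(system, name):
    # Assumed matching rule: case-insensitive, ignoring a leading NetBIOS
    # domain prefix and a trailing @realm suffix on the account name.
    short = name.strip().lower().split("\\")[-1].split("@")[0]
    return (system.strip().lower(), short)

def rag(pct, amber, red):
    # Thresholds are lower bounds, in percent of privileged accounts.
    return "RED" if pct >= red else "AMBER" if pct >= amber else "GREEN"

def reconcile(discovered, pam_inventory, thresholds):
    privileged = [a for a in discovered if a.privileged]
    managed = {match_key(s, n) for s, n in pam_inventory}
    unmanaged = [a for a in privileged if match_key(a.system, a.name) not in managed]
    unowned = [a for a in privileged if not a.owner]
    kris = {}
    for label, hits in (("Not in PAM Tool", unmanaged),
                        ("Privileged Without Owner", unowned)):
        pct = 100.0 * len(hits) / max(len(privileged), 1)
        amber, red = thresholds[label]
        kris[label] = {"count": len(hits), "pct": round(pct, 1),
                       "status": rag(pct, amber, red)}
    return unmanaged, kris

# Constructed sample data: discovered accounts, a PAM export, KRI thresholds.
DISCOVERED = [
    Account("corp-ad", "CORP\\adm-jsmith", True, "jsmith"),
    Account("corp-ad", "svc-backup", True),
    Account("corp-ad", "jdoe", False, "jdoe"),
    Account("db01", "sa", True),
    Account("web01", "root", True, "ops-team"),
]
PAM_INVENTORY = [("CORP-AD", "adm-jsmith"), ("web01", "root"), ("db01", "SA")]
THRESHOLDS = {"Not in PAM Tool": (10, 30), "Privileged Without Owner": (5, 25)}

if __name__ == "__main__":
    gaps, kris = reconcile(DISCOVERED, PAM_INVENTORY, THRESHOLDS)
    print("Onboard to PAM:", [f"{a.system}/{a.name}" for a in gaps])
    for label, kri in kris.items():
        print(label, kri)
```

Matching on the system plus a normalised account name keeps a local `root` on one host from being counted as managed because a different host's `root` is vaulted.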
Scan Policies
A scan policy defines which systems to scan, when to scan them, and which classification rules to apply. Policies can run on-demand or on a schedule (daily, weekly, monthly, quarterly).
Policy Rules
Policy rules use Spring Expression Language (SpEL) to classify accounts. For example, a rule might mark any account that is a member of Domain Admins as PRIVILEGED.
Editions
OrbisID is available in three editions:
| Capability | Community | Pro | Enterprise |
|---|---|---|---|
| Max systems | 2 | 5 | Unlimited |
| Max users | 1 | 5 | Unlimited |
| Scheduled scans | - | 1 | Unlimited |
| Active Directory scanning | Yes | Yes | Yes |
| Linux scanning | Yes | Yes | Yes |
| SQL Server scanning | - | Yes | Yes |
| CSV import scanning | - | Yes | Yes |
| Custom script scanning | - | - | Yes |
| KRI monitoring | Basic (4 KRIs) | Full | Full |
| KRI snapshots and exceptions | - | Yes | Yes |
| CSV report export | - | Yes | Yes |
| API access and keys | - | - | Yes |
| SSO / OIDC authentication | - | - | Yes |
| PAM reconciliation | Yes | Yes | Yes |
See Licensing for full details.
Next Steps
- Requirements - check what you need before installing
- Quick Start - get OrbisID running in minutes
- User Guide - learn how to use the application