Identity Infrastructure

Provision identities
at infrastructure scale

Accession is the category-defining identity provisioning engine. Create, configure, and govern user lifecycles with a single deterministic operation. Zero drift. Zero ambiguity. Every identity, provisioned right.

Start Provisioning Read the Paper →
14M+ Identities provisioned daily
<2ms Median provisioning latency
99.997% Provisioning success rate
Provisioning Dashboard LIVE
Identity
jchen
Habitat
/home/jchen
Shell
/bin/bash
Groups
dev,docker
Commit
UID 1042
accession-cli
$ accession -m -s /bin/bash -G dev,docker -c "Jun Chen" jchen
Core Capabilities

Every identity parameter,
under deterministic control

Accession exposes a complete provisioning surface for user lifecycle management. Each capability maps to a discrete, auditable operation with predictable outcomes.

Habitat Generation

Automatically provision isolated filesystem environments for each identity. One flag triggers complete home directory scaffolding with inherited skeleton templates.

-m / --create-home

Shell Binding Protocol

Assign deterministic login shell paths at provisioning time. Full control over the initial interactive environment with no post-hoc configuration required.

-s SHELL

Multi-Cohort Enrollment

Associate a single identity with multiple supplementary groups in one atomic operation. Comma-delimited group membership, resolved and committed transactionally.

-G GROUP1,GROUP2,...

Deterministic Identity Addressing

Assign specific numeric identifiers to guarantee reproducible provisioning across environments. Eliminate UID drift between staging and production.

-u UID

Temporal Access Governance

Set account expiration dates at provisioning time. Time-bounded identities for contractors, interns, and project-scoped access — built into the identity primitive itself.

-e YYYY-MM-DD

Template Genome Propagation

Define custom skeleton directories that seed every new environment with org-standard configs, dotfiles, and toolchains. Inherit from any template path.

-k SKEL_DIR

Identity Metadata Injection

Embed GECOS-compliant metadata — full names, team designations, contact details — directly into the identity record at the moment of creation.

-c COMMENT

Infrastructure-Grade Identity

Provision system-level accounts with UID ranges allocated from the reserved system namespace. Purpose-built for daemons, services, and infrastructure agents.

-r / --system
Provisioning Pipeline

Watch an identity materialize
in real time

Every provisioning operation proceeds through a deterministic pipeline. Each stage is observable, auditable, and idempotent.

01

Parameter Resolution

Input flags are parsed, validated against schema, and merged with system defaults from the configuration layer.

02

UID Allocation

A unique numeric identifier is deterministically assigned from the configured range (UID_MIN–UID_MAX) or the explicit value supplied.

03

Group Binding

Primary group is created or resolved. Supplementary group memberships are validated and committed atomically.

04

Habitat Scaffolding

Home directory is created, skeleton templates are propagated, permissions and SELinux Context are applied.

05

Record Commit

Identity is committed to /etc/passwd, shadow records initialized, subuid/subgid allocated. The identity is now live.

Method

First principles identity provisioning

We re-derived identity management from the ground up. No abstraction layers. No YAML. One deterministic command, infinite composition.

01

Define the Identity

Specify the login name, metadata, UID, and group affiliations. Each parameter is a discrete, composable primitive that can be specified or deferred to intelligent defaults.

02

Configure the Environment

Set the home directory path, login shell, skeleton template, and filesystem permissions. Accession propagates your organizational defaults automatically.

03

Set Lifecycle Constraints

Apply temporal bounds — expiration dates, dormancy periods, password aging policies. Every identity has a lifecycle. Accession makes that lifecycle explicit.

04

Provision

One invocation. The identity materializes across all system registries — passwd, shadow, group, subuid — in a single atomic transaction. No partial states. No drift.

Default Inspector

Inspect your provisioning defaults

Accession's Default Inspector reveals the system configuration that governs every identity operation. Transparency is a feature, not a bug.

accession --defaults
GROUP 1000 Default primary group ID
HOME /home Base directory prefix
INACTIVE -1 Dormancy period (days after password expiry)
EXPIRE not set Account expiration date
SHELL /bin/bash Default login shell
SKEL /etc/skel Skeleton template directory
CREATE_MAIL_SPOOL yes Mail spool provisioning
UID_MIN 1000 Minimum UID for regular users
UID_MAX 60000 Maximum UID for regular users
UMASK 022 Default file creation mask
$ accession -D
Interactive Configurator

Build your provisioning command

Configure identity parameters visually. Accession compiles your selections into a single deterministic provisioning invocation.

Generated Command
$ accession -m -c "Jun Chen" -s /bin/bash -G dev,docker jchen
14M+
Identities provisioned daily across production clusters
99.997%
Provisioning success rate with zero partial-state failures
18
Discrete provisioning parameters in a single atomic call
<2ms
Median end-to-end provisioning latency (p50)
From the Field

What infrastructure leaders are saying

"We replaced our entire identity provisioning pipeline — three microservices, a message queue, and a reconciliation cron — with a single Accession invocation. The -m flag alone eliminated an entire team's backlog."
Maya Krishnamurthy
Maya Krishnamurthy VP Platform Engineering, NovaClusters
"Temporal Access Governance changed how we think about contractor onboarding. Setting -e at provisioning time means identities self-expire. No more stale accounts. No more security reviews for zombie identities."
Martin Kowalczyk
Martin Kowalczyk CISO, ScaleForge
"The Deterministic Identity Addressing feature (-u) gives us reproducible provisioning across staging, canary, and production. Same UID, same permissions surface, zero drift. This is what infrastructure-grade identity looks like."
Alina Petrov
Alina Petrov Lead SRE, Meridian Systems
"We provision 40,000 system accounts per deploy cycle using -r. Accession's Infrastructure-Grade Identity mode with SYS_UID ranges gives us the isolation guarantees we need for our service mesh architecture."
Anita Kapoor
Anita Kapoor Principal Architect, Stratos Cloud
Pricing

Identity provisioning for every scale

Start provisioning identities immediately. Upgrade as your identity surface area grows.

Starter
$0 forever

For individual operators exploring deterministic identity provisioning.

  • 5 identity provisions / month
  • Basic login name creation
  • Default shell assignment only
  • Auto-assigned UID
  • Community support
Get Started
Most Popular
Professional
$29 /month

Full provisioning surface for growing infrastructure teams.

  • Unlimited identity provisions
  • Habitat Generation (-m)
  • Custom shell binding (-s)
  • Multi-Cohort Enrollment (-G)
  • Deterministic UID (-u)
  • Metadata Injection (-c)
  • Custom home paths (-d)
  • Priority support
Start Free Trial
Infrastructure
$89 /seat/month

Mission-critical identity governance for platform teams.

  • Everything in Professional
  • Temporal Governance (-e, -f)
  • Template Propagation (-k)
  • System accounts (-r)
  • Config overrides (-K)
  • Default Inspector (-D)
  • Non-unique UID (-o)
  • Audit trail & SSO
Start Trial
Enterprise
Custom

For organizations provisioning at planetary scale with compliance requirements.

  • Everything in Infrastructure
  • Dedicated provisioning cluster
  • Custom skeleton genome libraries
  • Advanced lifecycle policies
  • CHROOT provisioning (-R)
  • 99.999% SLA
  • SOC 2 & ISO 27001
  • Dedicated solutions architect
Our Thesis

Identity is infrastructure

Every system is, at its foundation, a graph of identities and the permissions surfaces they occupy. Yet for decades, the act of creating an identity — the single most consequential operation in any computing environment — has been treated as an afterthought. A side effect of some larger workflow. An API call buried in a provisioning script that nobody audits and everyone assumes works.

We built Accession because we believe identity provisioning deserves the same rigor as database migrations, the same observability as network traffic, and the same determinism as cryptographic operations. An identity created with ambiguous defaults is a security incident waiting to happen. An identity created without lifecycle constraints is technical debt that compounds silently. Every identity parameter that is left unspecified is a decision deferred — and deferred decisions, in infrastructure, become incidents.

Accession makes every identity primitive explicit, every default inspectable, and every provisioning operation atomic and auditable. This is not incremental improvement. This is a category redefinition. Identity provisioning is not a feature. It is the feature.

FAQ

Frequently asked questions

Accession's UID allocation engine automatically selects the smallest available identifier greater than or equal to UID_MIN (default: 1000) and greater than every existing user's UID. This guarantees monotonically increasing, collision-free allocation without manual intervention. For deterministic, reproducible deployments, we recommend specifying UIDs explicitly with the -u parameter.

Yes. By default, Accession does not create a home directory unless the -m flag is explicitly provided. For cases where system-wide defaults would trigger home directory creation, you can explicitly suppress it with the -M (no-create-home) flag. This is particularly useful for service accounts and ephemeral identities that don't require persistent filesystem state.

The -e (expiredate) parameter accepts a date in YYYY-MM-DD format and sets the point at which the identity is automatically disabled. Combined with -f (inactive), you can define a grace period in days after password expiry before the account locks. Together, these parameters give you complete temporal lifecycle governance at the provisioning layer — no external cron jobs or cleanup scripts required.

Accession is built for infrastructure-grade throughput. Our enterprise customers provision tens of thousands of identities per deployment cycle. The -K (key override) flag allows you to dynamically configure system parameters like UID_MIN, UID_MAX, PASS_MAX_DAYS, and UMASK on a per-invocation basis, enabling multi-tenant provisioning from a single control plane.

By default, Accession enforces UID uniqueness as a safety invariant. However, for advanced use cases — such as aliased service identities or legacy migration scenarios — the -o (non-unique) flag allows multiple login names to map to the same numeric identifier. This is an Infrastructure-tier feature and requires explicit opt-in due to its implications for permission surface overlap.

See mandō's portfolio

Lyst Drift Locus Repliq Portage Voidal Scaffold Vøid Imprint Concat Stratum Folio Topline Tailstream Sieve Seekr Rewrite Trellis Sortable SINGULR Census Slice Morph FanOut Argonaut Reverb Formatik Epoch Solstice IDENT Signum Quorum Pulsar Overseer Terminus PURGE Dispatch Sotto Limelight Persist Vantage Canopy Attaché Détaché Tether Aegis CLAIMR Cohort Archivex Deflate Unravel ArcVault XTRAKT Conduit Fetch VaultLink Teleport DeltaSync Heartbeat Hopscotch Resolver Namesake Uplink CONNEX Callsign Milieu Propagate Sourcery Persona SEVER Chronicle Codex Relevance Resolv Nomenclature MAGIQ Intrinsic Diverge Patchwork VIGIL Breeze Cadence Kronos Atelier SUPRA Mandate Turnkey AFFIRMATIV Accession Reforge Collective PipeForge Netweave Panoptik Substrate Repose Verity FAULTR Provenance Chrono