// case study
Gate IAM
An identity and access management system for 100+ outlets and thousands of users
For gate.shop we built a comprehensive IAM (identity and access management) system that serves as the single source of identities and access permissions for all of the company’s employees. The system records what permissions each employee has and, based on them, controls who has access to what. It consists of a core — an OpenID Connect provider with a user-account store and integration web services — and a backoffice application for managing the entire system.
The brief
gate.shop needed a central place to manage employee identities and their access to internal systems. Off-the-shelf IAM solutions, however, did not cover a key requirement — modeling the company’s organizational reality built around outlets.
The system had to record a list of outlets and, for each outlet, the users assigned to it together with their permissions for that outlet. Part of the requirement was also delegated administration: some users at an outlet act in the role of outlet manager and must be able to manage the other users of their outlet. This model is not natively covered by common IAM tools, which is why we designed and built a custom solution.
Outlets, permissions and delegated administration
At the heart of the data model is the relationship between a user, an outlet and permissions. A user is assigned to one or more outlets and, for each of them, has their own set of permissions. The permissions are fine-grained — they are not handled only through coarse roles but through the specific actions a user is allowed to perform in a given context.
On top of this model sits delegated administration. Within their outlet, the outlet manager has the authority to manage its users — to add them, remove them and set their permissions within the scope of that outlet. Central IT thus does not have to handle every change at the level of an individual outlet, while still retaining a complete overview and control over the entire system.
The core: an OpenID Connect provider
The system’s core serves as an OpenID Connect provider and gives connected applications single sign-on (SSO). We built it on Spring Boot (Java 21), with the role of the actual OAuth2/OIDC engine filled by Ory Hydra, which handles the issuance and validation of tokens.
Hydra delegates login and consent granting back to our core — which manages the user-account store, verifies login credentials and contains all the business logic around outlets and permissions. This separation of responsibilities leaves the standardized protocol foundation to a proven component while keeping full control over identities and the authorization model in the hands of the application.
Integration of connected systems
The key internal systems of gate.shop connect to gate IAM as consumers of identities — the point-of-sale (POS) system, the warehouse system and the ERP system. The integration uses a clean pattern:
- A token for login — a user logs into the connected system via gate IAM (OIDC) and obtains a token that confirms their identity.
- Integration web services for detailed permissions — the connected system then asks, through the integration interfaces, what fine-grained permissions the user has for a specific outlet, and decides what to make available based on the response.
As a result, the authorization logic stays centralized in gate IAM and the individual systems do not have to duplicate it — they query a single reliable source of truth about who is allowed where and to do what.
The backoffice application
The second part of the solution is a backoffice application for managing the entire system. Two levels of users work in it:
- Central administrators — manage the system as a whole: they create outlets and employees, define the permission catalog and assign people to outlets across the entire company.
- Outlet managers — see and manage exclusively their own outlet: its users and their permissions within that outlet.
In the backoffice, besides outlets and users, the permission catalog is also managed, and an audit and change history is available — a complete overview of who changed which access and when. When the system was rolled out, we populated the initial employee database by importing from the previous solution. The application’s frontend is built on Svelte/SvelteKit.
Operations and infrastructure
The whole solution runs on Microsoft Azure, specifically on the Azure Kubernetes Service (AKS) platform. PostgreSQL serves as the store for user accounts, outlets and permissions.
Customer benefits
- A single source of identities and permissions — one central place that manages who is an employee and what they are allowed to do; connected systems draw from a single reliable source of truth.
- Single sign-on (SSO) — employees log into the POS, warehouse and ERP systems with one identity.
- An outlet model with no compromises — the system precisely reflects the organizational reality of gate.shop, which common IAM tools do not cover natively.
- Delegated administration relieves IT — outlet managers manage their own people, so central IT does not have to deal with every change at the outlet level.
- Fine-grained access control — permissions at the level of specific actions for a specific outlet instead of coarse roles.
- Auditability — a complete history of access changes, ready for inspection at any time.
- Easy integration of new systems — thanks to standard OIDC and integration web services, further applications connect to the ready-made authorization model without duplicating logic.