IAM Please

You are the Gatekeeper.

It's your first week at a fast-growing cloud company, and you've been assigned to the Access Review Bureau. Your job: review incoming IAM access requests and stamp them APPROVE or DENY. Sounds simple — until an intern asks for production database access "just to look around," a developer wants wildcard permissions to "ship faster," and an admin needs emergency break-glass access with a 30-minute window.

IAM Please is a Papers, Please–inspired browser game that teaches cloud security through document-inspection gameplay. Review access request tickets, consult your rulebook, and make the call. Get it right and you keep the company safe. Get it wrong and... well, that's how breaches happen.

How it works

Each day, a stack of access request tickets lands on your desk. Every ticket shows who's asking, what they want, why they need it, and what resources they're after. Your rulebook tells you what each role is allowed to do. Your job is to cross-reference the request against the rules and stamp your decision — then pick a rationale code explaining why.

Approve something too broad? That's a dangerous false approval. Deny something legitimate? You're blocking the team. Both cost you points.

What you'll learn (without realizing it)

• Implicit deny: no allow means no access
• Least privilege: grant only what's needed, nothing more
• RBAC basics: roles define what actions are permitted on which resources
• ABAC tag policies: environment, team, and data classification constraints
• Permission boundaries and SCPs: guardrails that cap what anyone can do, regardless of role
• Break-glass access: when and how emergency privileges should work
• PassRole traps: why broad delegation permissions are dangerous

Progressive difficulty across 10+ days

• Days 1–3: Straightforward role-based decisions. Learn the matrix.
• Days 4–7: ABAC tags enter the picture. Environment scoping, team boundaries, data classification.
• Days 8–10: Guardrails activate. Permission boundaries and org-wide SCPs override your role matrix.
• Beyond: Break-glass scenarios, PassRole traps, and incomplete requests that test your instincts.

Features

• Papers, Please–style document inspection gameplay
• Deterministic decision engine — every scenario has exactly one correct answer
• Immediate feedback after every stamp explaining what you got right or wrong
• End-of-day debriefs showing patterns in your mistakes
• Keyboard-first controls (A to approve, D to deny, Tab to navigate)
• Leaderboard to compete with other gatekeepers
• Runs entirely in your browser — no install, no account required
• Built with vanilla HTML/CSS/JS, no frameworks

Who is this for?

• Cloud engineers who want to sharpen their IAM instincts
• Security teams looking for a fun training tool
• Students learning about access control and authorization
• Anyone who's ever wondered "should I approve this?"

Play it. Learn least privilege. Don't let the wildcards through.