Attribute Value Inheritance

Summary

Keymate resolves attribute values through two parallel inheritance mechanisms. User attributes follow a three-level priority chain: a user-specific value overrides a tenant-scoped value, which overrides a global value. Attribute value defaults follow a separate chain: a tenant-type-scoped value overrides a global-for-tenant-type value. Each mechanism produces one effective value per attribute definition, and the resolved values feed into policy evaluation, token projection, and admin interfaces.

Why It Exists

Managing attribute values independently for every user and every context does not scale. A global deployment with thousands of users across multiple tenants needs sensible defaults that propagate automatically while allowing targeted overrides where specific contexts require different values. Inheritance lets administrators set a value once at the appropriate scope and have it apply to all entities below, reducing configuration effort and ensuring consistency.

Where It Fits in Keymate

Attribute value inheritance sits between attribute definitions (which declare the schema) and the consumers that use resolved values:

  • Policy Engine — evaluates authorization decisions against the effective attribute values for a user in a given context.
  • Token projection — token claims include the resolved effective value, not the raw per-scope values.
  • Admin interfaces — display the effective value alongside an indication of which scope provided it.

Boundaries

Attribute value inheritance covers:

  • How the platform resolves one effective value per attribute definition
  • The priority order within each inheritance mechanism
  • The distinction between user attributes and attribute value defaults

Attribute value inheritance does not cover:

How It Works

User attribute inheritance

User attributes represent values assigned to a specific user, optionally scoped to a tenant. When the platform resolves a user's effective attribute value in a tenant context, it evaluates three levels in descending priority:

  1. User-specific value — a value explicitly set for this user without any scope restriction. Takes highest priority.
  2. Tenant-scoped value — a value set for this user within a specific tenant. Used when no user-specific value exists.
  3. Global value — a platform-wide value for this user that applies when neither a user-specific nor a tenant-scoped value exists.

The platform selects the highest-priority non-empty value and returns it as the effective value. Each attribute definition produces exactly one effective value per user per context.

Attribute value defaults

Attribute value defaults provide pre-configured values based on tenant type. These defaults operate independently of user attributes and follow their own priority chain:

  1. Tenant-type-scoped value — a value set for a specific tenant type. Takes priority over the global default for that tenant type.
  2. Global for tenant types — a default value that applies to all tenants of a particular type.

Attribute value defaults establish baseline configurations before any user-level values are assigned. For example, a "preferred language" attribute might default to Turkish for tenants of a particular type and to English globally.

How the two mechanisms relate

User attributes and attribute value defaults serve different purposes:

  • Attribute value defaults establish the starting point — what values apply when no user-level assignment exists.
  • User attributes represent actual assignments — values that users, tenant administrators, or automated processes have explicitly set.

When resolving what a user sees or what a policy evaluates, the platform uses the user attribute inheritance chain. Attribute value defaults feed into this process as the baseline from which tenant-scoped and user-specific overrides diverge.

After resolving effective user attribute values, the platform applies legal restriction masking. If a user has an active legal restriction, attributes whose definitions are not marked as visible under legal restrictions return a masked value instead of the actual value. See Sensitive Data & Compliance Tags for details.

Diagram

Example Scenario

Scenario

A platform administrator configures a "preferred language" attribute across multiple scopes. The global default is set to English. A specific tenant serving a Turkish-speaking user base overrides this at the tenant level. One user within that tenant has an explicit preference for German.

Input

  • Actor: User user@example.com in the Acme Corp tenant
  • Resource: Attribute definition preferred-language
  • Action: Resolve effective value
  • Context: Global value = en, Acme Corp tenant-scoped value = tr, user-specific value = de

Expected Outcome

  • Effective value: de
  • Why: The user-specific value takes highest priority. If the user had no explicit preference, the effective value would be tr (the tenant-scoped value for Acme Corp). If neither existed, the global default en would apply.
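The resolution described under How It Works and the preferred-language scenario above, as an added Python example that is not Keymate's own code: the in-memory store, the scope labels, the MASKED placeholder and the assumption that attribute value defaults are consulted only when every user-level scope is empty are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MASKED = "<masked>"   # constructed placeholder; the page does not show the real masked value
EMPTY = (None, "")    # values treated as "no value at this scope"


@dataclass
class Definition:
    name: str
    visible_under_legal_restriction: bool = True


@dataclass
class Store:
    """Constructed stand-in for the per-scope value tables."""
    user_specific: Dict[Tuple[str, str], str] = field(default_factory=dict)        # (user, attr)
    tenant_scoped: Dict[Tuple[str, str, str], str] = field(default_factory=dict)   # (user, tenant, attr)
    user_global: Dict[Tuple[str, str], str] = field(default_factory=dict)          # (user, attr)
    tenant_type_default: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (tenant_type, attr)
    global_default: Dict[str, str] = field(default_factory=dict)                   # attr
    legally_restricted: Set[str] = field(default_factory=set)                      # users under restriction


def resolve(store: Store, definition: Definition, user: str, tenant: str, tenant_type: str):
    """Return (effective value, scope that provided it) for one attribute definition."""
    attr = definition.name
    # User attribute chain, narrowest scope first; the attribute value defaults chain
    # follows as the baseline (assumption: consulted only when the user chain is empty).
    chain = (
        ("user-specific", store.user_specific.get((user, attr))),
        ("tenant-scoped", store.tenant_scoped.get((user, tenant, attr))),
        ("global", store.user_global.get((user, attr))),
        ("tenant-type-default", store.tenant_type_default.get((tenant_type, attr))),
        ("global-default", store.global_default.get(attr)),
    )
    value, scope = next(((v, s) for s, v in chain if v not in EMPTY), (None, None))
    # Legal restriction masking is applied after resolution, not instead of it.
    if user in store.legally_restricted and not definition.visible_under_legal_restriction:
        return MASKED, scope
    return value, scope


def scenario_store() -> Store:
    """The page's scenario as constructed data: global en, Acme Corp tr, user-specific de."""
    s = Store()
    s.user_global[("user@example.com", "preferred-language")] = "en"
    s.tenant_scoped[("user@example.com", "Acme Corp", "preferred-language")] = "tr"
    s.user_specific[("user@example.com", "preferred-language")] = "de"
    return s
```

Deleting the user-specific entry in the store reproduces the fallback the warning below describes: the tenant-scoped value, then the global value, becomes visible.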

Common Misunderstandings

  • "Attribute values follow a four-level chain: global → tenant → organization → user." — The platform uses two separate inheritance mechanisms, each with its own scope levels. User attributes resolve through user-specific, tenant-scoped, and global levels. Attribute value defaults resolve through tenant-type-scoped and global-for-tenant-type levels. There is no organization level in the inheritance chain.
  • "User attributes and attribute value defaults are the same thing." — They serve different purposes. User attributes are per-user assignments with optional tenant context. Attribute value defaults are pre-configured baseline values based on tenant type. They operate through separate resolution paths.
  • "The broadest scope always wins." — The opposite is true. The most specific (narrowest) scope takes priority. A user-specific value overrides a tenant-scoped value, which overrides a global value.
Warning

Removing a value at a narrow scope causes the platform to fall back to the next broader scope. Deleting a user-specific value does not leave the attribute empty — it exposes the tenant-scoped or global value instead. Verify the fallback value before deleting narrow-scope overrides.

Design Notes / Best Practices

  • Set global defaults first. Establish sensible platform-wide values before configuring tenant-scoped or user-specific overrides. This ensures every user has a reasonable effective value even before targeted configuration.
  • Override only where the default does not apply. Avoid setting the same value at multiple scopes. If the global default is correct for a tenant, do not duplicate it at the tenant scope — duplication creates maintenance overhead with no behavioral benefit.
  • Use attribute value defaults for tenant-type baselines. When tenants of a particular type share common attribute values, configure these at the tenant-type scope rather than repeating them per tenant.
  • Audit effective values after scope changes. When modifying a value at a broad scope (global or tenant), review the effective values for users at narrower scopes to confirm the change produces the intended result.
Tip

When troubleshooting unexpected attribute values, check all scopes in the inheritance chain. The effective value comes from the narrowest scope that has a non-empty value — a tenant-scoped override may be masking a recent global change.

  • Setting platform-wide defaults for attributes like preferred language, notification preferences, or display density
  • Overriding a global default at the tenant level for tenants with specific regulatory or business requirements
  • Assigning user-specific attribute values during onboarding or profile updates
  • Configuring tenant-type defaults for attributes that vary by tenant category