Authorization
Overview
This section explains how Keymate makes access decisions. Keymate supports multiple authorization models — RBAC, ABAC, ReBAC, PBAC, DSAC, RADAC, and SBAC — and composes them through a unified policy evaluation engine. Each model addresses a different access control pattern, and policies can combine models within a single evaluation. The section also covers delegation, data classification, and the evaluation pipeline that produces GRANT or DENY decisions.
When to Read This Section
Read this section when you need to understand which authorization model fits your access control requirements, how policies evaluate at runtime, how the platform composes multiple models, or how to enforce data-level access restrictions.
Who Should Start Here
- Architects selecting authorization models for their use cases
- Developers writing policies or integrating authorization checks
- Security engineers designing data classification and risk-adaptive controls
- Operators configuring policy evaluation and enforcement pipelines
Key Topics
- Authorization Model: Multi-model architecture and decision strategies
- RBAC: Role-based access through role and group membership
- ABAC: Attribute-based decisions using contextual conditions
- ReBAC: Relationship-based authorization through a fine-grained authorization engine
- PBAC: Policy composition with multi-model decision strategies
- SBAC: Scope-based authorization through OAuth scope grants
- DSAC: Data security controls with classification-driven access
- RADAC: Risk-adaptive decisions using contextual risk factors
- Policy Evaluation Model: Per-resource, per-scope evaluation pipeline and decision outcomes
- Delegation Model: Authority delegation and approval-aware access
- Data Classification & Masking: Classification-based data masking and field-level blocking
Representative Journeys
- I need to choose an authorization model for my use case -> Authorization Model
- I need to assign permissions through roles -> RBAC
- I need context-aware attribute conditions -> ABAC
- I need entity-to-entity relationship checks -> ReBAC
- I need to compose multiple models in one policy -> PBAC
- I need OAuth scope-driven authorization -> SBAC
- I need data classification controls -> DSAC
- I need risk-based adaptive decisions -> RADAC
- I need to understand how evaluation produces decisions -> Policy Evaluation Model
- I need to delegate authority between users -> Delegation Model
- I need to mask or block data fields -> Data Classification & Masking
Recommended Reading Order
- Authorization Model — understand the multi-model architecture
- RBAC — start with the foundational role-based model
- ABAC — add attribute-based conditions
- ReBAC — learn relationship-based authorization
- PBAC — compose multiple models
- SBAC — understand scope-based access
- DSAC — explore data security controls
- RADAC — explore risk-adaptive decisions
- Policy Evaluation Model — understand the evaluation pipeline
- Delegation Model — understand authority delegation
- Data Classification & Masking — understand field-level controls
Related Sections
- Policy Model — policy lifecycle, DSL, and simulation
- Resources & Scopes — protected resources that authorization evaluates against
- Identity — identity context that authorization consumes
- Token & Session — tokens carrying claims that feed authorization decisions