Distribution & Activation
Summary
Distribution & Activation coordinates the deployment of compiled policy artifacts to runtime components. It manages the propagation of policy snapshots to Policy Engine, FGA Engine, and Access Gateway instances, and controls when policies become active for evaluation.
Why It Exists
Compiled policy artifacts must reach all runtime components that evaluate authorization decisions. This requires:
- Coordinated distribution — All instances must receive the same artifact version
- Controlled activation — Policies should become active at a predictable time
- Status visibility — Operators need to know which policies are active where
- Rollback capability — Failed deployments must be recoverable
Distribution & Activation provides these capabilities through event-driven coordination.
Where It Fits in Keymate
Distribution & Activation is the final stage in the Access Manager pipeline.
Boundaries
This component handles:
- Artifact distribution to runtime components
- Activation state management
- Distribution status tracking
- Rollback coordination
This component does not handle:
- Policy compilation (Compile & Artifact Pipeline)
- Runtime policy evaluation (Policy Engine, FGA Engine)
- Request-time authorization (Access Gateway)
How It Works
Distribution Flow
Distribution States
| State | Description |
|---|---|
| Pending | Snapshot ready, distribution not started |
| Distributing | Artifact being sent to runtime components |
| Distributed | All target components have received the artifact |
| Failed | Distribution failed to one or more components |
Activation States
| State | Description |
|---|---|
| Inactive | Policy distributed but not evaluating requests |
| Activating | Activation in progress across components |
| Active | Policy evaluating authorization requests |
| Deactivating | Deactivation in progress |
Activation Control
Activation is separate from distribution:
- Distribute first — Artifact reaches all components
- Activate when ready — Operator or automation triggers activation
- Gradual rollout — Activation can target specific components or percentages
Status Tracking
Distribution & Activation maintains status for:
- Per-component distribution state
- Per-component activation state
- Overall policy deployment status
- Historical deployment records
Rollback
When issues occur after activation:
- Deactivate the problematic policy
- Reactivate the previous snapshot version
- All changes generate audit events
Example Scenario
Scenario
An operator activates a newly compiled policy for a production tenant. The policy must reach all Policy Engine instances before becoming active.
Input
- Actor: Operator
- Resource: Compiled policy snapshot
- Action: Activate
- Context: Production tenant, 3 Policy Engine instances
Expected Outcome
- Result: Policy active across all instances
- Why: Distribution completed successfully, activation confirmed on all targets
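The distribution gate, staged activation and rollback described above, as an added sketch that is not Keymate code or its API: the `Rollout` class, its methods, the instance ids `pe-1` to `pe-3` and the versions `v1`/`v2` are hypothetical. It refuses activation until every target has acknowledged the artifact, so instances do not end up evaluating different policy versions unintentionally.

```python
from dataclasses import dataclass, field

@dataclass
class Rollout:  # hypothetical model for illustration, not Keymate's API
    targets: tuple                                # runtime instance ids
    acks: dict = field(default_factory=dict)      # version -> {target: delivered_ok}
    active: dict = field(default_factory=dict)    # target -> active version
    previous: dict = field(default_factory=dict)  # target -> version it replaced
    audit: list = field(default_factory=list)     # (actor, action, version, target)

    def ack(self, version, *targets, ok=True):
        self.acks.setdefault(version, {}).update({t: ok for t in targets})

    def distribution_state(self, version):
        got = self.acks.get(version, {})
        if False in got.values():
            return "Failed"
        return "Distributed" if set(got) >= set(self.targets) else "Distributing" if got else "Pending"

    def activation_state(self, version):
        on = [t for t in self.targets if self.active.get(t) == version]
        return "Active" if len(on) == len(self.targets) else "Activating" if on else "Inactive"

    def activate(self, version, actor, only=None):
        if (state := self.distribution_state(version)) != "Distributed":
            raise RuntimeError(f"{version} is {state}; refusing to activate")
        for t in only or self.targets:            # `only` gives a staged rollout
            if self.active.get(t) != version:     # idempotent per target
                self.previous[t] = self.active.get(t)
                self.active[t] = version
                self.audit.append((actor, "activate", version, t))

    def rollback(self, version, actor):
        for t in [t for t in self.targets if self.active.get(t) == version]:
            self.active[t] = self.previous.get(t)  # restore what this target ran before
            self.audit.append((actor, "rollback", version, t))

def scenario():
    ids = ("pe-1", "pe-2", "pe-3")                 # constructed instance ids
    r = Rollout(targets=ids, active=dict.fromkeys(ids, "v1"))  # v1 already live
    r.ack("v2", "pe-1", "pe-2")                    # pe-3 has not received v2 yet
    try:
        r.activate("v2", "operator")
    except RuntimeError as exc:
        refused = str(exc)
    r.ack("v2", "pe-3")
    r.activate("v2", "operator", only=["pe-1"])    # staged: one instance first
    staged = r.activation_state("v2")
    r.rollback("v2", "operator")
    return refused, staged, r.activation_state("v1"), r.audit
```
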
Common Misunderstandings
- Distribution means activation — Distribution delivers the artifact; activation enables evaluation. These are separate steps.
- Activation is instantaneous — Activation propagates across distributed components; allow time for full propagation.
Avoid activating untested policies in production. Use staging environments to validate policy behavior before production activation.
Design Notes / Best Practices
- Use staged activation for high-impact policy changes
- Monitor distribution status before activating
- Maintain rollback snapshots for critical policies
- Configure alerts for distribution failures
Automate distribution and activation for standard policy updates. Reserve manual activation for sensitive or high-risk changes.
Related Use Cases
- Zero-downtime policy updates
- Gradual policy rollout
- Multi-region policy synchronization
- Emergency policy rollback