Overview
Summary
Access Manager is the control plane component that manages policy governance, compilation, and distribution across the Keymate authorization platform. It provides the orchestration layer between policy authoring in Admin Console and policy evaluation in runtime components like Policy Engine and FGA Engine.
Why It Exists
Enterprise authorization systems require more than runtime policy evaluation. Organizations need:
- Governance workflows — Approval processes before policies affect production
- Version control — Track policy changes and enable rollback
- Compilation — Transform policy definitions into optimized runtime artifacts
- Distribution — Coordinate policy deployment across distributed components
- Topology awareness — Map authorization decisions to the correct data contexts
Access Manager addresses these requirements by providing a dedicated control plane for policy lifecycle management.
Where It Fits in Keymate
Access Manager sits between the authoring layer (Admin Console) and runtime components. It receives policy definitions, processes them through governance workflows, compiles them into runtime artifacts, and distributes them to evaluation points.
Boundaries
Access Manager handles:
- Policy lifecycle state transitions
- Governance workflow orchestration
- Policy compilation and artifact generation
- Distribution coordination to runtime components
- Authorization topology metadata management
Access Manager does not handle:
- Runtime policy evaluation (Policy Engine, FGA Engine)
- Request-time authorization decisions (Access Gateway, Permission Gateway)
- Identity authentication (Keycloak)
- User and role administration (Admin Console)
How It Works
Access Manager operates through four interconnected subsystems:
Policy Lifecycle & Governance
Manages policy state transitions from draft through production. Provides approval workflows, version tracking, and audit trails for compliance requirements.
Compile & Artifact Pipeline
Transforms policy definitions into optimized runtime artifacts. Validates policy syntax, resolves references, and generates immutable snapshots for deployment.
Authorization Topology Service
Maintains metadata about authorization contexts and data relationships. Maps policies to the correct evaluation contexts based on resource topology.
Distribution & Activation
Coordinates policy deployment to runtime components. Manages activation state and ensures consistent policy versions across distributed services.
Diagram
Example Scenario
Scenario
A policy author creates a new RBAC policy granting the "editor" role write access to documents. The policy must go through governance approval before reaching production.
Input
- Actor: Policy Author
- Resource: New RBAC policy definition
- Action: Submit for approval
- Context: Staging tenant, document resource type
Expected Outcome
- Result: Policy enters review state
- Why: Governance workflow requires approval before compilation and distribution
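As an added illustration of the lifecycle described under How It Works and the scenario above (example code, not Keymate's own API; the state names, transition table and class names are assumptions), a minimal control-plane model that enforces the governance order, records an audit trail, keeps immutable versioned snapshots, and rolls back by re-activating an earlier version:

```python
# Added illustrative model of the lifecycle described above; it is not Keymate's
# API. The state names, transition table and class names are assumptions.
from collections import namedtuple
from dataclasses import dataclass, field
from enum import Enum
State = Enum("State", "DRAFT IN_REVIEW APPROVED REJECTED COMPILED ACTIVE")
# Governance rules: review cannot be skipped, nothing reaches ACTIVE without a
# compile, and editing an active policy starts a revision that is reviewed again.
TRANSITIONS = {
    State.DRAFT: {State.IN_REVIEW},
    State.IN_REVIEW: {State.APPROVED, State.REJECTED},
    State.REJECTED: {State.DRAFT},
    State.APPROVED: {State.COMPILED},
    State.COMPILED: {State.ACTIVE},
    State.ACTIVE: {State.DRAFT},
}
# Immutable compiled artifact; runtime components evaluate this, never the draft.
Snapshot = namedtuple("Snapshot", "policy version rules")
@dataclass
class Policy:
    name: str
    definition: dict
    state: State = State.DRAFT
    audit: list = field(default_factory=list)  # trail of (actor, from, to)
    def transition(self, actor: str, new: State) -> None:
        if new not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state.name} -> {new.name} not allowed")
        self.audit.append((actor, self.state.name, new.name))
        self.state = new

class ControlPlane:  # compiled snapshots plus the version active per policy
    def __init__(self) -> None:
        self.snapshots: dict[str, list[Snapshot]] = {}
        self.active: dict[str, int] = {}

    def compile(self, actor: str, p: Policy) -> Snapshot:
        p.transition(actor, State.COMPILED)  # raises unless the policy is APPROVED
        versions = self.snapshots.setdefault(p.name, [])
        versions.append(Snapshot(p.name, len(versions) + 1, tuple(sorted(p.definition.items()))))
        return versions[-1]

    def activate(self, actor: str, p: Policy, version: int = 0) -> Snapshot:
        versions = self.snapshots.get(p.name, [])
        chosen = version or len(versions)  # an older version here is a rollback
        if not 1 <= chosen <= len(versions):
            raise ValueError("no such compiled version")
        if p.state is not State.ACTIVE:  # first activation completes the lifecycle
            p.transition(actor, State.ACTIVE)
        self.active[p.name] = chosen
        return versions[chosen - 1]
```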
Common Misunderstandings
- Access Manager evaluates policies — Access Manager manages policy lifecycle; Policy Engine and FGA Engine perform runtime evaluation
- Policies are immediately active after creation — Policies must complete the governance workflow and be explicitly activated
Access Manager coordinates policy distribution but does not guarantee immediate consistency across all runtime components. Allow for propagation time after activation.
Design Notes / Best Practices
- Use governance workflows for production tenants to maintain audit trails
- Create policy snapshots before major changes to enable rollback
- Monitor distribution status to verify policy propagation
Start with simple policies and governance workflows. Add complexity only when requirements demand it.
Related Use Cases
- Multi-tenant policy isolation
- Staged policy rollout across environments
- Policy versioning and rollback
- Compliance audit for policy changes