Main Workflows
Goal
The Admin Console is Keymate's central web interface for managing all platform entities across identity, authorization, governance, integrations, and observability. This guide documents the console's navigation structure, the universal CRUD workflow patterns that apply to every module, and the permission model that controls access to each section. After reading this page, you will know how to find any management screen in the sidebar, understand what to expect when creating, viewing, editing, or deleting entities, and determine which permissions a user needs to perform each action.
Audience
- Platform administrators who configure tenants, identity providers, and authorization policies
- IAM operators who manage users, roles, groups, organizations, and access permissions on a day-to-day basis
Prerequisites
- Access to the Admin Console (login URL provided by your platform administrator)
- An assigned role that grants the necessary permissions for the modules you need to manage (see Permission Model below)
Before You Start
The Admin Console enforces a role-based access model that determines which sidebar sections and actions are available to each user. The platform divides modules into two categories:
- Standard modules — Accessible to all authenticated users who hold the required resource permissions. These include modules under Identity, Authorization, Governance, Integrations, and Observability.
- Admin modules — Restricted to users with administrator-level roles. Currently, the Tenants module under Settings is the only admin-only module.
Each sidebar menu item checks a specific resource + scope permission before it appears. If you do not see a section in the sidebar, your assigned role does not grant the read scope for that module's resource. Contact your platform administrator to request the appropriate role assignment.
Console Navigation Structure
The Admin Console sidebar organizes all management screens into seven top-level sections. Each section groups related modules by domain.
Dashboard
The Dashboard (/dashboard) is the landing page that all authenticated users see after login. It provides an at-a-glance summary of platform activity and health metrics.
Identity
The Identity section groups all user and organization management modules:
| Module | Route | Description |
|---|---|---|
| Users | /identity/users | Create, view, edit, and delete user accounts. Access user detail tabs for basic info, attributes, and organization memberships. Supports impersonation and per-user permission views. |
| Roles | /identity/roles | Define and manage realm roles and composite roles. Assign roles to users and groups. |
| Groups | /identity/groups | Organize users into groups. View group overview, manage members, and assign roles to groups. |
| Organizations | /identity/organizations | Build and manage the organization hierarchy. Assign users to organizations. |
| Attribute Definitions | /identity/attribute-definitions | Define custom user attribute schemas that appear on user profiles. Found under the Attributes sub-group. |
| Organization Attributes | /identity/organization-attributes | Define custom property schemas for organizations. Found under the Attributes sub-group. |
Authorization
The Authorization section contains all access-control configuration modules:
| Module | Route | Description |
|---|---|---|
| Resource Servers | /authorization/resource-servers | Register and configure resource servers (APIs) that Keymate protects. |
| Resources | /authorization/resources | Define protected resources within resource servers. Found under the Resource Management sub-group. |
| Resource Types | /authorization/resource-types | Browse and manage resource type classifications. Found under the Resource Management sub-group. |
| Policies | /authorization/policies | Create and manage authorization policies. Supports multiple policy types: RBAC, ABAC, ReBAC, PBAC, RADAC, and Dynamic. |
| Permissions | /authorization/permissions | Link policies to resources to form enforceable permission rules. |
Governance
The Governance section provides template management for standardized configurations:
| Module | Route | Description |
|---|---|---|
| Organization Templates | /governance/templates/organization-templates | Create reusable organizational structure templates. Browse existing templates and create sub-templates from parent templates. Found under the Templates sub-group. |
| Policy Templates | /governance/templates/policy-templates | Define reusable policy templates that operators can instantiate into active policies. Found under the Templates sub-group. |
Integrations
The Integrations section manages external application connections:
| Module | Route | Description |
|---|---|---|
| Clients | /integrations/clients | Register and configure OAuth/OIDC client applications that connect to the platform. |
Observability
The Observability section provides monitoring and audit capabilities:
| Module | Route | Description |
|---|---|---|
| DLT Management | /observability/dlt-management | View and manage Dead Letter Topic (DLT) entries for failed event processing. |
| Sessions | /observability/sessions | Monitor active user sessions across the realm. |
Settings
The Settings section contains platform-wide configuration (admin-only):
| Module | Route | Description |
|---|---|---|
| Tenants | /settings/tenants | Manage tenant configurations. View tenant overview, members, clients, roles, resource servers, attribute definitions, organizations, and organization property templates. Requires administrator role. |
Common Workflow Patterns
All modules in the Admin Console follow a consistent set of CRUD (Create, Read, Update, Delete) workflow patterns. Once you learn the pattern in one module, you can apply the same approach across the entire console.
List View
Every module opens to a list view that displays all entities the current user has permission to read. List views provide:
- Search — Filter entities by name or other key fields (for example, users support search by name, username, and email)
- Filters — Narrow results by status, type, or other domain-specific criteria (for example, policies support filtering by policy type, status, and tags)
- Sorting — Order results by column headers
- Pagination — Navigate through large result sets using page controls with configurable page sizes
Create
Select the Create action (typically a button in the top-right area of the list view) to open a creation form or multi-step wizard.
- Forms — Most modules use a single-page form. For example, creating a role requires a name and an optional description.
- Wizards — Modules with complex entities use multi-step wizards. For example, creating a user walks through basic information, attribute assignment, and organization membership steps.
The create action requires the create scope on the module's resource. If you do not see the create button, your role does not grant this permission.
Detail View
Select any entity from the list view to open its detail view. Detail views display all entity properties and related data, often organized into tabs. For example, the user detail view includes tabs for:
- Basic — Core user properties (username, email, name, status)
- Attributes — Custom attribute values
- Organizations — Organization memberships
The detail view requires the read scope on the module's resource.
Edit
From the detail view, select the Edit action to modify an existing entity. The edit form pre-populates with the entity's current values. Save your changes to update the entity.
The edit action requires the update scope on the module's resource.
Delete
Entities can be removed in two ways:
- Single delete — From the detail view or via an action menu on a list row, delete one entity at a time.
- Bulk delete — Select multiple entities in the list view using checkboxes, then choose the bulk delete action.
The delete action requires the delete scope on the module's resource. Both single and bulk delete operations prompt for confirmation before executing.
Permission Model
The Admin Console uses a resource-and-scope permission model enforced through Keycloak. Every module maps to a resource, and every action maps to a scope. The platform checks the combination of resource + scope to determine whether the current user can view a sidebar item or perform an action.
Scopes
Four scopes control all module actions:
| Scope | Action | Description |
|---|---|---|
| read | View / List | Access list views and detail pages |
| create | Create | Open create forms and submit new entities |
| update | Edit | Modify existing entities |
| delete | Delete | Remove entities (single and bulk) |
Resources
Each module is protected by a permission resource. The following table lists all protected modules and the sidebar section where they appear:
| Module | Sidebar Section | Category |
|---|---|---|
| User Management | Identity > Users | Standard |
| Roles | Identity > Roles | Standard |
| Groups | Identity > Groups | Standard |
| Organizations | Identity > Organizations | Standard |
| User Attributes | Identity > Attribute Definitions | Standard |
| Organization Properties | Identity > Organization Attributes | Standard |
| Resource Servers | Authorization > Resource Servers | Standard |
| Resources | Authorization > Resources, Resource Types | Standard |
| Policies | Authorization > Policies | Standard |
| Permissions | Authorization > Permissions | Standard |
| Organization Templates | Governance > Organization Templates | Standard |
| Policy Templates | Governance > Policy Templates | Standard |
| Clients | Integrations > Clients | Standard |
| DLT Management | Observability > DLT Management | Standard |
| Sessions | Observability > Sessions | Standard |
| Tenant Management | Settings > Tenants | Admin-only |
All standard modules support four permission scopes: read, create, update, and delete. Tenant Management also supports all four scopes but is restricted to users with administrator-level roles.
To grant a user read-only access to a module, assign a role that includes only the read scope for that module's resource. The create, edit, and delete buttons will not appear in the console for that user. Hiding the buttons is a convenience, not the control: the resource + scope check is enforced by Keycloak on the action itself, so a request issued without the required scope is rejected with a "Forbidden" error regardless of what the console displays.
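The following is an added example, not Keymate's own code, that models the resource + scope checks described in this section so a role design can be tested before it is assigned. It assumes that the Keycloak resource names equal the Module column of the Resources table, that an admin-only module requires both an administrator-level role and the scope, and that the input permission list has the shape Keycloak returns for a token request with `response_mode=permissions` (a list of objects with `rsname` and `scopes`). The sample permission list is constructed for illustration.

```python
"""Model of the Admin Console's resource + scope permission checks.

Added example, not Keymate's own code. Assumptions: resource names equal the
Module column of the Resources table; admin-only modules need BOTH an
administrator role and the scope; the permission list has the shape Keycloak
returns for response_mode=permissions ([{"rsname": ..., "scopes": [...]}]).
"""
from dataclasses import dataclass

# Console action -> scope it requires (Scopes table).
ACTION_SCOPE = {"list": "read", "view": "read", "create": "create",
                "edit": "update", "delete": "delete"}


@dataclass(frozen=True)
class Module:
    name: str          # sidebar label
    section: str       # top-level sidebar section
    resource: str      # protected resource (assumed Keycloak resource name)
    admin_only: bool = False


# Module -> resource mapping from the Resources table. Note that Resources and
# Resource Types share one resource, so one grant unlocks both sidebar items.
MODULES = (
    Module("Users", "Identity", "User Management"),
    Module("Roles", "Identity", "Roles"),
    Module("Groups", "Identity", "Groups"),
    Module("Organizations", "Identity", "Organizations"),
    Module("Attribute Definitions", "Identity", "User Attributes"),
    Module("Organization Attributes", "Identity", "Organization Properties"),
    Module("Resource Servers", "Authorization", "Resource Servers"),
    Module("Resources", "Authorization", "Resources"),
    Module("Resource Types", "Authorization", "Resources"),
    Module("Policies", "Authorization", "Policies"),
    Module("Permissions", "Authorization", "Permissions"),
    Module("Organization Templates", "Governance", "Organization Templates"),
    Module("Policy Templates", "Governance", "Policy Templates"),
    Module("Clients", "Integrations", "Clients"),
    Module("DLT Management", "Observability", "DLT Management"),
    Module("Sessions", "Observability", "Sessions"),
    Module("Tenants", "Settings", "Tenant Management", admin_only=True),
)


def granted_scopes(permissions):
    """Collapse a Keycloak-style permission list into {resource: {scopes}}."""
    grants = {}
    for perm in permissions:
        grants.setdefault(perm["rsname"], set()).update(perm.get("scopes", ()))
    return grants


def is_allowed(grants, is_admin, module, action):
    """True if the user may perform `action` in `module`."""
    if module.admin_only and not is_admin:
        return False
    return ACTION_SCOPE[action] in grants.get(module.resource, set())


def visible_sidebar(grants, is_admin):
    """Sections and modules that render for this user, in sidebar order."""
    sidebar = {}
    for mod in MODULES:
        if is_allowed(grants, is_admin, mod, "list"):
            sidebar.setdefault(mod.section, []).append(mod.name)
    return sidebar


def explain_denial(grants, is_admin, module_name, action):
    """For a 'Forbidden' result, name the missing requirement (None if allowed)."""
    mod = next(m for m in MODULES if m.name == module_name)
    if is_allowed(grants, is_admin, mod, action):
        return None
    if mod.admin_only and not is_admin:
        return f"{module_name} is admin-only: administrator role required"
    return f"missing scope '{ACTION_SCOPE[action]}' on resource '{mod.resource}'"


# Constructed sample: an IAM operator with read-only users, full control of
# groups, read on Resources, and a Tenant Management grant but no admin role.
SAMPLE_PERMISSIONS = [
    {"rsname": "User Management", "scopes": ["read"]},
    {"rsname": "Groups", "scopes": ["read", "create", "update", "delete"]},
    {"rsname": "Resources", "scopes": ["read"]},
    {"rsname": "Tenant Management", "scopes": ["read"]},
]

if __name__ == "__main__":
    grants = granted_scopes(SAMPLE_PERMISSIONS)
    for section, mods in visible_sidebar(grants, is_admin=False).items():
        print(f"{section}: {', '.join(mods)}")
    print(explain_denial(grants, False, "Users", "create"))
    print(explain_denial(grants, False, "Tenants", "view"))
```

Running the sample shows two things the tables state but are easy to miss when designing roles: a single `read` grant on the Resources resource exposes both the Resources and Resource Types sidebar items, and a scope on Tenant Management does nothing for a user without an administrator-level role.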
Validation Scenario
Scenario
After logging in to the Admin Console, confirm that you can navigate the sidebar, view entity lists, and perform a basic create operation.
- Log in to the Admin Console with a user account that has full permissions, including an administrator-level role (Settings > Tenants is admin-only and will not appear otherwise).
- Expand each top-level sidebar section (Identity, Authorization, Governance, Integrations, Observability, Settings) and verify that all expected modules appear.
- Navigate to Identity > Groups.
- Select Create and enter a test group name such as `validation-test-group`.
- Save the new group.
- Return to the Groups list view.
Expected Result
- Every sidebar section and module listed in the Console Navigation Structure tables is visible.
- The create form opens without errors.
- After saving, the new group `validation-test-group` appears in the groups list.
How to Verify
- Scroll through the sidebar to cross-check each section against the navigation tables above.
- Open the groups list view and confirm `validation-test-group` is present.
- Optionally, delete the test group after validation to keep the environment clean.
Troubleshooting
- Missing sidebar section — Verify that the user's role includes the `read` scope for the corresponding module resource. Check role assignments under Identity > Roles.
- Create button not visible — The user's role does not include the `create` scope for that resource. Request a role update from the platform administrator.
- "Forbidden" error on action — The user attempted an action without the required scope (or, for Settings > Tenants, without an administrator-level role). Review the permission mapping in the Resources table above and adjust role assignments.
Next Steps
After familiarizing yourself with the console layout and common workflows, explore the dedicated guide for each module:
- User and Role Management — detailed workflows for managing users and roles
- Policy Management — create and configure authorization policies
- Organization Management — build and manage organization hierarchies