Core Capabilities
Summary
Keymate provides over 50 capabilities organized into seven categories. Each category addresses a distinct aspect of enterprise access governance, from fine-grained authorization models to deployment flexibility and compliance observability. Together, they form a comprehensive platform that extends Keycloak into a full access governance solution.
Why It Exists
Native Keycloak provides strong authentication and basic RBAC, but enterprise environments need more: contextual authorization, tenant-aware isolation, policy lifecycle management, edge enforcement, and deep observability. Keymate fills these gaps without requiring a platform replacement.
How It Works
Advanced Authorization
The authorization engine supports multiple access control models that can be composed together using policy aggregation strategies.
| Capability | Description |
|---|---|
| Role-Based Access Control (RBAC) | Scoped, tenant-aware role assignments with delegated management and real-time enforcement |
| Attribute-Based Access Control (ABAC) | Context-aware policies using user, resource, and environmental attributes (region, department, time) |
| Relationship-Based Access Control (ReBAC) | Graph-based access using entity relationships (owner, collaborator, manager) via the FGA engine |
| Risk-Adaptive Access Control (RADAC) | Dynamic decisions based on risk signals such as device posture, geolocation, and behavioral anomalies |
| Data Security Attribute Control (DSAC) | Fine-grained access based on data sensitivity classification and compliance tags |
| Policy-Based Access Control (PBAC) | Compose sub-policies using decision strategies: unanimous, affirmative, or consensus |
| Visual Policy Simulation | Simulate and trace access decisions with dry-run tools before deployment |
| Dual-Mode Policy Definition | Author policies visually (form UI) or in DSL code. Both modes stay in sync |
| Policy Lifecycle Management | Version, diff, review, approve, test, and roll back policies like software artifacts |
| Just-in-Time Role Elevation | Dynamic privilege elevation with time-bounded access and approval workflows |
| Why-Denied Analysis | Full visibility into every authorization decision. Shows failed conditions and missing attributes |
| Contextual Access Control | Authorization decisions that consider session context, token claims, and organizational structure |
| JavaScript Access Policies | Dynamic policies powered by custom JavaScript logic for complex business rules |
Organization Management
Native multi-tenancy support with organizational hierarchy, delegation, and tenant-aware token enrichment.
| Capability | Description |
|---|---|
| Multi-Tenant IAM | True tenant isolation. Each tenant gets isolated org units, policies, user bases, and delegated admins |
| Delegated Administration | Allow each tenant to manage its own users, roles, and org units within scoped, auditable boundaries |
| Org-Aware Token Enrichment | Enrich identity tokens with organizational context (department, unit, title, session role) for scoped decisions |
| Organization Lifecycle Management | Centralized control over the lifecycle of organizations, departments, and units |
Resource Modeling
Tools for defining, importing, and managing the resources and scopes that policies protect.
| Capability | Description |
|---|---|
| Swagger-Driven Import | Auto-generate API resources and scopes from OpenAPI definitions |
| Bulk Policy and Resource Import | Upload policies and resources at scale with JSON or CSV |
| Policy Templates | Define once, reuse everywhere with parameterized policy templates |
| Metadata-Driven Authorization | Use column-level metadata from the metadata catalog to drive fine-grained API authorization |
Integration
Connect Keymate to your existing infrastructure without application code changes.
| Capability | Description |
|---|---|
| API Gateway Plugins | Native API gateway plugins to enforce access control at the edge. No app code required |
| Service Mesh Filters | Service mesh and sidecar proxy integration for fine-grained access across service-to-service traffic |
| FGA Engine Backend | Managed FGA engine deployment as a dedicated relationship-based authorization backend |
| Risk and HRMS Enrichment | Enrich session tokens with dynamic signals from external risk engines and HRMS platforms |
| Delegation and Leave Events | React to real-time HRMS events for delegation and leave, automatically adjusting permissions |
| Parallel IAM Migration | Safe, staged migration from legacy IAM by operating in parallel mode with token exchange |
| Event Subscription API | Dual-mode (gRPC/REST) API for external systems to stream data into Keymate |
Compliance and Observability
Full auditability and observability across every authorization decision.
| Capability | Description |
|---|---|
| OpenTelemetry Integration | Native OpenTelemetry instrumentation, exported to the observability backend, giving end-to-end visibility across auth and event pipelines |
| Audit Logging | Comprehensive, structured, queryable logs for compliance, forensics, and operational monitoring |
| Regulatory Compliance | Built-in privacy and security controls aligned with KVKK, GDPR, and ISO 27001 |
| Access Decision Streaming | Stream every access decision into an event bus pipeline in real time |
| Central Audit Server | Immutable, tenant-aware, and fully traceable audit logging |
| Keycloak Extended Logging | Telemetry-ready, policy-aware, multi-tenant logging for IAM core |
Deployment
Flexible deployment options from managed SaaS to air-gapped on-premises installations.
| Capability | Description |
|---|---|
| Kubernetes and Helm | GitOps-friendly deployment on any Kubernetes cluster |
| Air-Gapped and Self-Hosted | IAM that works in offline, highly regulated, and zero-trust environments |
| VPC and Private Cloud | Dedicated deployments fully isolated within your own cloud network |
| Managed SaaS | Fully isolated, SLA-backed IAM hosting delivered as a hard-tenant cloud service |
| Environment Management | Promote, isolate, and govern IAM across dev, test, and production environments |
Platform
Administrative tools and developer experience for managing the entire access governance lifecycle.
| Capability | Description |
|---|---|
| Admin Console | Centralized, secure, tenant-aware UI for IAM governance |
| Frontend Framework | React/Next.js framework optimized for secure, scalable IAM admin interfaces |
| Policy Expression Editor | Advanced expression editor with real-time syntax validation and autocomplete |
| Customizable Admin Modules | Modular console components for tenant-specific governance needs |
Example Scenario
Scenario
An architect evaluating Keymate needs to understand how capabilities work together for a B2B2C fintech platform.
How Capabilities Compose
- Organization Management sets up tenant isolation for each partner bank
- RBAC + ABAC defines scoped roles enriched with attributes (region, data classification)
- ReBAC via the FGA engine models document ownership and collaboration relationships
- RADAC adds risk-adaptive controls for sensitive operations (payment approvals)
- API Gateway Plugin enforces decisions at the edge without app code changes
- Policy Simulation lets the team test new policies before production deployment
- OpenTelemetry + Audit Logging provide full observability and compliance evidence
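As an added example (not Keymate's own code), the following JavaScript shows how the PBAC decision strategies listed above (unanimous, affirmative, consensus) aggregate the scenario's RBAC, ABAC, ReBAC, RADAC and tenant sub-policies for a payment-approval request, and how the denied sub-policies feed a why-denied view. The policy names, context fields and the risk threshold of 50 are constructed assumptions; the strategy semantics follow Keycloak's documented meaning.

```javascript
// Added example, not Keymate's own code: a policy aggregator applying the three
// decision strategies (unanimous, affirmative, consensus) to the fintech
// scenario's sub-policies. Policy names, context fields and the risk threshold
// are constructed assumptions for illustration.
const GRANT = "GRANT", DENY = "DENY";

// Decision strategies with Keycloak's semantics:
//   unanimous   - every sub-policy must grant
//   affirmative - at least one sub-policy must grant
//   consensus   - grants must outnumber denies
const STRATEGIES = {
  unanimous: (votes) => votes.length > 0 && votes.every((v) => v === GRANT),
  affirmative: (votes) => votes.some((v) => v === GRANT),
  consensus: (votes) => {
    const grants = votes.filter((v) => v === GRANT).length;
    return grants > votes.length - grants;
  },
};

// Evaluate every sub-policy, aggregate the votes, and keep the names of the
// sub-policies that denied so a why-denied view can show what failed.
function evaluate(policies, ctx, strategy) {
  const decide = STRATEGIES[strategy];
  if (!decide) throw new Error(`unknown decision strategy: ${strategy}`);
  const votes = policies.map((p) => ({ name: p.name, vote: p.check(ctx) ? GRANT : DENY }));
  return {
    granted: decide(votes.map((v) => v.vote)),
    strategy,
    failed: votes.filter((v) => v.vote === DENY).map((v) => v.name),
  };
}

// Sub-policies protecting "payment approval" for a partner bank (constructed):
// tenant isolation, RBAC role, ABAC region match, ReBAC separation of duties
// (the approver must not own the payment), and a RADAC risk-score ceiling.
const paymentApprovalPolicies = [
  { name: "org:same-tenant", check: (c) => c.user.tenant === c.resource.tenant },
  { name: "rbac:payment-approver", check: (c) => c.user.roles.includes("payment-approver") },
  { name: "abac:same-region", check: (c) => c.user.region === c.resource.region },
  { name: "rebac:not-owner", check: (c) => c.user.id !== c.resource.ownerId },
  { name: "radac:low-risk", check: (c) => c.session.riskScore < 50 },
];

// Constructed request: an EU approver at bank-a with a low session risk score.
const request = {
  user: { id: "u-approver", tenant: "bank-a", region: "EU", roles: ["payment-approver"] },
  resource: { ownerId: "u-submitter", tenant: "bank-a", region: "EU" },
  session: { riskScore: 12 },
};
```

Under the unanimous strategy a raised risk score alone denies the request and `failed` names only the RADAC sub-policy; under affirmative or consensus the same request still passes, which is why the strategy choice belongs in policy review.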