What is Keymate
Summary
Keymate is a modern access governance platform that builds on Keycloak without replacing it. It adds fine-grained authorization, tenant-aware isolation, risk-adaptive control, and policy observability directly into your existing Keycloak setup. Designed for real-world IAM challenges, Keymate makes it easier to build, simulate, and audit policies across APIs, services, and organizations.
Why It Exists
Enterprise IAM environments commonly face three persistent challenges:
- RBAC role explosion: As systems grow, roles multiply. At scale (hundreds of tenants, dozens of apps), role management becomes the work itself. Intent gets buried under layers of exceptions and ad-hoc grants.
- Multi-tenancy gaps: B2B, B2B2C, and G2C topologies require strict tenant isolation and delegated administration. Without first-class support, operations fall back to spreadsheets and manual approvals.
- Policy invisibility: Authorization decisions happen in the dark. Policies are treated as configuration, not software artifacts. There are no diffs, no reviews, no rollbacks. When access is denied, nobody can explain why.
Keymate was created to address these problems without forcing a risky "rip-and-replace" of your existing identity infrastructure.
Where It Fits in Keymate
Keymate operates as a governed authorization layer on top of Keycloak. It does not replace Keycloak's authentication, user federation, or SSO capabilities. Instead, it extends Keycloak with capabilities that the native platform does not provide:
- Fine-grained, context-aware access decisions (ABAC, ReBAC, RADAC, DSAC)
- Tenant-aware organization management and delegated administration
- Policy lifecycle management (version, review, approve, simulate, rollback)
- Decision observability with full audit trails
- Edge enforcement through API Gateway plugins and service mesh filters
Boundaries
What Keymate does:
- Adds fine-grained authorization models (RBAC, ABAC, ReBAC, RADAC, DSAC, PBAC) on top of Keycloak
- Provides multi-tenant organization management with delegated administration
- Offers policy lifecycle management: authoring, simulation, versioning, approval, and rollback
- Enforces access decisions at the edge (API Gateway, service mesh) and via SDKs
- Delivers full observability through OpenTelemetry integration and audit logging
- Supports parallel run alongside legacy IAM for safe, gradual migration
What Keymate does not do:
- Replace Keycloak or any other identity provider
- Handle authentication, user federation, or SSO (these remain with Keycloak)
- Require user migration or application rewrites
- Act as a "black box." All decisions are explainable and auditable
How It Works
At a high level, every access request flows through three stages:
- Authentication happens in Keycloak as usual. Users authenticate, tokens are issued.
- Authorization is evaluated by Keymate's policy engine. The engine considers the user's roles, attributes, organizational context, risk signals, and data sensitivity to make a context-aware decision.
- Enforcement occurs at the nearest edge: an API Gateway plugin, a service mesh filter, or an application-level SDK call. No application code changes are required when enforcement happens at the gateway or mesh level.
Every decision produces a decision trace: a structured record of which policies were evaluated, which conditions matched, and why access was granted or denied. These traces feed into the observability pipeline for audit, compliance, and debugging.
Example Scenario
Scenario
A finance analyst at Tenant ACME attempts to approve a payment after business hours from an untrusted device.
Input
- Actor: User with
FINANCE_ANALYSTrole, scoped to Tenant ACME - Resource:
invoice:987 - Action:
approve_payment - Context: After-hours (23:18 UTC), VPN active, risk score 7, untrusted device
Expected Outcome
- Decision: Denied
- Why: The RBAC policy permits the role, the ABAC region policy matches, but the RADAC risk policy denies access because
risk_score >= 6and the device is untrusted. The decision trace shows exactly which policy fired the denial.