
Fine-Grained Authorization with OpenFGA

Model complex permission logic across users, resources, actions, and context—powered by OpenFGA and deeply integrated with Keymate.

Contextual Authorization with Relationship-Based Access Control

Why It Matters

Role-based access control (RBAC) on its own cannot express the permission logic modern applications need. Organizations today require:

Context-aware authorization (department, location, role)
Resource-specific policies (only the owner or a manager can edit)
Temporal and risk-aware conditions (time-based access, MFA escalation)
Hierarchical relationships (organizations, units, delegated roles)

Keymate brings all of this to life with its native OpenFGA integration and SDK support.

Relationship-Based Access Decisions—Backed by OpenFGA

Use Cases:

A user can approve an invoice only if they are in the finance department
An inspector can view the reports of assigned organizations, but not edit them
A deputy can act on behalf of a supervisor for 7 days

Key Components:

Policies are modeled in the Keymate DSL and pushed to OpenFGA as an authorization model plus relationship tuples
At request time, the user → resource → action mapping is checked
Context from the token/session (org, dept, hat, risk) is evaluated alongside the stored relationships
OpenFGA's check returns ALLOW or DENY
The result is cached and traced for auditability (a cached ALLOW is served until it expires, so keep the cache lifetime within what your revocation requirements tolerate)
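The three use cases above and the check flow just listed, traced end to end. This is an added example, not Keymate's or OpenFGA's code: a small in-memory evaluator that reproduces the subset of OpenFGA check semantics the use cases need (directly assigned tuples, computed relations such as "owner or manager", tuple-to-userset relations such as "inspector from org", and conditions fed from tuple parameters plus request context). It omits type restrictions, usersets, exclusion and intersection. The OpenFGA DSL string is the model the Python rules mirror and is shown for reference only. All names (invoice:42, organization:acme, the users alice, bob, ivan and mia, the department claim, the condition names) are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reference only: the OpenFGA model the Python rules below mirror (what a policy
# for these use cases would look like once pushed to OpenFGA).
OPENFGA_DSL = """
model
  schema 1.1
type user
  relations
    define deputy: [user with non_expired_grant]
type organization
  relations
    define inspector: [user]
type invoice
  relations
    define org: [organization]
    define owner: [user]
    define manager: [user]
    define approver: [user with in_department]
    define can_view: owner or manager or inspector from org
    define can_edit: owner or manager
    define can_approve: approver or deputy from approver
condition in_department(dept: string, required_dept: string) {
  dept == required_dept
}
condition non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
  current_time < grant_time + grant_duration
}
"""
# Rewrite rules per relation: ("direct",) = stored tuple, ("computed", r) = "r" on the
# same object, ("ttu", tupleset, r) = "r from tupleset" (follow the related object).
MODEL = {
    "user": {"deputy": [("direct",)]},
    "organization": {"inspector": [("direct",)]},
    "invoice": {
        "org": [("direct",)], "owner": [("direct",)], "manager": [("direct",)],
        "approver": [("direct",)],
        "can_view": [("computed", "owner"), ("computed", "manager"), ("ttu", "org", "inspector")],
        "can_edit": [("computed", "owner"), ("computed", "manager")],
        "can_approve": [("computed", "approver"), ("ttu", "approver", "deputy")],
    },
}
# Condition bodies: tuple parameters (required_dept, grant_*) merged with request context.
CONDITIONS = {
    "in_department": lambda p: p["dept"] == p["required_dept"],
    "non_expired_grant": lambda p: p["current_time"] < p["grant_time"] + p["grant_duration"],
}

@dataclass
class Tuple:  # (user, relation, object) plus an optional condition, as stored in OpenFGA
    user: str
    relation: str
    obj: str
    condition: str | None = None
    params: dict = field(default_factory=dict)

def condition_holds(t: Tuple, context: dict) -> bool:
    if t.condition is None:
        return True
    try:
        return bool(CONDITIONS[t.condition]({**t.params, **context}))
    except KeyError:  # missing parameter: fail closed (OpenFGA reports an evaluation error)
        return False

def check(user: str, relation: str, obj: str, context: dict, tuples: list[Tuple]) -> bool:
    """Resolve user -> relation -> object the way an OpenFGA Check does."""
    for rule in MODEL.get(obj.split(":", 1)[0], {}).get(relation, []):
        if rule[0] == "direct":
            if any(t.user == user and t.relation == relation and t.obj == obj
                   and condition_holds(t, context) for t in tuples):
                return True
        elif rule[0] == "computed":
            if check(user, rule[1], obj, context, tuples):
                return True
        else:  # tuple-to-userset; a conditional tupleset tuple is evaluated with the caller's context
            _, tupleset, r = rule
            if any(t.obj == obj and t.relation == tupleset and condition_holds(t, context)
                   and check(user, r, t.user, context, tuples) for t in tuples):
                return True
    return False

def context_from_token(claims: dict, now: datetime) -> dict:
    # Token enricher: the dept claim and the evaluation time become condition inputs.
    return {"dept": claims.get("dept"), "current_time": now}

# Constructed sample tuples. "user:bob deputy user:alice" reads "bob is a deputy of alice", valid 7 days from T0.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
TUPLES = [
    Tuple("user:ivan", "inspector", "organization:acme"),
    Tuple("organization:acme", "org", "invoice:42"),
    Tuple("user:alice", "owner", "invoice:42"),
    Tuple("user:mia", "manager", "invoice:42"),
    Tuple("user:alice", "approver", "invoice:42", "in_department", {"required_dept": "finance"}),
    Tuple("user:bob", "deputy", "user:alice", "non_expired_grant", {"grant_time": T0, "grant_duration": timedelta(days=7)}),
]

def decide(user: str, action: str, obj: str, claims: dict, now: datetime) -> str:
    return "ALLOW" if check(user, action, obj, context_from_token(claims, now), TUPLES) else "DENY"
```

With these tuples, alice may approve invoice:42 only when her token carries dept=finance; ivan can view but not edit it through the organization:acme → inspector relationship; and bob inherits alice's approval right via `deputy from approver` until the grant's seven days have elapsed, after which the same check returns DENY without any tuple having been deleted. Note the caveat in the tuple-to-userset branch: the approver tuple's `in_department` condition is evaluated with the caller's (bob's) dept claim, not alice's, so model delegated rights with that in mind.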

Integration Highlights

DSL-to-OpenFGA Mapping

Keymate DSL is compiled into an OpenFGA authorization model and relationship tuples

SDK Integration

Quarkus/Spring SDKs simplify usage in apps and services

Context-Aware Inputs

Tokens enriched with claims such as org, risk and hat are passed as context into the authorization check

Custom Actions

Beyond CRUD—define actions like approve, transfer, lock

Tracing & Auditing

All access decisions are logged and traceable with OpenTelemetry

Admin Console Integration

Visual policy builder + expression editor to manage FGAC rules

Frequently Asked Questions

Does Keymate use OpenFGA as its decision engine?
Yes. We use OpenFGA as the decision engine. It's open-source and highly scalable.

Can I write policies directly in OpenFGA syntax?
Yes. You can write directly in OpenFGA syntax or use our DSL, which compiles to it.

Are authorization decisions cached?
Absolutely. Local + distributed caching is included via Infinispan or Redis.

How do I debug an authorization decision?
Use the Policy Simulator and Trace Viewer in the Admin Console to inspect each decision step.

How to Use This Integration

Implementation Steps

1. Deploy an OpenFGA server or use a managed one
2. Connect the Keymate SDK or API Gateway plugin to the OpenFGA service
3. Write policies using the Keymate DSL or the visual builder
4. Add token enrichers to feed context into the check
5. Monitor decisions via logs and OpenTelemetry traces

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.