
Automated Role Assignment, Scoped by Org Context

Ditch static role mapping. With Scoped Role Assignment Mapper, user roles are assigned dynamically based on the organization, department, and contextual attributes during login or sync—enabling policy-aligned, secure access across tenants and units.

Dynamic role assignment based on organizational hierarchy and contextual scopes

How Roles Are Scoped and Assigned Dynamically

During login or external sync, this extension evaluates the user's assigned org unit, their position, and the tenant's role policies to determine which roles to assign. Use cases include:

Assigning "unit-admin" if the user belongs to the HR department in Org-X
Granting "approver" only if an active delegation exists and is scoped to the user's unit
Setting contextual roles based on title and clearance

Dynamic Role Assignment Flow

[Figure: roles are assigned based on organizational context, user attributes, and tenant policies.]

All mappings are declared centrally, and the mapper respects multi-tenant boundaries.

Extension Highlights

Hierarchical Role Mapping

Supports nested org trees—roles can be scoped at org, dept, or unit level

Attribute-Aware Mapping

Conditions based on title, position, or custom user attributes

Session-Scoped Role Binding

Applies roles valid only for the current session or login context

Tenant Isolation Built-In

Role mappings are resolved within the current tenant boundary

Admin Console Integration

Roles and mappings managed visually via the Keymate Admin Console

OpenFGA-Compatible Output

Assigned roles are embedded in session context for use in policies

Frequently Asked Questions

Does this replace static role mappings?
No, it complements them. You can use static and scoped role mappings together.

Does it work in multi-tenant deployments?
Yes. All rules are resolved within tenant boundaries and support inheritance from global defaults.

Can roles be assigned during user import as well as at login?
Absolutely. It supports both login-time and user import scenarios.

How are the assigned roles exposed to policies?
They are injected into the session/token and are fully usable in Keymate DSL or OpenFGA policies.

How to Use This Extension

Implementation Steps

1. Enable the Scoped Role Assignment Mapper SPI in Keycloak.
2. Define your mapping rules via the Keymate Admin Console or configuration YAML.
3. Ensure the user's org and context attributes are available (via login flow or sync). Because roles are derived from these attributes, source them from a trusted system (the IdP assertion or an admin-managed sync), never from profile fields the user can edit themselves.
4. On login/sync, the extension evaluates the rules and assigns the matching roles.
5. Assigned roles are added to token/session notes for downstream use.
6. Policies and APIs use the scoped roles to enforce contextual access.
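The rule evaluation sketched in the use cases above and in steps 2 to 5 can be traced end to end in a few dozen lines. The following Python is an added illustration written for this page, not Keymate's code: the page does not show Keymate's YAML layout or SPI interfaces, so the rule fields (tenant, scope, when, role), the tenant names, the org paths and the user attributes are all assumed. It demonstrates hierarchical scoping by org-path prefix, attribute conditions, tenant isolation (another tenant's rules never fire even when the user's attributes would match them), inheritance from global defaults, and the resolved roles serialized into a session note.

```python
"""Added example: a scoped role resolver modelled on the behaviour described
on this page. Not Keymate's code; the rule layout below is an assumption."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class User:
    tenant: str                       # tenant the login belongs to
    org_path: Tuple[str, ...]         # org > dept > unit, e.g. ("Org-X", "HR", "Payroll")
    attrs: Dict[str, str] = field(default_factory=dict)  # title, clearance, delegation ...


# Rule layout (assumed; stands in for the YAML the page mentions):
#   tenant: owning tenant, or "*" for a global default inherited by every tenant
#   scope:  org-path prefix the rule applies to; () means the whole tenant
#   when:   attribute equalities that must all hold
#   role:   role granted when the rule matches
Rule = Dict[str, Any]

GLOBAL_DEFAULTS: List[Rule] = [
    {"tenant": "*", "scope": (), "when": {}, "role": "employee"},
]

# Constructed sample rule sets for two tenants.
TENANT_RULES: Dict[str, List[Rule]] = {
    "tenant-a": [
        # unit-admin for anyone under Org-X/HR, including nested units such as Payroll
        {"tenant": "tenant-a", "scope": ("Org-X", "HR"), "when": {}, "role": "unit-admin"},
        # approver only while a delegation is active, and only inside Org-X
        {"tenant": "tenant-a", "scope": ("Org-X",), "when": {"delegation": "active"}, "role": "approver"},
        # contextual role keyed on title and clearance, tenant-wide
        {"tenant": "tenant-a", "scope": (), "when": {"title": "Security Lead", "clearance": "secret"},
         "role": "incident-commander"},
    ],
    "tenant-b": [
        {"tenant": "tenant-b", "scope": ("Org-X",), "when": {}, "role": "viewer"},
    ],
}


def rule_matches(rule: Rule, user: User) -> bool:
    # Tenant isolation: only the user's own tenant or a global default may grant a role.
    if rule["tenant"] not in ("*", user.tenant):
        return False
    scope = rule["scope"]
    # Hierarchical scoping: the rule's path must be a prefix of the user's org path.
    if user.org_path[:len(scope)] != scope:
        return False
    # Attribute-aware conditions: every listed attribute must match exactly.
    return all(user.attrs.get(k) == v for k, v in rule["when"].items())


def resolve_roles(user: User) -> List[str]:
    # Only the user's tenant's rule set is consulted; other tenants' rules are never
    # even loaded, so a misconfigured rule elsewhere cannot leak a role across tenants.
    candidates = GLOBAL_DEFAULTS + TENANT_RULES.get(user.tenant, [])
    return sorted({rule["role"] for rule in candidates if rule_matches(rule, user)})


def session_notes(user: User) -> Dict[str, str]:
    # Session-scoped binding: the resolved roles live in notes for this login only,
    # so a change in org unit or delegation state takes effect at the next login/sync.
    return {"tenant": user.tenant, "scoped_roles": ",".join(resolve_roles(user))}


if __name__ == "__main__":
    hr_payroll = User("tenant-a", ("Org-X", "HR", "Payroll"), {"delegation": "active"})
    print(session_notes(hr_payroll))
    # Same org path and attributes, different tenant: tenant-a's rules must not fire.
    print(session_notes(User("tenant-b", ("Org-X", "HR", "Payroll"), {"delegation": "active"})))
```

The second print is the check worth keeping in a real test suite: a user in tenant-b with exactly the attributes that would earn unit-admin and approver in tenant-a receives only tenant-b's own roles plus the global default, because the resolver never consults another tenant's rule set.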

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.