Smarter Access with Attributes That Matter

Keymate brings policy-based access control to life with real-time attribute evaluation, advanced policy modeling, and enterprise-grade observability.

How Attribute-Based Access Works in Keymate

Keymate evaluates access policies in real time using attributes from tokens, sessions, and request context. With DSL-based policies, OpenFGA enforcement, and Gateway/SDK-level integration, attribute logic stays secure and observable.

Real-Time ABAC Evaluation Flow

Keymate leverages a powerful combination of real-time attribute sourcing, a flexible policy language, and robust enforcement mechanisms to deliver fine-grained, context-aware access control.

Example: Example: User Emre attempts to Approve invoice:987. Policy checks user.department (finance) and risk_score (<3) from token/session. Access Granted based on matching attributes.

Key Components:

Token Attributes (user.department, risk_score)

Request Context (IP, time, device)

DSL Policy: allow if user.department == "finance" and user.risk_score < 3

OpenFGA Enforcement

Gateway/SDK Integration

Real-time Observability

What Makes Keymate ABAC Different

Keymate's ABAC goes beyond basic attribute checks, offering a comprehensive suite of tools for modern, scalable, and auditable access control.

Attribute Mapping Engine

Map claims from tokens or request context using JSONPath expressions, simplifying attribute ingestion.

Context-Aware Enforcement

Policies can utilize user, resource, and environmental attributes—like time, IP, or location—for truly dynamic decisions.

Realtime Attribute Evaluation

Enforce policies via API Gateway or SDK without touching frontend code, ensuring consistency and security.

Dry-Run & Simulation Tools

Safely test attribute logic and policy changes before going live using built-in simulators and what-if analysis.

Visual DSL + Audit Logs

Understand why an attribute-based decision was made with a clear DSL and full traceability through comprehensive audit logs.

ABAC + RBAC Hybrid

Combine the strengths of ABAC and RBAC. Use attribute checks within role-scoped decisions for layered and flexible access logic.

Empowering enterprises with flexible, observable, and secure attribute-based access.

Try Attribute-Based Access Control in Action

Simulate real-world ABAC decisions using token attributes, DSL policies, and contextual data. Preview outcomes and debug results in one place.

Configure ABAC Simulation:

User (with Attributes):

Resource (with Attributes):

Action:

Policy to Evaluate:

Context: IP Address

Context: Time (0-23hr)

Policy Evaluation Result:

✅ Access Granted

All policy conditions met.

Active Policy DSL: (Finance Document Access Policy)

allow if
  (action == "read" or action == "approve") and
  user.department == "finance" and
  user.riskScore < 3 and
  (resource.sensitivity == "high" ? user.country == "TR" : true) and
  context.ip not in BLACKLIST_IP_RANGE

Frequently Asked Questions

Common questions about Keymate's Attribute-Based Access Control, its features, and how it compares.

ABAC (Attribute-Based Access Control) is an access control model that makes decisions based on attributes of the user, the resource they are trying to access, and the environment. It allows for flexible and fine-grained policies.

Keymate offers scoped evaluation of attributes, dry-run testing capabilities, robust OpenFGA-powered policy enforcement, and real-time observability—all designed for enterprise scale and without frontend code dependency.

Attributes can be sourced from various places: JWT tokens (e.g., Keycloak claims like department or role), request metadata (IP address, time of day), or dynamically enriched session data (like a calculated risk level or impersonation status).

Yes, absolutely. This is a common and powerful pattern. You can enforce roles (RBAC) to determine broad access permissions and then apply finer-grained attribute checks (ABAC) within those role-defined scopes for more precise control.

How to Use ABAC in Keymate

Follow these steps to integrate and leverage Keymate's advanced ABAC capabilities in your applications.

Implementing Keymate ABAC in Your Ecosystem

Define Attribute-Based Policies

Write your access policies using Keymate's expressive DSL, referencing user, resource, and environment attributes.

Configure Attribute Mapping

Use the mapping engine to extract and normalize attributes from JWT tokens, API request context, or other session data sources.

Deploy Policies to OpenFGA

Manage and deploy your policies to the OpenFGA authorization service using the Keymate Admin Console or programmatically via APIs.

Enforce with SDK or Gateway

Integrate Keymate's SDKs in your applications or use the API Gateway plugin to evaluate policies in real-time at the edge.

Monitor & Simulate

Track every access decision through detailed logs and OpenTelemetry. Use the Admin Console to simulate policy changes and understand their impact.

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.