Policy Logic That Understands Your Context

Write fine-tuned authorization policies using dynamic attributes from user tokens, session context, organization structure, and tenant metadata. Keymate lets you define what access looks like — per department, role, location, or even device.

Context-Aware Policies that Scale with Your Organization

How Attribute-Based Policy Scoping Works

Authorization decisions in Keymate are made using policy rules that can include attributes such as token.user.department, session.device.trusted, context.tenant, and resource.data_classification. Policies evaluate these attributes in real-time, allowing precise control. Whether you're limiting access to finance data, enforcing country-level restrictions, or isolating tenant boundaries — it's all handled declaratively.

Example Policy

allow if token.user.department == "finance" and context.time < "18:00" and context.tenant == resource.tenant
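The conditions of the example rule above, modelled in Python as an added example; this is not Keymate's engine or DSL, and the names `lookup`, `parse_hhmm`, `evaluate` and `request` are hypothetical. It assumes the behaviour a reviewer would want from such a rule: a missing or malformed attribute fails its condition, `context.time` is compared as a time of day rather than as a string, and two absent tenant values never count as a match.

```python
from datetime import time

CUTOFF = time(18, 0)  # the rule's "18:00" as a time-of-day, not a string

def lookup(attrs, path):
    """Resolve a dotted path like 'token.user.department'; None if any part is missing."""
    node = attrs
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def parse_hhmm(value):
    """Parse 'H:MM' or 'HH:MM'; None when absent or malformed."""
    try:
        hours, minutes = str(value).split(":")
        return time(int(hours), int(minutes))
    except ValueError:
        return None

def evaluate(attrs):
    """Return (decision, trace); a missing or malformed attribute fails its condition."""
    dept = lookup(attrs, "token.user.department")
    now = parse_hhmm(lookup(attrs, "context.time"))
    ctx_tenant = lookup(attrs, "context.tenant")
    res_tenant = lookup(attrs, "resource.tenant")
    trace = {
        "department_is_finance": dept == "finance",
        "before_cutoff": now is not None and now < CUTOFF,
        # Guard against None == None: two absent tenants must not count as a match.
        "tenant_matches": ctx_tenant is not None and ctx_tenant == res_tenant,
    }
    return ("allow" if all(trace.values()) else "deny"), trace

def request(dept="finance", at="09:30", ctx_tenant="acme", res_tenant="acme"):
    """Build a constructed sample request; all values are made up."""
    return {"token": {"user": {"department": dept}},
            "context": {"time": at, "tenant": ctx_tenant},
            "resource": {"tenant": res_tenant}}

if __name__ == "__main__":
    for label, req in [("in hours", request()), ("unpadded time", request(at="9:30")),
                       ("after cutoff", request(at="18:00")),
                       ("cross-tenant", request(res_tenant="globex")),
                       ("no tenants", request(ctx_tenant=None, res_tenant=None))]:
        print(label, *evaluate(req))
```

A plain string comparison would evaluate `"9:30" < "18:00"` as false, so the unpadded case is worth including when testing policies against sample sessions.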

What Makes Our Attribute-Based Policy Scoping Different?

Multi-Source Attribute Ingestion

Use attributes from tokens, sessions, context, organization metadata, or external enrichment services.

Tenant-Aware Logic

Automatically scope access by tenant or organization without writing custom code.

Fine-Grained Conditions

Attribute filters can target fields like country, role, jobLevel, or delegatedBy.

Reusable Attribute Templates

Define named attribute groups and inject them into DSL with a simple include.

Token Enrichment Hooks

Inject session metadata dynamically using upstream identity sources.

OpenFGA-Compatible Modeling

Extend relationship models with attribute gates, enabling hybrid ReBAC + ABAC scenarios.

Frequently Asked Questions

It refers to defining access control rules using dynamic user, context, or resource attributes — such as role, department, location, or tenant — instead of fixed role mappings. Keymate makes this fully declarative.
Yes. Keymate supports policies based on enriched tokens and session-level metadata, enabling precise runtime decisions across departments or tenants.
While RBAC uses static roles, attribute-based scoping enables dynamic conditions using real-time context. It blends well with ABAC and ReBAC models in Keymate.
Yes. Keymate integrates with Keycloak sessions and models policies compatible with OpenFGA's relationship model extended via attributes.

How to Use This Feature

Follow these steps to implement attribute-based policy scoping.

Implementation Steps

1. Define attribute sources (token, session, organization) in Admin Console
2. Enrich tokens using your identity provider or Keymate Hooks
3. Create policies using DSL with attribute placeholders
4. Test policies with sample sessions and live context
5. Monitor policy evaluations with full attribute trace logs

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.