Compose Powerful Access Logic with Policy Aggregation

Keymate's PBAC lets you define complex, layered access decisions by combining RBAC, ABAC, ReBAC, and RADAC policies—governed by customizable decision strategies.

How PBAC Works in Keymate

PBAC evaluates multiple policies—each based on different control models—and makes a unified access decision based on a defined strategy.

PBAC Aggregation Flow

Keymate enables the aggregation of diverse policy types (RBAC, ABAC, RADAC) into a single, cohesive PBAC policy. The final decision is determined by a chosen strategy, such as Unanimous, Affirmative, or Consensus.

Example: Visual: Three policy boxes (RBAC, ABAC, RADAC) feeding into a central "PBAC Aggregate Policy (Strategy: Unanimous)". Output shows "Access Granted" if all pass, or "Denied" if any fail.

Key Components:

RBAC Policy

ABAC Policy

RADAC Policy

PBAC Aggregate Policy (Strategy: Unanimous)

✅ Access Granted (all passed) / ❌ Denied (one failed)

Why PBAC in Keymate is Enterprise-Ready

Aggregate Multiple Policy Types

Combine RBAC, ABAC, ReBAC, and RADAC into a single logical policy.

Decision Strategies

Use Affirmative, Consensus, or Unanimous to control how policies are evaluated.

UI + Expression Mode

Define aggregates via UI or use expressions like policy("RBAC:Admin") AND policy("ABAC:SalesOnly").

Simulation & Trace Support

Run test evaluations and see which sub-policy caused allow/deny results.

Versioning & Approval Workflow

Changes to aggregate policies go through diff view, approval steps, and environment-specific deployment.

Policy Reuse

Reference existing policies as reusable modules—no duplication.

Build sophisticated, maintainable, and auditable access control with Keymate PBAC.

Frequently Asked Questions

Understanding Keymate's Policy-Based Access Control (PBAC).

Policy-Based Access Control allows combining multiple access policies (like RBAC, ABAC, ReBAC) to make a unified decision. It's a meta-policy approach that reflects real-world access complexity.

RBAC, ABAC, ReBAC are individual decision models. PBAC lets you define how they should interact, and under what strategy (e.g., Unanimous, Affirmative) a decision should be allowed or denied based on their combined outcomes.

Yes. Keymate provides full simulation and debug logs showing each sub-policy's result and how it contributed to the overall aggregated decision.

Keymate supports strategies like Affirmative (at least one sub-policy must pass), Unanimous (all sub-policies must pass), and Consensus (a majority or specific quorum must pass).

How to Use PBAC in Keymate

Implement powerful, aggregated access policies with Keymate's PBAC.

Steps to Compose and Enforce Aggregate Policies

Create Building Block Policies

Define your individual RBAC, ABAC, ReBAC, and RADAC policies that will serve as components.

Compose into an Aggregate Policy

Combine these individual policies into a single PBAC Aggregate Policy using the Keymate UI or expression language.

Define Decision Strategy

Choose a decision strategy (e.g., Affirmative, Unanimous, Consensus) to govern how the outcomes of sub-policies determine the final decision.

Simulate and Trace Results

Use Keymate's simulation tools to test your aggregate policy. Track which sub-policy outcomes influenced the final grant or deny decision.

Enforce via SDK or Gateway

Integrate with Keymate's SDKs in your applications or use the API Gateway plugin to enforce the aggregate policies in real-time.

Try PBAC in Keymate

Experience the power of PBAC in Keymate. Start building complex, layered access policies today.

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.