EventGuard: Policy-Driven Access for Real-Time Streams

Keymate's upcoming EventGuard module brings fine-grained authorization to event-driven architectures. Define contextual policies for subscriptions based on event type, source, and metadata—ensuring secure data flow across Kafka, Pulsar, and beyond.

Event Streams as First-Class Access-Controlled Resources

Traditional IAM solutions focus on HTTP APIs. But modern systems stream sensitive data via Kafka, Pulsar, or MQTT. With EventGuard, event streams are policy-enforced resources. EventGuard ensures that sensitive data doesn't just move—it moves securely and accountably.

Secure Event Stream Authorization

With EventGuard, you can:

Register Kafka topics and define event types as resources
Bind authorization policies to topic, event type, and payload metadata
Support subscription-level and per-event enforcement
Leverage OpenMetadata integration for PII and classification filtering
Simulate subscription decisions and trace rejections in audit dashboards
Use dynamic masking or message blocking per subscriber context

Example: Define contextual policies for subscriptions based on event type, source, and metadata.

Key Components:

Kafka & Pulsar Integration
Event-as-Resource Modeling
Contextual Policies
OpenMetadata Integration
Real-time Audit

What Makes It Unique

Event-as-Resource Modeling

Topics and events treated like API resources for authorization purposes

Contextual Subscription Checks

Authorize based on event type, classification, ownership, or stream source

Per-Message Filtering (Optional)

Mask or block specific messages based on metadata or token attributes

OpenMetadata Integration

EventGuard auto-detects PII, classification, and sensitivity in messages

DSL-Based Policy Rules

Use event context and token claims to write rich policies

Dual Enforcement Modes

Check at subscribe-time or for every streamed message

Observability & Audit Logs

Trace which policies were applied and why access was granted/denied

Frequently Asked Questions

EventGuard is a planned module. You can preview its architecture and sign up for early access.
Yes. You can apply masking or deny access per event, based on its metadata and user context.
Not mandatory, but highly recommended. EventGuard leverages metadata such as classification, piiType, and owner for fine-grained control.
It's Kafka-first, but designed to support other brokers like Pulsar, MQTT, and GCP Pub/Sub.

How to Use This Feature (Planned)

This feature will be available through the upcoming EventGuard module.

Implementation Steps

1. Register your Kafka topics and message schemas

2. Define event resources using topic + eventType + metadata mappings

3. Write policies with DSL using token, resource, and event context

4. Choose enforcement mode: subscribe-time or per-event

5. Configure optional masking or blocking rules

6. Observe access logs and simulate stream permissions in the admin console
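To make the six steps above concrete, here is an added illustrative model written in Python. It is not Keymate's code and does not use EventGuard's policy DSL, which this page does not show; the resource registry keyed by topic + eventType, the rule functions, the deny-overrides combining order, the piiFields metadata key, and the sample tokens and events are all assumptions constructed for the example. It walks the steps in order: register resources with metadata, write rules over token claims, resource metadata and event context, evaluate them either at subscribe-time (no message yet) or per event, mask PII fields for subscribers outside the owning tenant, and record which rule decided and why.

```python
"""Illustrative model of event streams as authorization resources (not Keymate's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Token:
    sub: str
    roles: frozenset
    tenant: str


@dataclass(frozen=True)
class Event:
    topic: str
    event_type: str
    metadata: dict   # classification / piiType / owner as named on the page; piiFields is assumed
    payload: dict


@dataclass(frozen=True)
class Decision:
    effect: str                     # "allow", "deny" or "mask" (mask = allow with redaction)
    policy: str                     # name of the rule that produced the decision
    reason: str
    mask_fields: Tuple[str, ...] = ()


# A rule sees the token, the registered resource metadata and, in per-event mode,
# the concrete event (None at subscribe-time). Returning None means "no opinion".
Rule = Callable[[Token, dict, Optional[Event]], Optional[Decision]]


class EventGuardModel:
    def __init__(self) -> None:
        self.resources: Dict[Tuple[str, str], dict] = {}   # (topic, eventType) -> metadata
        self.rules: List[Rule] = []
        self.audit: List[dict] = []

    def register_resource(self, topic: str, event_type: str, metadata: dict) -> None:
        self.resources[(topic, event_type)] = metadata

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def _combine(self, token: Token, resource: dict, event: Optional[Event]) -> Decision:
        # Deny-overrides: any deny wins, then mask decisions are merged, then the first allow;
        # with no rule granting access the default is deny.
        decisions = [d for d in (r(token, resource, event) for r in self.rules) if d is not None]
        for d in decisions:
            if d.effect == "deny":
                return d
        masks = [d for d in decisions if d.effect == "mask"]
        if masks:
            fields = tuple(sorted({f for d in masks for f in d.mask_fields}))
            return Decision("mask", ",".join(d.policy for d in masks), "PII masked", fields)
        for d in decisions:
            if d.effect == "allow":
                return d
        return Decision("deny", "default", "no rule granted access")

    def _record(self, token: Token, key: Tuple[str, str], mode: str, d: Decision) -> None:
        # Audit trail: who, which resource, which mode, which rule decided and why.
        self.audit.append({"sub": token.sub, "resource": key, "mode": mode,
                           "effect": d.effect, "policy": d.policy, "reason": d.reason})

    def authorize_subscription(self, token: Token, topic: str, event_type: str) -> Decision:
        key = (topic, event_type)
        resource = self.resources.get(key)
        d = (Decision("deny", "registry", "unregistered resource") if resource is None
             else self._combine(token, resource, None))
        self._record(token, key, "subscribe", d)
        return d

    def filter_event(self, token: Token, event: Event) -> Optional[dict]:
        # Per-event mode: returns the (possibly masked) payload, or None when blocked.
        key = (event.topic, event.event_type)
        resource = self.resources.get(key)
        d = (Decision("deny", "registry", "unregistered resource") if resource is None
             else self._combine(token, resource, event))
        self._record(token, key, "per-event", d)
        if d.effect == "deny":
            return None
        masked = dict(event.payload)
        for f in d.mask_fields:
            if f in masked:
                masked[f] = "***"
        return masked


def require_reader_role(token: Token, resource: dict, event: Optional[Event]) -> Optional[Decision]:
    if "stream-reader" in token.roles:
        return Decision("allow", "reader-role", "token has stream-reader role")
    return Decision("deny", "reader-role", "missing stream-reader role")


def restricted_requires_auditor(token: Token, resource: dict, event: Optional[Event]) -> Optional[Decision]:
    if resource.get("classification") == "restricted" and "auditor" not in token.roles:
        return Decision("deny", "restricted-class", "restricted stream requires auditor role")
    return None


def mask_pii_for_other_tenants(token: Token, resource: dict, event: Optional[Event]) -> Optional[Decision]:
    # Needs the message's own metadata, so it only applies in per-event mode.
    if event is None or not event.metadata.get("piiType") or token.tenant == event.metadata.get("owner"):
        return None
    return Decision("mask", "pii-mask", "PII visible only to owning tenant",
                    tuple(event.metadata.get("piiFields", ())))


def build_model() -> EventGuardModel:
    m = EventGuardModel()
    m.register_resource("orders", "OrderCreated", {"classification": "confidential", "owner": "billing"})
    m.register_resource("payments", "CardAuthorized", {"classification": "restricted", "owner": "billing"})
    for rule in (require_reader_role, restricted_requires_auditor, mask_pii_for_other_tenants):
        m.add_rule(rule)
    return m


# Constructed sample tokens and events (not from any real system).
ANALYST = Token("ana", frozenset({"stream-reader"}), "analytics")
BILLING = Token("billing-svc", frozenset({"stream-reader"}), "billing")
GUEST = Token("guest", frozenset(), "analytics")
ORDER_WITH_PII = Event("orders", "OrderCreated",
                       {"classification": "confidential", "owner": "billing",
                        "piiType": "email", "piiFields": ["customer_email"]},
                       {"order_id": "A1", "customer_email": "x@example.com", "total": 42})
ORDER_NO_PII = Event("orders", "OrderCreated",
                     {"classification": "confidential", "owner": "billing"},
                     {"order_id": "A2", "total": 7})

if __name__ == "__main__":
    model = build_model()
    print(model.authorize_subscription(ANALYST, "orders", "OrderCreated"))
    print(model.filter_event(ANALYST, ORDER_WITH_PII))
    print(model.filter_event(BILLING, ORDER_WITH_PII))
    for entry in model.audit:
        print(entry)
```

The subscribe-time check is cheap and blocks a consumer from ever attaching to a stream it may not read, while the per-event path is what makes metadata-driven masking possible, since the PII markers live on the individual message. Keeping both in one evaluator with a single audit record shape is what lets the rejection trace show the same rule name in either mode.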

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.