Monitor Authorization Decisions—As They Happen

Keymate streams every access decision—grants, denials, reasons, token context, and matched policies—into a Kafka-based event pipeline in real time. This enables instant observability, threat detection, analytics, and downstream automation.

Every Access Decision, Streamed Live for Observability, Security & Compliance

Live Visibility Into What's Granted—and What's Denied

Keymate generates a structured access-decision event for every authorization outcome, including:

FGAC, RBAC, PBAC, or risk-based decisions
Denied attempts with full match/fail reasons
Matching policy ID and evaluation path
User, session, org-unit, delegated role, resource context
Session attributes, request metadata, and risk score
Correlation IDs for traceability

These decision events are streamed to Kafka in real time and can be consumed by:

SIEMs for anomaly detection
Dashboards (e.g., SigNoz) for trend analysis
Security rules for live alerting
ML pipelines for behavioral profiling
Data warehouses for access pattern reporting

Real-Time Access Decision Streaming

Real-time access decision streaming enables instant observability, threat detection, analytics, and downstream automation through a Kafka-based event pipeline.

Example: Stream every authorization decision with full context for observability and security

Key Components:

Kafka Event Pipeline
Decision Context Streaming
SIEM Integration
Real-time Analytics
Multi-tenant Isolation

What Makes It Unique

Per-Decision Event Streaming

Every grant/deny is published with policy, actor, and reason

Kafka-Based Integration

Events flow through Keymate Event Hub, consumable by any Kafka client

Full Context Emission

Events include token, session, resource, org, role, and trace metadata

Low Latency, High Volume

Optimized for sub-100ms streaming even under load

Policy Evaluation Transparency

See which policy matched and which condition failed

Security Operations Ready

Can trigger alerts or auto-remediation flows for suspicious patterns

Downstream Analytics Friendly

Stream to ClickHouse, Elasticsearch, or Data Lake for custom dashboards

Multi-Tenant Isolation

Decision events are partitioned and tagged per tenant/org context

Frequently Asked Questions

Yes. Every FGAC/RBAC/PBAC decision—grant or deny—is emitted with full context.
Yes. Streaming can be scoped per tenant, policy, or resource pattern.
No. Audit logs are stored after the fact. This is real-time streaming for monitoring, alerting, and analytics.
Streams are encrypted and can be partitioned per tenant. Only authorized consumers can subscribe via Kafka ACLs.
Absolutely. These events are perfect inputs for behavior models, risk scoring, or policy refinement analysis.

How to Use This Feature

Follow these steps to enable real-time access decision streaming.

Implementation Steps

1. Enable Decision Streaming in Admin Console (per tenant or global)
2. Connect to Kafka topic keymate.access.decisions via your preferred consumer
3. Configure real-time dashboards, alerts, or analysis pipelines
4. Tag each event with session, tenant, trace, and org-unit metadata for traceability
5. Store decision streams in ClickHouse, Elastic, or S3-compatible data lake for long-term insights
6. Use decision patterns to refine access policies or detect suspicious usage
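
A sketch of the kind of live alerting rule steps 3 and 6 describe, added here as an example and not taken from Keymate's code or documentation. The page does not publish the event schema, so the JSON field names (ts, tenant, user, decision, policy_id, correlation_id) are assumptions, and the events are constructed samples fed in directly rather than read from the keymate.access.decisions topic.

```python
import json
from collections import defaultdict, deque

def _ev(ts, tenant, user, decision, policy_id, correlation_id):
    # Builds one constructed event; these field names are assumptions,
    # not Keymate's published schema.
    return json.dumps({"ts": ts, "tenant": tenant, "user": user,
                       "decision": decision, "policy_id": policy_id,
                       "correlation_id": correlation_id})

# Constructed sample stream (not real Keymate output), ordered by timestamp.
SAMPLE_EVENTS = [
    _ev(0, "acme", "alice", "DENY", "p-7", "c1"),
    _ev(0, "acme", "bob", "DENY", "p-2", "c2"),
    _ev(5, "globex", "alice", "DENY", "p-7", "c3"),
    _ev(10, "acme", "alice", "DENY", "p-7", "c4"),
    _ev(12, "acme", "alice", "GRANT", "p-1", "c5"),
    "not-json",  # malformed record
    _ev(15, "globex", "alice", "DENY", "p-7", "c6"),
    _ev(20, "acme", "alice", "DENY", "p-9", "c7"),
    _ev(100, "acme", "bob", "DENY", "p-2", "c8"),
    _ev(200, "acme", "bob", "DENY", "p-2", "c9"),
]

def detect_denial_bursts(lines, threshold=3, window_s=60):
    """Alert when one (tenant, user) pair collects `threshold` denials within `window_s` seconds."""
    recent = defaultdict(deque)  # keyed per tenant so identical usernames never merge
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
            key, ts = (ev["tenant"], ev["user"]), float(ev["ts"])
            denied = ev["decision"] == "DENY"
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed events instead of stopping the consumer
        if not denied:
            continue
        q = recent[key]
        q.append((ts, ev.get("policy_id"), ev.get("correlation_id")))
        while ts - q[0][0] > window_s:
            q.popleft()  # drop denials that fell out of the sliding window
        if len(q) >= threshold:
            alerts.append({"tenant": key[0], "user": key[1],
                           "policies": sorted({p for _, p, _ in q if p}),
                           "correlation_ids": [c for _, _, c in q]})
            q.clear()  # start a fresh window so one burst raises one alert
    return alerts
```

Each alert carries the correlation IDs of the denials that triggered it, so an analyst can pivot from the alert back to the individual decision events.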
