Adapt Instantly to Delegation and Absence Events

Keymate reacts to real-time events from your HRMS and workforce systems—enriching sessions, adjusting permissions, and ensuring scoped access for delegated or absent users. No manual updates, no security gaps.

Why Real-Time HRMS Integration Matters

In most IAM systems, organizational changes like temporary delegation or leave of absence are either manually handled—or worse, ignored. This leads to:

Over-permissioned users acting outside their scope
Delayed deactivation of access during leave
Gaps in compliance and auditability

With Keymate, these risks are eliminated by processing delegation and leave events in real time, directly from your HRMS or workforce platform.

Delegation Events In, Scoped Sessions Out

Real-time HRMS event processing eliminates manual IAM updates and security gaps by automatically adjusting permissions based on delegation and leave events.

Example: Real-time processing of HRMS delegation and leave events

Key Components:

HRMS Event Integration
EventHub Processing
Session Enrichment
Scoped Access Control
Automated Compliance

From HRMS Events to Intelligent Access Control

From HRMS platforms like SAP SuccessFactors, Workday, Oracle HCM, or any external HR integration, Keymate ingests events such as:

delegationStart / delegationEnd
leaveRequestApproved / returnFromLeave
temporaryAssignment

These are processed through the EventHub (via gRPC or REST), and:

Session notes are updated with delegated "hat" or leave status.
Tokens are re-enriched at next login (or in real-time).
OpenFGA policies can evaluate delegated.role, user.onLeave, etc.
Scoped access decisions are instantly applied without code changes.

Event-Driven Access Management

HRMS events flow through EventHub to automatically update session contexts and enable scoped authorization decisions.

Example: Seamless integration from HRMS events to access control

Key Components:

SAP, Workday, Oracle HCM
Real-time Event Processing
Session Context Updates
Token Re-enrichment
Policy Evaluation

What Makes It Unique

HRMS Event Integration

Supports real-time delegation and leave events from systems like SAP, Workday, INKA, etc.

Session-Aware Role Substitution

Temporarily assigns delegated roles scoped to org/unit without overriding the user's base identity

Leave-Aware Token Enrichment

Automatically flags users on leave and adjusts authorization context accordingly

OpenFGA-Compatible Context

Delegation and absence status mapped to OpenFGA relationship models

Auditable Transitions

All delegation and leave transitions logged with actor, duration, and scope details

Flexible Event Triggering

Processed during login, on event arrival, or per session update via webhook/API

Frequently Asked Questions

Any system that can send delegation/leave events via REST or gRPC. Common examples include SAP, Workday, Oracle, INKA.
Yes. Events are processed instantly via EventHub, with fallback during session/token refresh.
Yes. Time-bound scopes are enforced automatically via policy or token expiration.
Tokens are updated or revoked on next login or session sync. Admins can also trigger early revocation.
Absolutely. All delegation and leave data is available in the policy context.

How to Use This Feature

Follow these steps to enable real-time delegation and leave awareness.

Implementation Steps

1. Ensure your HRMS system can emit delegation/leave events
2. Connect to Keymate EventHub via gRPC or REST
3. Register event schema for delegation & leave
4. Define how delegation maps to roles, scope, or "hat"
5. Enrich session notes and tokens automatically
6. Write policies using delegatedRole, user.onLeave, or scope filters
7. Audit all transitions via Admin Console or SIEM integration
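
A minimal model of the flow in the steps above, as an added example that is not Keymate's code or API. Only the event type names come from this page; the event fields (`id`, `role`, `scope`, `expires`, `actor`, `at`), the `SessionContext` class, and the deny-while-on-leave policy are assumptions, and the scenario data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class SessionContext:
    user: str
    base_grants: set                                  # {(role, scope)} from the user's own identity
    on_leave: bool = False
    delegations: dict = field(default_factory=dict)   # delegation id -> (role, scope, expires)
    audit: list = field(default_factory=list)         # (time, actor, event type, delegation id)

def apply_event(ctx, event):
    """Fold one HRMS event into the session context; base_grants are never modified."""
    kind = event["type"]
    if kind == "delegationStart":
        ctx.delegations[event["id"]] = (event["role"], event["scope"], event["expires"])
    elif kind == "delegationEnd":
        ctx.delegations.pop(event["id"], None)        # tolerate duplicate or late end events
    elif kind == "leaveRequestApproved":
        ctx.on_leave = True
    elif kind == "returnFromLeave":
        ctx.on_leave = False
    else:
        raise ValueError(f"unknown event type: {kind}")
    ctx.audit.append((event["at"], event.get("actor"), kind, event.get("id")))

def is_allowed(ctx, role, scope, now):
    """Assumed policy: deny on leave; else need a base grant or unexpired delegation in scope."""
    if ctx.on_leave:
        return False
    if (role, scope) in ctx.base_grants:
        return True
    return any((r, s) == (role, scope) and now < exp for r, s, exp in ctx.delegations.values())

def demo():
    """Constructed scenario: bob covers alice's approver role in unit-7 for two days."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    bob = SessionContext("bob", {("analyst", "unit-3")})
    apply_event(bob, {"type": "delegationStart", "id": "d1", "role": "approver", "scope": "unit-7",
                      "expires": t0 + timedelta(days=2), "actor": "alice", "at": t0})
    results = {
        "delegated_in_scope": is_allowed(bob, "approver", "unit-7", t0 + timedelta(hours=1)),
        "delegated_other_scope": is_allowed(bob, "approver", "unit-3", t0 + timedelta(hours=1)),
        "after_expiry_no_end_event": is_allowed(bob, "approver", "unit-7", t0 + timedelta(days=3)),
    }
    apply_event(bob, {"type": "leaveRequestApproved", "actor": "hr", "at": t0 + timedelta(hours=2)})
    results["base_grant_on_leave"] = is_allowed(bob, "analyst", "unit-3", t0 + timedelta(hours=3))
    apply_event(bob, {"type": "returnFromLeave", "actor": "hr", "at": t0 + timedelta(hours=4)})
    results["base_grant_after_return"] = is_allowed(bob, "analyst", "unit-3", t0 + timedelta(hours=5))
    return results, bob.audit
```

The expiry check inside `is_allowed` is what keeps a delegation time-bound when the `delegationEnd` event is lost or delayed.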
