Empower Tenants Without Losing Control

Allow each tenant to manage its own users, roles, and org-units — within clearly scoped, auditable boundaries. Keymate gives your partners control, while you keep governance.

How Delegated Administration Works in Keymate

Keymate enables fine-grained tenant self-administration by assigning scoped admin roles. Each delegated admin can manage users, organizations, and access within their tenant's boundary — but not beyond. All actions are logged, isolated, and enforced at the UI, API, and backend levels.

Scoped Administration Model

A “Partner Admin” in tenant Acme Corp can add users to their organization tree. A “Unit Admin” can only manage specific departments. A tenant admin's actions are always isolated by tenantId in session and audit logs.

What Makes It Unique

Scoped Admin Roles

Assign admin roles that are bound to specific tenants and org-units.

Tenant-Isolated Console Views

UI automatically filters and hides unauthorized sections per admin scope.

API-Level Context Enforcement

Every admin API call is context-validated against session tenant & scope.

Role & Org Assignment Tools

Admins can assign users to roles and org-units directly in their own context.

Impersonation for Support

Allow central admins to impersonate tenant admins for troubleshooting (with logs).

Full Auditability

Every delegated action is recorded with actorType: tenant-admin for compliance traceability.
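
One way to enforce the tenant and org-unit boundary described above on the server side, as an added Python illustration that is not Keymate's code or API. The session fields, the org tree, the `decision` and `impersonatedBy` audit keys, and all function names are constructed assumptions; only `tenantId` and `actorType: tenant-admin` come from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed org-unit tree: child -> parent (None marks a tenant root).
ORG_PARENT = {"acme-root": None, "sales": "acme-root", "emea": "sales",
              "eng": "acme-root", "globex-root": None}
# Constructed ownership map: org-unit -> tenant.
ORG_TENANT = {"acme-root": "acme", "sales": "acme", "emea": "acme",
              "eng": "acme", "globex-root": "globex"}

@dataclass(frozen=True)
class Session:
    actor: str
    tenant_id: str           # from the authenticated session, never the request body
    scope_units: frozenset   # org-units the admin role is bound to
    impersonated_by: Optional[str] = None  # hypothetical support-impersonation marker

def in_scope(unit, scope_units):
    """True if unit is a scoped org-unit or a descendant of one."""
    seen = set()
    while unit is not None and unit not in seen:  # 'seen' guards against cycles
        if unit in scope_units:
            return True
        seen.add(unit)
        unit = ORG_PARENT.get(unit)
    return False

def authorize(session, action, target_unit, audit_log):
    """Check an admin call against session tenant and scope; audit every outcome."""
    if ORG_TENANT.get(target_unit) != session.tenant_id:
        decision = "deny:tenant-mismatch"   # also covers unknown org-units
    elif not in_scope(target_unit, session.scope_units):
        decision = "deny:out-of-scope"
    else:
        decision = "allow"
    audit_log.append({
        "actorType": "tenant-admin", "actor": session.actor,
        "tenantId": session.tenant_id, "action": action, "target": target_unit,
        "decision": decision, "impersonatedBy": session.impersonated_by,
    })
    return decision == "allow"

if __name__ == "__main__":
    log = []
    unit_admin = Session("bob", "acme", frozenset({"sales"}))
    for target in ("emea", "eng", "globex-root"):
        print(target, authorize(unit_admin, "user.create", target, log))
    print(log[-1])
```

Denied calls are written to the audit log as well as allowed ones, so out-of-scope attempts by a delegated admin remain visible per tenant.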

Frequently Asked Questions

It's the ability to assign administrative capabilities to tenant-level users without exposing system-wide access. Keymate implements this securely with scope-aware controls.
Delegated admins only manage their assigned tenant. They can't see or affect other tenants, users, or policies.
Yes. Within their boundary, delegated admins can create users, assign roles, and manage org-units — fully audit-tracked.
Yes. Support admins can impersonate tenant admins for limited operations. All actions are logged with impersonation context.

How to Use This Feature

Follow these simple steps to enable delegated administration.

Implementation Steps

1. Create a new role with type: tenant-admin
2. Assign role to a user under a specific tenant
3. User logs in and sees scoped admin console
4. All operations are isolated and validated via session tenant context
5. Audit all delegated actions per tenant via console or API

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.