KeycloakCon Japan 2025

As organizations undergo digital transformation and adopt zero-trust security models, traditional role-based access control (RBAC) is becoming insufficient.
The new, volatile landscapes we face necessitate precise and context-based authorizations—thus the advent of attribute-based access control (ABAC) is here!This session will take IAM professionals through the real journey from RBAC to ABAC using Keycloak. We will highlight that it is possible to utilize an approach that eliminates static roles and also place policies on user attributes, resource exceptionalities, times, locations, etc. Participants will see real-world scenarios—like prohibiting financial transactions elevated by the age of an accounting account, or only allowing access to healthcare records when an active shift is scheduled—and how to design, deploy, and govern access control policies programmatically and at scale.The session will substantiate my experiences with building access control policies by addressing common struggles we all share—policy complexity, policy performance, etc.—and demonstrate how to extend Keycloak's policy authority into external policy engines for advanced policing. It aims to provide useful operational strategies and tested patterns for those either modernizing legacy technologies or creating cloud-centric applications to deliver compliant and secure access control.