Platform Mesh separates authentication, authorization data, and control-plane enforcement across several runtime components.
Use this page to understand the conceptual relationship. Use Reference only for concrete component and resource lookup.
| Area | Platform Mesh role |
|---|---|
| Authentication | Keycloak is the default identity provider used by the local setup. |
| Authorization data | The OpenFGA engine holds one IAM store per organization, declared by a Store CR. Account workspaces under that organization share the organization’s store, which carries relationship-based authorization data for the organization, its accounts, and provider-consumer relationships. |
| Enforcement | rebac-authz-webhook participates in kcp authorization decisions. |
| Account lifecycle | Platform Mesh automation wires identity and authorization state as accounts and organizations are created. |
```mermaid
flowchart LR
Account["Account or organization"]
Store["IAM store<br>OpenFGA"]
Webhook["rebac-authz-webhook"]
Kcp["kcp authorizer chain"]
Account --> Store
Store --> Webhook
Webhook --> Kcp
```
Missing or stale authorization data can surface as authorization failures in kcp, the Kubernetes GraphQL gateway, or the portal.
Every API request that reaches kcp passes through this chain in order. When a request is denied, the deny comes from one of these stages:
SubjectAccessReview to the webhook, which translates it into a Check against the organization OpenFGA store for the target account workspace and returns allow or deny. This is where Platform Mesh's relationship-based decisions land.

If every stage returns "no opinion", the request is denied by default. The webhook is configured with failurePolicy: NoOpinion, so an unreachable webhook is treated as having no opinion rather than as a deny: it cannot allow traffic on its own, but it also does not stop a later authorizer in the chain from allowing the request. The alternative, failurePolicy: Deny, fails closed and rejects the request whenever the webhook cannot be reached.
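The following Go program is an added example, not code from Platform Mesh, kcp or rebac-authz-webhook. It models the chain described above and the per-organization store from the table with toy types: a trimmed `SAR` stand-in for a SubjectAccessReview, an in-memory `Store` whose `Check` mimics the shape of the OpenFGA Check API, a `Webhook` stage that translates the review into a Check and applies the configured failure policy, and a `Chain` with union-authorizer semantics (first Allow or Deny wins, all-NoOpinion denies). The verb-to-relation mapping, the `user:`/`workspace:` object naming, the `Workspace` field on the review, and all tuples are assumptions constructed for the example; the real webhook's mapping is not on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Decision is the three-valued result a kcp/Kubernetes authorizer returns.
type Decision int

const (
	NoOpinion Decision = iota
	Allow
	Deny
)

func (d Decision) String() string { return [...]string{"NoOpinion", "Allow", "Deny"}[d] }

// SAR is a trimmed stand-in for authorization.k8s.io/v1 SubjectAccessReview
// (constructed for this example; the real object carries many more fields).
type SAR struct {
	User      string
	Workspace string // target account workspace; how the real webhook derives it is not on this page
	Verb      string
}

// Tuple is an OpenFGA-style relationship tuple: User has Relation on Object.
type Tuple struct{ User, Relation, Object string }

// Store is a toy in-memory stand-in for one organization's IAM store;
// Check mimics the shape of the OpenFGA Check API (allowed, or a transport error).
type Store struct {
	Tuples map[Tuple]bool
	Down   bool // simulates an unreachable OpenFGA engine
}

func (s *Store) Check(t Tuple) (bool, error) {
	if s.Down {
		return false, errors.New("openfga: store unreachable")
	}
	return s.Tuples[t], nil
}

// verbToRelation is an assumed mapping; the real webhook's mapping is not on this page.
func verbToRelation(verb string) string {
	switch verb {
	case "get", "list", "watch":
		return "viewer"
	}
	return "editor"
}

// Authorizer is one stage of the kcp authorizer chain.
type Authorizer func(SAR) (Decision, error)

// Webhook turns a SAR into a Check against the org store. failClosed=false models
// failurePolicy: NoOpinion, failClosed=true models failurePolicy: Deny.
func Webhook(store *Store, failClosed bool) Authorizer {
	return func(sar SAR) (Decision, error) {
		ok, err := store.Check(Tuple{"user:" + sar.User, verbToRelation(sar.Verb), "workspace:" + sar.Workspace})
		switch {
		case err != nil && failClosed:
			return Deny, err
		case err != nil:
			return NoOpinion, err
		case ok:
			return Allow, nil
		}
		return Deny, nil
	}
}

// Chain applies union-authorizer semantics: the first Allow or Deny wins,
// and a chain in which every stage has no opinion denies by default.
func Chain(sar SAR, stages ...Authorizer) Decision {
	for _, stage := range stages {
		if d, _ := stage(sar); d != NoOpinion {
			return d
		}
	}
	return Deny
}

// Scenarios evaluates the cases a practitioner should be able to predict.
func Scenarios() map[string]Decision {
	store := &Store{Tuples: map[Tuple]bool{{"user:alice", "viewer", "workspace:acct-1"}: true}}
	down := &Store{Down: true}
	alwaysAllow := func(SAR) (Decision, error) { return Allow, nil } // a later, permissive stage
	get := SAR{User: "alice", Workspace: "acct-1", Verb: "get"}
	return map[string]Decision{
		"tuple present, get":               Chain(get, Webhook(store, false)),
		"tuple present, delete":            Chain(SAR{"alice", "acct-1", "delete"}, Webhook(store, false)),
		"no tuple for workspace":           Chain(SAR{"alice", "acct-2", "get"}, Webhook(store, false)),
		"store down, NoOpinion only":       Chain(get, Webhook(down, false)),
		"store down, NoOpinion then allow": Chain(get, Webhook(down, false), alwaysAllow),
		"store down, Deny then allow":      Chain(get, Webhook(down, true), alwaysAllow),
	}
}

func main() {
	for name, d := range Scenarios() {
		fmt.Printf("%-34s -> %s\n", name, d)
	}
}
```

The two "store down" cases with a later permissive stage are the ones worth remembering when debugging an authorization failure: with NoOpinion an unreachable store only denies because nothing after it allows, whereas with Deny the dead webhook rejects the request regardless of what follows it in the chain.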
For the actual AuthorizationConfiguration YAML, the webhook deployment args, and per-workspace OIDC, see Identity and authorization reference.