# Pattern: Tenant Membership Boundary Status: seed Readiness target: RL3 production Primary owners: NetKingdom, product repos Genesis family: Identity and access ## Problem Multi-tenant systems become unsafe when global user identity is treated as proof of membership, authority, or role inside a tenant. ## Context Use this pattern for invitations, groups, tenant admin roles, product accounts, background jobs, audit events, and tenant-scoped policy. ## Forces - One human can belong to multiple tenants. - Tenant role assignment may be delegated to tenant administrators. - Platform roles must not leak into tenant roles. - Offboarding must revoke tenant membership without necessarily deleting global identity. ## Solution Represent tenant membership as an explicit relationship separate from global identity. Every tenant-scoped decision uses trusted identity plus membership, role, tenant, and resource context. ## Verification - Removing tenant membership blocks tenant access while preserving the global account where appropriate. - Cross-tenant membership tests fail closed. - Tenant admins can manage only delegated tenant-scoped membership. - Audit records include global identity and tenant membership context. ## Related Patterns - Tenant Context Propagation. - Role Composition. - Delegated Authorization. - Tenant Isolation.