This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-tenant-context-propagation.md

2.4 KiB

Pattern: Tenant Context Propagation

Status: draft Readiness target: RL3 production Primary owners: NetKingdom, product repos, Railiance platform

Problem

Tenant isolation breaks when request handlers, background jobs, events, storage access, or audit records lose the tenant context that justified the action.

Context

Use this pattern for APIs, workers, queues, schedulers, event streams, data stores, object storage, audit events, and admin workflows.

Forces

  • Tenant context must be explicit and authenticated.
  • Some actions are platform-scoped and must not masquerade as tenant actions.
  • Background jobs often outlive the original request.
  • Logs and policy decisions need the same tenant correlation.

Solution

Carry tenant context as a required field in trusted request, job, event, authorization, storage, and audit envelopes. Derive it from identity or controlled platform context, not from arbitrary user input.

Implementation Sketch

  1. Define tenant id and platform-scope semantics.
  2. Add tenant context to API, job, and event envelopes.
  3. Require flex-auth decisions to include tenant scope.
  4. Persist tenant context through queues and background workers.
  5. Include tenant id in audit and detection events.
  6. Reject ambiguous or conflicting tenant context.

Failure Modes

Failure Mitigation
Tenant id is passed as untrusted parameter derive from trusted identity/session claims
Worker jobs omit tenant id require typed job envelopes and tests
Platform job uses tenant scope accidentally distinguish platform-scope explicitly
Audit records miss tenant make tenant field required for tenant actions
  • Tenant isolation.
  • Authorization and access control.
  • Application and API security.
  • Observability, detection, and audit.

Maturity

Draft. This is foundational for multi-tenant correctness and should be promoted with product conformance tests.

Verification

  • Request, job, event, policy, and audit envelopes include tenant scope.
  • Ambiguous tenant context fails closed.
  • Platform-scope operations are explicitly marked and reviewed.
  • Cross-tenant propagation tests fail for APIs and workers.

Research Basis

Seeded by tenant context propagation, tenant identity boundary, tenant-scoped authorization, and tenant data partitioning.

References

  • Initial exploration: Tenant isolation patterns.
  • Initial exploration: Application and API security.