This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-tenant-context-propagation.md

78 lines
2.4 KiB
Markdown

# Pattern: Tenant Context Propagation
Status: draft
Readiness target: RL3 production
Primary owners: NetKingdom, product repos, Railiance platform
## Problem
Tenant isolation breaks when request handlers, background jobs, events,
storage access, or audit records lose the tenant context that justified
the action.
## Context
Use this pattern for APIs, workers, queues, schedulers, event streams,
data stores, object storage, audit events, and admin workflows.
## Forces
- Tenant context must be explicit and authenticated.
- Some actions are platform-scoped and must not masquerade as tenant
actions.
- Background jobs often outlive the original request.
- Logs and policy decisions need the same tenant correlation.
## Solution
Carry tenant context as a required field in trusted request, job, event,
authorization, storage, and audit envelopes. Derive it from identity or
controlled platform context, not from arbitrary user input.
## Implementation Sketch
1. Define tenant id and platform-scope semantics.
2. Add tenant context to API, job, and event envelopes.
3. Require flex-auth decisions to include tenant scope.
4. Persist tenant context through queues and background workers.
5. Include tenant id in audit and detection events.
6. Reject ambiguous or conflicting tenant context.
## Failure Modes
| Failure | Mitigation |
| --- | --- |
| Tenant id is passed as untrusted parameter | derive from trusted identity/session claims |
| Worker jobs omit tenant id | require typed job envelopes and tests |
| Platform job uses tenant scope accidentally | distinguish platform-scope explicitly |
| Audit records miss tenant | make tenant field required for tenant actions |
## Related Capabilities
- Tenant isolation.
- Authorization and access control.
- Application and API security.
- Observability, detection, and audit.
## Maturity
Draft. This is foundational for multi-tenant correctness and should be
promoted with product conformance tests.
## Verification
- Request, job, event, policy, and audit envelopes include tenant scope.
- Ambiguous tenant context fails closed.
- Platform-scope operations are explicitly marked and reviewed.
- Cross-tenant propagation tests fail for APIs and workers.
## Research Basis
Seeded by tenant context propagation, tenant identity boundary,
tenant-scoped authorization, and tenant data partitioning.
## References
- Initial exploration: Tenant isolation patterns.
- Initial exploration: Application and API security.