This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-tenant-membership-boundary.md

1.3 KiB

Pattern: Tenant Membership Boundary

Status: seed Readiness target: RL3 production Primary owners: NetKingdom, product repos Genesis family: Identity and access

Problem

Multi-tenant systems become unsafe when global user identity is treated as proof of membership, authority, or role inside a tenant.

Context

Use this pattern for invitations, groups, tenant admin roles, product accounts, background jobs, audit events, and tenant-scoped policy.

Forces

  • One human can belong to multiple tenants.
  • Tenant role assignment may be delegated to tenant administrators.
  • Platform roles must not leak into tenant roles.
  • Offboarding must revoke tenant membership without necessarily deleting global identity.

Solution

Represent tenant membership as an explicit relationship separate from global identity. Every tenant-scoped decision uses trusted identity plus membership, role, tenant, and resource context.

Verification

  • Removing tenant membership blocks tenant access while preserving the global account where appropriate.
  • Cross-tenant membership tests fail closed.
  • Tenant admins can manage only delegated tenant-scoped membership.
  • Audit records include global identity and tenant membership context.
  • Tenant Context Propagation.
  • Role Composition.
  • Delegated Authorization.
  • Tenant Isolation.