generated from coulomb/repo-seed
1.3 KiB
1.3 KiB
Pattern: Tenant Membership Boundary
Status: seed Readiness target: RL3 production Primary owners: NetKingdom, product repos Genesis family: Identity and access
Problem
Multi-tenant systems become unsafe when global user identity is treated as proof of membership, authority, or role inside a tenant.
Context
Use this pattern for invitations, groups, tenant admin roles, product accounts, background jobs, audit events, and tenant-scoped policy.
Forces
- One human can belong to multiple tenants.
- Tenant role assignment may be delegated to tenant administrators.
- Platform roles must not leak into tenant roles.
- Offboarding must revoke tenant membership without necessarily deleting global identity.
Solution
Represent tenant membership as an explicit relationship separate from global identity. Every tenant-scoped decision uses trusted identity plus membership, role, tenant, and resource context.
Verification
- Removing tenant membership blocks tenant access while preserving the global account where appropriate.
- Cross-tenant membership tests fail closed.
- Tenant admins can manage only delegated tenant-scoped membership.
- Audit records include global identity and tenant membership context.
Related Patterns
- Tenant Context Propagation.
- Role Composition.
- Delegated Authorization.
- Tenant Isolation.