generated from coulomb/repo-seed
46 lines
1.3 KiB
Markdown
46 lines
1.3 KiB
Markdown
# Pattern: Tenant Membership Boundary
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: NetKingdom, product repos
|
|
Genesis family: Identity and access
|
|
|
|
## Problem
|
|
|
|
Multi-tenant systems become unsafe when global user identity is treated
|
|
as proof of membership, authority, or role inside a tenant.
|
|
|
|
## Context
|
|
|
|
Use this pattern for invitations, groups, tenant admin roles, product
|
|
accounts, background jobs, audit events, and tenant-scoped policy.
|
|
|
|
## Forces
|
|
|
|
- One human can belong to multiple tenants.
|
|
- Tenant role assignment may be delegated to tenant administrators.
|
|
- Platform roles must not leak into tenant roles.
|
|
- Offboarding must revoke tenant membership without necessarily deleting
|
|
global identity.
|
|
|
|
## Solution
|
|
|
|
Represent tenant membership as an explicit relationship separate from
|
|
global identity. Every tenant-scoped decision uses trusted identity plus
|
|
membership, role, tenant, and resource context.
|
|
|
|
## Verification
|
|
|
|
- Removing tenant membership blocks tenant access while preserving the
|
|
global account where appropriate.
|
|
- Cross-tenant membership tests fail closed.
|
|
- Tenant admins can manage only delegated tenant-scoped membership.
|
|
- Audit records include global identity and tenant membership context.
|
|
|
|
## Related Patterns
|
|
|
|
- Tenant Context Propagation.
|
|
- Role Composition.
|
|
- Delegated Authorization.
|
|
- Tenant Isolation.
|