This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-tenant-membership-boundary.md

46 lines
1.3 KiB
Markdown

# Pattern: Tenant Membership Boundary
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, product repos
Genesis family: Identity and access
## Problem
Multi-tenant systems become unsafe when global user identity is treated
as proof of membership, authority, or role inside a tenant.
## Context
Use this pattern for invitations, groups, tenant admin roles, product
accounts, background jobs, audit events, and tenant-scoped policy.
## Forces
- One human can belong to multiple tenants.
- Tenant role assignment may be delegated to tenant administrators.
- Platform roles must not leak into tenant roles.
- Offboarding must revoke tenant membership without necessarily deleting
global identity.
## Solution
Represent tenant membership as an explicit relationship separate from
global identity. Every tenant-scoped decision uses trusted identity plus
membership, role, tenant, and resource context.
## Verification
- Removing tenant membership blocks tenant access while preserving the
global account where appropriate.
- Cross-tenant membership tests fail closed.
- Tenant admins can manage only delegated tenant-scoped membership.
- Audit records include global identity and tenant membership context.
## Related Patterns
- Tenant Context Propagation.
- Role Composition.
- Delegated Authorization.
- Tenant Isolation.