Definition

Tenant Isolation

Multi-tenant data architecture where one user's data cannot be read or written by another user, enforced at multiple layers.

Tags: definition, security, architecture, saas

Tenant isolation guarantees that in a multi-user system, one user's data cannot be read or modified by another user, even when the application has a bug or a query omits a filter. Effective isolation is multi-layer: each layer catches failures the previous layer misses. A single-layer approach (application-only, or database-only) leaves a class of bugs that can leak data across tenants.

How It Works

The four-layer pattern:

1. A base repository class that scopes every query by user_id before execution.
2. A scoped bundle that vends only pre-scoped repository instances to business logic, so code outside the repository layer never builds an unscoped query.
3. A route audit that verifies every API endpoint accepts and threads an authenticated user identity into the scoped bundle.
4. Database-level row-level security (RLS) that rejects cross-tenant queries even if the application layers fail.

Each layer is independently auditable.
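Layers 1 and 2 of the pattern, as an added example that is not the Jobs-apply project's own code: a UserScopedRepository base class whose every query carries the tenant's user_id, a ScopedRepos bundle that is the only way business logic obtains repositories, and a check that cross-tenant reads and deletes simply find no rows. The schema, sample rows, and the in-memory SQLite stand-in for Postgres are constructed for the example; the constructor also refuses a missing user_id, which is the condition behind the orphaned user_id=NULL rows described below.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample schema and rows; not the project's real schema.
SCHEMA = """
CREATE TABLE jobs (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT);
INSERT INTO jobs VALUES (1, 100, 'alice-job'), (2, 200, 'bob-job');
"""

class UserScopedRepository:
    """Layer 1: every query is scoped by user_id before it reaches the DB."""
    table = None  # set by subclasses; a class constant, never user input

    def __init__(self, conn, user_id):
        if user_id is None:  # never let an unscoped repository exist
            raise ValueError("refusing to build a repository without a user_id")
        self.conn, self.user_id = conn, user_id

    def list(self):
        rows = self.conn.execute(
            f"SELECT id, title FROM {self.table} WHERE user_id = ?", (self.user_id,))
        return [{"id": r[0], "title": r[1]} for r in rows]

    def get(self, row_id):
        row = self.conn.execute(
            f"SELECT id, title FROM {self.table} WHERE id = ? AND user_id = ?",
            (row_id, self.user_id)).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def delete(self, row_id):
        cur = self.conn.execute(
            f"DELETE FROM {self.table} WHERE id = ? AND user_id = ?", (row_id, self.user_id))
        return cur.rowcount  # 0 when the row belongs to another tenant

class JobsRepository(UserScopedRepository):
    table = "jobs"

@dataclass
class ScopedRepos:
    """Layer 2: business logic only ever receives pre-scoped repositories."""
    jobs: JobsRepository

    @classmethod
    def for_user(cls, conn, user_id):
        return cls(jobs=JobsRepository(conn, user_id))

def cross_tenant_checks():
    """Exercise the isolation tests the text describes: reads, deletes, and persistence."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    alice, bob = ScopedRepos.for_user(conn, 100), ScopedRepos.for_user(conn, 200)
    return {
        "alice_sees_only_own": [j["id"] for j in alice.jobs.list()],
        "bob_read_of_alice_job": bob.jobs.get(1),        # None: scoped out
        "bob_delete_of_alice_job": bob.jobs.delete(1),   # 0 rows affected
        "alice_job_still_present": alice.jobs.get(1) is not None,
    }
```

Layer 4 is not shown: SQLite has no row-level security, so the Postgres policies would be exercised against a real database in the same test suite.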

Example

Jobs-apply shipped 4-layer tenant isolation in a single day (Apr 11): a UserScopedRepository base class, a ScopedRepos bundle, a 47-route audit, and Postgres RLS on 12 tables. 20 tenant-isolation tests verified that cross-tenant reads, writes, and deletes all fail. The prior DB had 607 orphaned applications and 3,912 orphaned jobs with user_id=NULL: evidence that application-only scoping had silently failed.