Multi-Tenancy
Atlas Auth Guard implements a comprehensive multi-tenant architecture that provides complete data isolation between organizations, teams, and projects.
What is Multi-Tenancy?
Multi-tenancy allows a single instance of the application to serve multiple customers (tenants) while keeping their data completely isolated.
┌─────────────────────────────────────────────────────────────────────────────┐
│ ATLAS AUTH GUARD - SINGLE INSTANCE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Organization A │ │ Organization B │ │ Organization C │ │
│ │ (Turing) │ │ (Partner Co) │ │ (Client Inc) │ │
│ │ │ │ │ │ │ │
│ │ ┌───────────┐ │ │ ┌───────────┐ │ │ ┌───────────┐ │ │
│ │ │ Team 1 │ │ │ │ Team X │ │ │ │ Team P │ │ │
│ │ │ Team 2 │ │ │ │ Team Y │ │ │ │ Team Q │ │ │
│ │ │ Team 3 │ │ │ └───────────┘ │ │ └───────────┘ │ │
│ │ └───────────┘ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ 🔒 ISOLATED │ │ 🔒 ISOLATED │ │ 🔒 ISOLATED │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
│ ═══════════════════════════════════════════════════════════════════════ │
│ SHARED INFRASTRUCTURE │
│ ═══════════════════════════════════════════════════════════════════════ │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Database │ │ Cache │ │ Auth Guard │ │ Backend │ │
│ │ (Postgres) │ │ (Redis) │ │ (FastAPI) │ │ Services │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘Benefits
Cost Efficiency
Shared infrastructure reduces operational costs
Scalability
Single deployment scales for all tenants
Maintenance
One codebase, one deployment, easier updates
Security
Logical isolation enforced at every layer
Tenant Hierarchy
Atlas Auth Guard uses a three-level tenant hierarchy:
Level Details
Organization
Root tenant, billing entity
SSO settings, MFA policies, user domain
Team
Logical user grouping
Service access policy, member management
Project
Isolated workspace
Own API key, data isolation, metadata
Data Isolation
Data isolation is enforced at every layer to ensure tenants cannot access each other's data.
How Isolation Works
Isolation Guarantees
Cross-Org Isolation
org_id checked at every request
Cross-Team Isolation
team_id validated against membership
Cross-Project Isolation
project_id injected in headers, backend filters
API Key Isolation
API keys bound to specific project
Data Isolation
All database queries filtered by tenant IDs
Tenant Identifiers
Every piece of data in the system is tagged with tenant identifiers:
Identifier Hierarchy
Denormalization
We denormalize org_id and team_id into child records for efficient querying:
Team
org_id
Project
org_id, team_id
User Team Role
org_id
User Project Role
org_id, team_id
API Key
org_id, team_id, project_id
Backend Data
org_id, team_id, project_id
This allows efficient queries like:
Access Control
Multi-tenancy integrates with RBAC (Role-Based Access Control):
Role Scope
Access Decision Flow
Team Service Policy
Each team has a service access policy that controls which backend services team members can use:
Policy Bypass
super_admin
✅ Yes - Platform-wide access
org_admin
✅ Yes - Organization-wide access
team_admin
❌ No - Still subject to team policy
team_member
❌ No - Subject to team policy
project_admin
❌ No - Subject to team policy
editor
❌ No - Subject to team policy
viewer
❌ No - Subject to team policy
JWT Token Structure
The JWT token contains the user's tenant context:
Token Context Selection
When a user logs in, they select their team and project context:
Backend Integration
Backend services must properly handle multi-tenancy:
Required Header Usage
Common Mistakes to Avoid
SELECT * FROM objects
SELECT * FROM objects WHERE project_id = ?
Ignoring X-Project-ID header
Always filter by X-Project-ID
Trusting user-provided project_id
Only trust headers from Auth Guard
Not setting tenant IDs on create
Always set org_id, team_id, project_id
Best Practices
For Administrators
One team per department
Clear ownership
Meaningful team names
Easy identification
Review team policies regularly
Ensure appropriate access
Audit cross-team access
Detect anomalies
For Developers
Always filter by project_id
Ensure data isolation
Trust only Auth Guard headers
Security
Log tenant context
Audit trail
Test with multiple tenants
Verify isolation
For Security
Validate tenant IDs
Prevent injection
Monitor cross-tenant attempts
Detect attacks
Regular access reviews
Remove stale access
Encrypt tenant data
Defense in depth
Troubleshooting
"You are not a member of this team"
Cause: User's JWT contains a team_id they're not a member of.
Solution:
Add user to the team
User re-logs in to get new JWT
"Service not allowed for this team"
Cause: Team's service policy doesn't include the requested service.
Solution:
Add service to team's allowed_services
No re-login needed
"Cross-tenant access denied"
Cause: User trying to access resource from different org/team.
Solution:
This is expected behavior
User needs proper membership in the target tenant
"Data not appearing"
Cause: Backend not filtering by project_id.
Solution:
Verify backend uses X-Project-ID header
Check database queries include project_id filter
Last updated