search

Multi-Tenancy

Atlas Auth Guard implements a comprehensive multi-tenant architecture that provides complete data isolation between organizations, teams, and projects.

hashtag
What is Multi-Tenancy?

Multi-tenancy allows a single instance of the application to serve multiple customers (tenants) while keeping their data completely isolated.

┌─────────────────────────────────────────────────────────────────────────────┐
│                    ATLAS AUTH GUARD - SINGLE INSTANCE                        │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐              │
│  │  Organization A │  │  Organization B │  │  Organization C │              │
│  │  (Turing)       │  │  (Partner Co)   │  │  (Client Inc)   │              │
│  │                 │  │                 │  │                 │              │
│  │  ┌───────────┐  │  │  ┌───────────┐  │  │  ┌───────────┐  │              │
│  │  │  Team 1   │  │  │  │  Team X   │  │  │  │  Team P   │  │              │
│  │  │  Team 2   │  │  │  │  Team Y   │  │  │  │  Team Q   │  │              │
│  │  │  Team 3   │  │  │  └───────────┘  │  │  └───────────┘  │              │
│  │  └───────────┘  │  │                 │  │                 │              │
│  │                 │  │                 │  │                 │              │
│  │  🔒 ISOLATED    │  │  🔒 ISOLATED    │  │  🔒 ISOLATED    │              │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘              │
│                                                                              │
│  ═══════════════════════════════════════════════════════════════════════    │
│                     SHARED INFRASTRUCTURE                                    │
│  ═══════════════════════════════════════════════════════════════════════    │
│                                                                              │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐        │
│  │  Database   │  │   Cache     │  │  Auth Guard │  │  Backend    │        │
│  │  (Postgres) │  │   (Redis)   │  │  (FastAPI)  │  │  Services   │        │
│  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘        │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

hashtag
Benefits

Benefit
Description

Cost Efficiency

Shared infrastructure reduces operational costs

Scalability

Single deployment scales for all tenants

Maintenance

One codebase, one deployment, easier updates

Security

Logical isolation enforced at every layer

hashtag
Tenant Hierarchy

Atlas Auth Guard uses a three-level tenant hierarchy:

hashtag
Level Details

Level
Purpose
Key Features

Organization

Root tenant, billing entity

SSO settings, MFA policies, user domain

Team

Logical user grouping

Service access policy, member management

Project

Isolated workspace

Own API key, data isolation, metadata

hashtag
Data Isolation

Data isolation is enforced at every layer to ensure tenants cannot access each other's data.

hashtag
How Isolation Works

hashtag
Isolation Guarantees

Guarantee
Implementation

Cross-Org Isolation

org_id checked at every request

Cross-Team Isolation

team_id validated against membership

Cross-Project Isolation

project_id injected in headers, backend filters

API Key Isolation

API keys bound to specific project

Data Isolation

All database queries filtered by tenant IDs

hashtag
Tenant Identifiers

Every piece of data in the system is tagged with tenant identifiers:

hashtag
Identifier Hierarchy

hashtag
Denormalization

We denormalize org_id and team_id into child records for efficient querying:

Record Type
Contains

Team

org_id

Project

org_id, team_id

User Team Role

org_id

User Project Role

org_id, team_id

API Key

org_id, team_id, project_id

Backend Data

org_id, team_id, project_id

This allows efficient queries like:

hashtag
Access Control

Multi-tenancy integrates with RBAC (Role-Based Access Control):

hashtag
Role Scope

hashtag
Access Decision Flow

hashtag
Team Service Policy

Each team has a service access policy that controls which backend services team members can use:

hashtag
Policy Bypass

Role
Bypasses Team Policy?

super_admin

✅ Yes - Platform-wide access

org_admin

✅ Yes - Organization-wide access

team_admin

❌ No - Still subject to team policy

team_member

❌ No - Subject to team policy

project_admin

❌ No - Subject to team policy

editor

❌ No - Subject to team policy

viewer

❌ No - Subject to team policy

hashtag
JWT Token Structure

The JWT token contains the user's tenant context:

hashtag
Token Context Selection

When a user logs in, they select their team and project context:

hashtag
Backend Integration

Backend services must properly handle multi-tenancy:

hashtag
Required Header Usage

hashtag
Common Mistakes to Avoid

❌ Wrong
✅ Correct

SELECT * FROM objects

SELECT * FROM objects WHERE project_id = ?

Ignoring X-Project-ID header

Always filter by X-Project-ID

Trusting user-provided project_id

Only trust headers from Auth Guard

Not setting tenant IDs on create

Always set org_id, team_id, project_id

hashtag
Best Practices

hashtag
For Administrators

Practice
Reason

One team per department

Clear ownership

Meaningful team names

Easy identification

Review team policies regularly

Ensure appropriate access

Audit cross-team access

Detect anomalies

hashtag
For Developers

Practice
Reason

Always filter by project_id

Ensure data isolation

Trust only Auth Guard headers

Security

Log tenant context

Audit trail

Test with multiple tenants

Verify isolation

hashtag
For Security

Practice
Reason

Validate tenant IDs

Prevent injection

Monitor cross-tenant attempts

Detect attacks

Regular access reviews

Remove stale access

Encrypt tenant data

Defense in depth

hashtag
Troubleshooting

hashtag
"You are not a member of this team"

Cause: User's JWT contains a team_id they're not a member of.

Solution:

  1. Add user to the team

  2. User re-logs in to get new JWT

hashtag
"Service not allowed for this team"

Cause: Team's service policy doesn't include the requested service.

Solution:

  1. Add service to team's allowed_services

  2. No re-login needed

hashtag
"Cross-tenant access denied"

Cause: User trying to access resource from different org/team.

Solution:

  1. This is expected behavior

  2. User needs proper membership in the target tenant

hashtag
"Data not appearing"

Cause: Backend not filtering by project_id.

Solution:

  1. Verify backend uses X-Project-ID header

  2. Check database queries include project_id filter

PreviousIntroductionNextSecurity Model

Last updated