ADR-0011: Shared-with-tenant-guard multi-tenancy model

  • Status: Accepted
  • Date: 2026-01-01
  • Deciders: Enterprise Architect, Security Architect
  • Tags: multi-tenancy, saas, isolation

Context

The factory is a multi-tenant SaaS platform and it generates multi-tenant SaaS products. It must isolate tenants strongly while keeping infrastructure cost-efficient at scale, and provide a premium option for customers requiring stronger isolation (see Multi-Tenancy).

Decision

Adopt a shared, tenant-aware model as the default: shared services and stores with tenantId enforced at every layer (token claim → ambient TenantContext → handler assertion → row-level data filter → event/subscription filter → per-tenant secrets). Offer database-per-tenant as a premium isolation tier. Generated products inherit this exact model via the ConnectSoft.Saas.* templates.
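The first four layers of that chain (token claim, ambient TenantContext, handler assertion, row-level filter), as an added sketch that is not ConnectSoft template code. Python `contextvars` and an in-memory SQLite table stand in for the real stack, every function, table and tenant name is constructed for illustration, and the token is assumed to have been signature-verified upstream.

```python
import contextvars
import sqlite3

# Ambient per-request tenant; stands in for the ADR's TenantContext (assumed shape).
tenant_ctx = contextvars.ContextVar("tenant_id")

class TenantGuardError(Exception):
    """Raised whenever a layer cannot prove the caller's tenant scope."""

def current_tenant():
    try:
        return tenant_ctx.get()
    except LookupError:
        raise TenantGuardError("no tenant bound to this request") from None

def handle(claims, handler, *args):
    # Layers 1-2: take tenantId from the already-verified token and bind it
    # for the duration of one request only.
    tenant_id = claims.get("tenantId")
    if not tenant_id:
        raise TenantGuardError("token carries no tenantId claim")
    token = tenant_ctx.set(tenant_id)
    try:
        return handler(*args)
    finally:
        tenant_ctx.reset(token)

def make_store():
    # Constructed sample data: two tenants sharing one table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "acme", 100), (2, "acme", 250), (3, "globex", 999)])
    return db

def list_invoices(db):
    # Layer 4: the tenant predicate comes from the context, never from input.
    sql = "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id"
    return db.execute(sql, (current_tenant(),)).fetchall()

def get_invoice(db, invoice_id, requested_tenant):
    # Layer 3: a tenant named in the request must match the token's tenant.
    if requested_tenant != current_tenant():
        raise TenantGuardError("request tenant does not match token tenant")
    # Layer 4 again: a guessed id from another tenant simply finds no row.
    sql = "SELECT id, amount FROM invoices WHERE id = ? AND tenant_id = ?"
    return db.execute(sql, (invoice_id, current_tenant())).fetchone()
```

Checks such as a cross-tenant id lookup returning no row, or a query outside any request failing closed, are the kind of isolation test the trade-off under Consequences says must run continuously.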

Consequences

Positive

  • Strong isolation with cost-efficient resource sharing; uniform model across factory and products.
  • Premium tier available for customers needing physical data separation.

Negative / trade-offs

  • Every handler and query must honor tenant scope; isolation must be continuously tested.

Neutral

  • Cross-tenant sharing only via explicitly published, classified marketplace/knowledge assets.

Alternatives considered

| Alternative | Why not chosen |
| --- | --- |
| Database-per-tenant for all | Cost and operational overhead at scale; offered as premium tier instead. |
| Silo (dedicated stack) per tenant | Too costly as default; reserved for special cases. |