Multi-Tenant SaaS Authorization Design Guide

Design a secure authorization model for multi-tenant SaaS apps with tenant isolation, RBAC/ABAC decisions, permission matrices, and test cases.

Prompt Template

You are a senior security architect designing authorization for a multi-tenant SaaS application. Build an authorization design guide for [application/product].

Application context:
- Tenant model: [single organization, workspaces, agencies with client accounts, marketplace, etc.]
- User roles: [owner, admin, manager, member, viewer, external collaborator, etc.]
- Sensitive resources: [projects, billing, reports, files, API keys, customer data]
- Actions to control: [create, read, update, delete, export, invite, approve, impersonate]
- Data store and stack: [PostgreSQL/RLS, Node, Rails, Django, Go, etc.]
- Authentication system: [email/password, SSO, OAuth, SAML]
- Compliance/security constraints: [SOC 2, HIPAA, GDPR, enterprise audit logs]
- Current risks or incidents: [cross-tenant access, overbroad admin, stale roles, etc.]

Deliver:
1. Recommended authorization model: RBAC, ABAC, ReBAC, or hybrid, with rationale
2. Tenant isolation rules and non-negotiable invariants
3. Permission matrix by role, resource, and action
4. Data model changes needed for roles, memberships, scopes, and audit logs
5. Pseudocode for a centralized permission check
6. API and database enforcement strategy, including row-level safeguards if applicable
7. Edge cases: invited users, ownership transfer, deactivated users, cross-tenant reporting, support impersonation
8. Security test cases and regression scenarios
9. Migration plan from the current model without breaking customers
10. Documentation notes for developers and enterprise admins

Flag any dangerous assumptions and recommend safer defaults.

Example Output

Authorization Design — Agency Analytics SaaS

Recommended model

Use hybrid RBAC + scoped attributes. Base roles cover common permissions, while resource scopes limit agencies to assigned client accounts. Do not rely on frontend checks for tenant boundaries.

Invariants

- Every project, report, API key, and export must have a tenant_id.
- A user may only act through an active membership in that tenant.
- Support impersonation must require approval, expiration, reason, and audit logging.

Permission Matrix

| Resource | Owner | Admin | Analyst | Client Viewer |
|---|---|---|---|---|
| Billing settings | CRUD | Read | No access | No access |
| Reports | CRUD | CRUD | Create/read/update assigned | Read assigned |
| API keys | CRUD | Create/read/revoke | No access | No access |

Permission Check Pseudocode

```javascript
function can(user, action, resource) {
  // Resolve membership by the resource's tenant, not a caller-supplied tenant.
  const membership = getActiveMembership(user.id, resource.tenantId);
  // No active membership in that tenant: deny before any role lookup.
  if (!membership) return false;
  // Role policy decides the action for this resource type within its scope.
  return policy[membership.role].allows(action, resource.type, resource.scope);
}
```

Regression tests

Attempt to fetch a report by ID from another tenant, export client data after role removal, and reuse an invitation after membership deactivation.
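The check above and the three regression scenarios, worked through as an added example (not code from the original page): the policy table is derived from the permission matrix, and the users, tenants, memberships and client-account scopes are constructed sample data.

```javascript
// Added example (not the page's own code): a centralized can() check that
// enforces "active membership in the resource's tenant" before consulting a
// role policy derived from the permission matrix above. All data is constructed.
const CRUD = ['create', 'read', 'update', 'delete'];

// Role -> resource type -> allowed actions. Analyst and Client Viewer rows are
// "assigned" only, so they additionally require a scope match (see SCOPED_ROLES).
const policy = {
  owner: { billing: CRUD, report: CRUD, apikey: CRUD },
  admin: { billing: ['read'], report: CRUD, apikey: ['create', 'read', 'revoke'] },
  analyst: { report: ['create', 'read', 'update'] },
  client_viewer: { report: ['read'] },
};
const SCOPED_ROLES = new Set(['analyst', 'client_viewer']);

// Constructed membership table: one row per (user, tenant). scope lists the
// client accounts a scoped role is assigned to.
const memberships = [
  { userId: 'u1', tenantId: 't1', role: 'analyst', status: 'active', scope: ['c100'] },
  { userId: 'u2', tenantId: 't2', role: 'owner', status: 'active', scope: [] },
  { userId: 'u3', tenantId: 't1', role: 'admin', status: 'deactivated', scope: [] },
];

function getActiveMembership(userId, tenantId) {
  return memberships.find(m =>
    m.userId === userId && m.tenantId === tenantId && m.status === 'active') || null;
}

// Simulates role removal / offboarding: the row stays for audit but is no longer active.
function deactivateMembership(userId, tenantId) {
  for (const m of memberships) {
    if (m.userId === userId && m.tenantId === tenantId) m.status = 'deactivated';
  }
}

function can(user, action, resource) {
  // Invariant: membership is looked up by the RESOURCE's tenant, never a
  // caller-supplied tenant, so a report fetched by ID from another tenant fails here.
  const membership = getActiveMembership(user.id, resource.tenantId);
  if (!membership) return false;
  const allowed = (policy[membership.role] || {})[resource.type] || [];
  if (!allowed.includes(action)) return false;
  // Scoped roles may only touch resources in their assigned client accounts.
  if (SCOPED_ROLES.has(membership.role)) return membership.scope.includes(resource.scope);
  return true;
}
```

Each denial happens in the backend check regardless of what the UI shows, which is the invariant the Tips section insists on.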

Tips for Best Results

  • 💡 List real resources and actions; generic role names are not enough for safe authorization design.
  • 💡 Ask for negative test cases, not just the happy-path permission matrix.
  • 💡 Include support/admin impersonation if your team can access customer accounts.
  • 💡 Treat tenant isolation as a backend invariant even when the UI hides cross-tenant data.