
Tenant isolation

For cost and operational efficiency reasons, SaaS products are often built as multi-tenant systems. In such a system you can run a single Vault and store your tenant id with every record kept in the Vault. In this setup, data may leak between tenants as a result of a software defect or misconfiguration.
The Vault includes a feature that helps you enforce tenant isolation. This safety mechanism is especially effective when you can easily identify the tenant id of a request at the start of the request and can generally trust it to be correct. Often this id is retrieved from a third-party authentication system that can be trusted independently. We recommend passing that tenant id to the Vault, which will lock the request to that specific tenant.

For example, assume a system with multiple tenants, each of which has many Person records in the Vault. Each tenant has a unique id, which is stored during every add object request. A request then arrives from tenant T to retrieve the details of person P. By passing X-Tenant-Id: T in the request header, as explained in the API documentation, the Vault enforces that person P is a member of that tenant. In case of a violation, i.e. person P does not belong to tenant T, the request is dropped to avoid any data leakage and the details are logged. Using these logs you can identify and fix tenant isolation issues in your application.
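The following is an added illustration of the enforcement logic described above, not the Vault's own code: an in-memory model in which each Person record carries the tenant id stored at add time, and a lookup is dropped and logged when the record's tenant does not match the X-Tenant-Id header. The `PEOPLE` records and the `AUDIT_LOG` list are constructed stand-ins for the Vault's storage and log sink.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Person:
    person_id: str
    tenant_id: str  # stored with the record during the add object request
    name: str

# Constructed sample data: two tenants, each owning one Person record.
PEOPLE = {
    "p1": Person("p1", "T1", "Alice"),
    "p2": Person("p2", "T2", "Bob"),
}

# Stand-in for the Vault's log sink; each entry is one isolation event.
AUDIT_LOG: list = []

def get_person(person_id: str, headers: dict) -> Optional[Person]:
    """Return `person_id` only if it belongs to the tenant named in X-Tenant-Id.

    A mismatch drops the request (returns None) and writes a log entry.
    Without the header no tenant check is applied, so the calling service
    must always send it for the isolation guarantee to hold.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    tenant = normalised.get("x-tenant-id")
    person = PEOPLE.get(person_id)
    if person is None:
        return None
    if tenant is not None and person.tenant_id != tenant:
        # Same "dropped" outcome as a missing record, so the caller learns
        # nothing about data held by other tenants; the log keeps the detail.
        AUDIT_LOG.append(
            f"tenant isolation violation: tenant={tenant} "
            f"person={person_id} owner={person.tenant_id}"
        )
        return None
    return person
```

Reviewing entries in `AUDIT_LOG` points to the code path that sent a request with the wrong tenant id, which is the defect the feature is designed to surface.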