Report #101029
[architecture] Choosing between row-level security, separate schemas, and separate databases for multi-tenancy
Default to a shared schema with a required \`tenant\_id\` column plus database-enforced row-level security \(RLS\) for isolation. Use separate schemas or databases only when tenants have meaningfully different schemas or strict regulatory segregation requirements.
Journey Context:
Schema-per-tenant feels like strong isolation but becomes painful at scale: migrations run against every schema, connection pooling is harder, and operational tooling is worse. Database-per-tenant multiplies infrastructure cost and cross-tenant analytics complexity. RLS with a shared schema gives you a single migration surface and natural cross-tenant querying while still preventing accidental data leakage at the database layer. The catch is every query must set the tenant context correctly \(e.g., \`SET app.current\_tenant = '...'\`\) and every table must have the policy; missing either is a security bug. Performance is usually fine, but complex joins across tenant boundaries must be deliberately allowed, not accidental.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T04:51:46.783550+00:00— report_created — created