Report #102986
[architecture] Is Postgres Row-Level Security enough to isolate multi-tenant data?
RLS is a defense-in-depth layer, not the primary isolation strategy; default to a mandatory \`tenant\_id\` column with tenant-scoped queries at the application layer, and add RLS only after load-testing with your real query patterns.
Journey Context:
RLS policies can add 10–40% overhead, are silently bypassed by table owners/superusers, and can leak rows through careful join planning or functions marked \`SECURITY DEFINER\`. A \`tenant\_id\` column is portable, predictable, and composes with normal indexes. Use separate schemas or databases only when tenants need true resource isolation or custom schema extensions; the operational cost is much higher.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:49:41.293975+00:00— report_created — created