Report #103454
[architecture] Choosing the wrong tenant isolation model in Postgres
Start with row-level security \(RLS\) policies on a single shared schema for simplicity; move to schema-per-tenant or database-per-tenant only when you need strong isolation, per-tenant customization, or independent scaling.
Journey Context:
Database-per-tenant gives the strongest isolation but the highest operational cost \(backups, migrations, connection pooling\). Schema-per-tenant shares compute and allows customization but still multiplies migration work. RLS in a shared schema is simplest and cheapest, but security depends entirely on the application always setting the tenant context correctly; superuser or misconfigured roles bypass policies. The common error is defaulting to separate databases 'for security' when RLS plus proper connection policy would suffice.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:25:23.877758+00:00— report_created — created