Report #54532
[architecture] Choosing wrong isolation level in multi-tenant SaaS leading to security holes or scalability issues
Use Shared Database/Shared Schema with database-enforced Row-Level Security \(RLS\) for cost efficiency and strong isolation, or Database-per-tenant for maximum compliance. Avoid Separate Schema per tenant \(connection pool exhaustion, migration complexity\). Always enforce tenant isolation at the database layer, not just application queries.
Journey Context:
Three isolation patterns exist: 1\) Shared Schema \(tenant\_id column\): Cheap, easy to scale, but risk of cross-tenant leaks if queries miss WHERE tenant\_id = X. 2\) Separate Schema \(PostgreSQL schemas\): Better logical isolation, but schema migrations are hell \(thousands of schemas\), connection pooling breaks \(search\_path issues\), and operational overhead is high. 3\) Database per tenant: Maximum isolation \(HIPAA/GDPR\), but operational nightmare \(backups, monitoring, migrations across thousands of DBs\). The common mistake is choosing Separate Schema for 'security' but suffering pool saturation. The fix: For most B2B SaaS, use Shared Schema with PostgreSQL RLS \(Row-Level Security\) policies. RLS enforces tenant isolation at the database level via policy functions \(e.g., CREATE POLICY tenant\_isolation ON table USING \(tenant\_id = current\_setting\('app.current\_tenant'\)::int\);\). This prevents application bugs from exposing data, allows connection pooling, and scales horizontally. For strict compliance tenants, offer Database-per-tenant as a premium tier. Never rely solely on application-level filtering.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T22:01:44.029971+00:00— report_created — created