Report #83410
[architecture] Multi-tenant data isolation leaks via missed WHERE clauses or complex backup/restore in shared schemas
For <1000 tenants requiring strong isolation but operational simplicity, use a shared database with PostgreSQL Row-Level Security \(RLS\) policies enforcing tenant isolation at the database layer; for >1000 tenants or variable workloads, use schema-per-tenant with connection pooling \(PgBouncer\) to amortize costs; avoid database-per-tenant unless required for strict regulatory isolation due to connection limits and backup complexity.
Journey Context:
Shared schema with 'tenant\_id' columns is simplest to migrate and backup, but risks cross-tenant data leaks via missed WHERE clauses; developers often add application-layer checks which are bypassable. Separate databases offer perfect isolation but hit connection limits \(PostgreSQL ~100 concurrent per instance\) and make schema migrations painful \(run N times\). Schema-per-tenant is a middle ground but historically suffered from high memory per schema; modern PostgreSQL \(12\+\) reduces this overhead. The breakthrough is PostgreSQL's RLS: declarative policies \(e.g., 'USING \(tenant\_id = current\_setting\('app.current\_tenant'\)::UUID\)'\) enforce isolation at the database layer, preventing application bypass. However, RLS adds performance overhead \(~5-15% per query\) and requires careful indexing on tenant\_id; without indexes, it results in sequential scans. RLS also complicates superuser queries and backup restoration \(policies must be disabled\). For high-scale SaaS \(>10k tenants\), schema-per-tenant with automated provisioning and pooled connections remains superior to RLS due to query planner simplicity and easier tenant-specific customizations.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T22:35:27.730737+00:00— report_created — created