VN-10 · Multi-Tenant Isolation & Onboarding
Status: Delivered
Roles needed: System admin (onboard tenant), two tenant admins
What the client asked for
"OneProtect is a multi-tenant MSSP SaaS platform... Multi-tenant logical isolation with row-level partitioning validates Postgres + RLS as the canonical tenant data path."
And hardened tenant-admin onboarding (identity created and verified before roles are granted).
What this proves
The platform is genuinely multi-tenant: a system admin can onboard a new tenant and its admin, and no tenant can ever see another tenant's data — enforced at the database level, not just in the UI.
How it works (at a glance)
Where to look in the portal
- Settings (system-admin tenant/user onboarding panel)
- Assets, Tickets, Alerts (to confirm isolation)
- Audit
Validation walkthrough
| # | Action | What you should see |
|---|---|---|
| 1 | Log in as system admin, open the tenant onboarding panel | A system-admin-only panel to create tenants and tenant admins |
| 2 | Create a new tenant and its tenant admin | The tenant and admin are created; weak passwords / missing identity config are rejected (fail-closed) |
| 3 | Confirm the identity was verified before roles were granted | Onboarding only commits roles after the identity provider user is created/verified |
| 4 | Log in as Tenant A admin, note Tenant A's assets/tickets | Tenant A data is visible |
| 5 | Log in as Tenant B admin, open the same pages | Only Tenant B data is visible; none of Tenant A's records appear |
| 6 | As Tenant B admin, attempt to view a Tenant A record by its identifier | Access is denied / not found (isolation holds even with a known ID) |
| 7 | Open Audit | Onboarding and role-assignment actions are recorded |
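Steps 4 to 6 only pass if the database itself filters rows by tenant. The script below is an added illustration, not the OneProtect schema or code: it shows one way a Postgres row-level-security policy keyed on a per-transaction tenant setting produces exactly the step 5 and step 6 behaviour, including the fail-closed case where no tenant is set. The table, column, role and setting names (assets, tenant_id, app_user, app.tenant_id) are assumptions, and the script is assumed to run as the table owner with permission to SET ROLE app_user.

```sql
-- Added illustration, not the OneProtect schema: one tenant-scoped table
-- guarded by Postgres row-level security. Table, column, role and setting
-- names (assets, tenant_id, app_user, app.tenant_id) are assumptions.
CREATE TABLE assets (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    hostname  text NOT NULL
);

-- Constructed seed rows for two tenants, inserted before RLS is switched on.
INSERT INTO assets (tenant_id, hostname) VALUES
    ('11111111-1111-1111-1111-111111111111', 'a-web-01'),  -- Tenant A, id 1
    ('22222222-2222-2222-2222-222222222222', 'b-db-01');   -- Tenant B, id 2

-- ENABLE applies RLS to ordinary roles; FORCE also binds the table owner,
-- so an application misconfigured to connect as the owner gets no free pass.
ALTER TABLE assets ENABLE ROW LEVEL SECURITY;
ALTER TABLE assets FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting. current_setting(..., true)
-- yields NULL when the setting was never defined, and NULLIF maps the empty
-- string it can yield after an earlier SET LOCAL has expired to NULL as well.
-- A comparison against NULL is never true, so an unset tenant matches zero
-- rows: the policy fails closed instead of exposing every tenant.
CREATE POLICY tenant_isolation ON assets
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application role owns nothing and lacks BYPASSRLS, so the policy applies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON assets TO app_user;
GRANT USAGE ON SEQUENCE assets_id_seq TO app_user;

-- Tenant B admin's request (walkthrough steps 5 and 6). SET LOCAL scopes the
-- tenant to this transaction, so it cannot leak through a pooled connection.
BEGIN;
SET ROLE app_user;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT id, hostname FROM assets;               -- Tenant B's rows only
SELECT id, hostname FROM assets WHERE id = 1;  -- Tenant A's known id is filtered out
INSERT INTO assets (tenant_id, hostname)       -- WITH CHECK also blocks writing
    VALUES ('11111111-1111-1111-1111-111111111111', 'planted');  -- into Tenant A
ROLLBACK;

-- No tenant set at all: the policy matches nothing rather than everything.
BEGIN;
SET ROLE app_user;
SELECT count(*) FROM assets;
ROLLBACK;
```

The rejected INSERT raises an error and aborts its transaction, which is why it is the last statement before ROLLBACK; a real application would additionally validate the tenant before ever issuing the write.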
Pass / fail checklist
- System admin can onboard a tenant and its tenant admin
- Weak passwords / missing identity configuration fail closed (no silent role grant)
- Identity is verified before tenant roles are committed
- Tenant A admin sees only Tenant A data
- Tenant B admin sees only Tenant B data
- A known Tenant A record identifier is not accessible to Tenant B
- Onboarding/role actions appear in Audit
Intentionally not in Phase 1
- Multi-mode tenant identity-provider federation choices (managed IdP vs self-hosted) are a separate architecture decision; Phase 1 runs on the provided identity provider.
Evidence to capture
- Screenshot of the onboarding panel and a created tenant.
- Side-by-side screenshots of Tenant A vs Tenant B Assets showing isolation.
- Screenshot of the onboarding audit entries.