Amazon Verified Permissions multi-tenant design considerations - AWS Prescriptive Guidance

There are several design options to consider when you implement authorization by using Amazon Verified Permissions in a multi-tenant SaaS solution. Before exploring these options, let's clarify the difference between isolation and authorization in a multi-tenant SaaS context. Isolating a tenant prevents inbound and outbound data from being exposed to the wrong tenant. Authorization ensures that a user has the permissions to access a tenant.

In Verified Permissions, policies are stored in a policy store. As described in the Verified Permissions documentation, you can either isolate the policies of tenants by using a separate policy store for each tenant, or allow tenants to share policies by using a single policy store for all tenants. This section discusses the advantages and disadvantages of these two isolation strategies, and describes how they can be deployed by using a tiered deployment model. For additional context, see the Verified Permissions documentation.
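The two strategies differ in how a request reaches a policy store. The sketch below is an added example, not code from the AWS guidance; it assumes a deployment where some tenants have their own store and the rest share one. The registry, the placeholder store IDs, the `MyApp::` entity types and the `tenant` attribute are all hypothetical.

```python
# Constructed sample registry: tenant IDs and policy store IDs are placeholders.
SHARED_STORE_ID = "PLACEHOLDER-SHARED-STORE"
TENANT_REGISTRY = {
    "tenant-a": {"policy_store_id": "PLACEHOLDER-STORE-TENANT-A"},
    "tenant-b": {"policy_store_id": None},
    "tenant-c": {"policy_store_id": None},
}


class UnknownTenant(Exception):
    """Raised so the caller denies the request; there is no default store."""


def resolve_policy_store(tenant_id):
    """Return (policy_store_id, is_shared) for a tenant ID taken from a validated token."""
    record = TENANT_REGISTRY.get(tenant_id)
    if record is None:
        raise UnknownTenant(tenant_id)
    if record["policy_store_id"]:
        return record["policy_store_id"], False  # per-tenant policy store
    return SHARED_STORE_ID, True  # single store shared by the remaining tenants


def entity(entity_type, entity_id, tenant_id):
    """Entity record carrying the hypothetical `tenant` attribute."""
    return {
        "identifier": {"entityType": entity_type, "entityId": entity_id},
        "attributes": {"tenant": {"string": tenant_id}},
    }


def build_is_authorized_request(tenant_id, user_id, action_id, doc_id, doc_tenant_id):
    """Build IsAuthorized parameters; doc_tenant_id comes from the application's own data."""
    store_id, is_shared = resolve_policy_store(tenant_id)
    principal = entity("MyApp::User", user_id, tenant_id)
    resource = entity("MyApp::Document", doc_id, doc_tenant_id)
    request = {
        "policyStoreId": store_id,
        "principal": principal["identifier"],
        "action": {"actionType": "MyApp::Action", "actionId": action_id},
        "resource": resource["identifier"],
    }
    if is_shared:
        # Shared policies evaluate every tenant's requests, so tenancy must travel
        # as data the policies can compare (principal.tenant vs resource.tenant).
        request["entities"] = {"entityList": [principal, resource]}
    return request
```

The returned dictionary has the shape of the parameters accepted by the boto3 `verifiedpermissions` client's `is_authorized` call. The tenant ID passed in should come from a validated token, never from a client-supplied field.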

Although the criteria discussed in this section focus on Verified Permissions, the general concepts are rooted in the isolation mindset and the guidance it provides. SaaS applications must always consider tenant isolation as part of their design, and this general principle of isolation extends to including Verified Permissions in a SaaS application. This section also references core SaaS isolation models such as the siloed SaaS model and the pooled SaaS model. For additional information, see the core isolation concepts in the AWS Well-Architected Framework, SaaS Lens.

Key considerations when designing multi-tenant SaaS solutions are tenant isolation and tenant onboarding. Tenant isolation impacts security, privacy, resiliency, and performance. Tenant onboarding impacts your operational processes as it relates to operational overhead and observability. Organizations that go through a SaaS journey or implement multi-tenant solutions must always prioritize how tenancy will be handled by the SaaS application. Although a SaaS solution might lean toward a particular isolation model, consistency is not necessarily required across the entire SaaS solution. For example, the isolation model you choose for the frontend components of your application might not be the same as the isolation model you choose for a microservice or authorization services.