OPA multi-tenant design considerations - AWS Prescriptive Guidance

OPA multi-tenant design considerations

The Open Policy Agent (OPA) is a general-purpose policy engine that can be applied to numerous use cases where applications must make policy and authorization decisions. Using OPA with multi-tenant SaaS applications introduces additional design criteria so that key SaaS best practices, above all tenant isolation, are preserved in the way OPA is deployed and used. These criteria include OPA deployment patterns, tenant isolation and the OPA document model, and tenant onboarding. Each of these affects the optimal design for OPA in a multi-tenant application.

Although the discussion in this section focuses on OPA, the general concepts are rooted in the tenant isolation mindset and the guidance that mindset provides. SaaS applications must always treat tenant isolation as part of their design, and that principle extends to how OPA is incorporated into a SaaS application. Used appropriately, OPA can be a key part of how isolation is enforced in SaaS applications. This section also references the core SaaS isolation models, the siloed SaaS model and the pooled SaaS model. For additional information, see the core isolation concepts in the AWS Well-Architected Framework, SaaS Lens.
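To make the enforcement role concrete, the following Rego policy is an added illustration and is not code from this guide or from the OPA project. It assumes the application has already validated the caller's JWT and passes its claims to OPA as `input.token`, that the resource being accessed carries the owning tenant's ID as `input.resource.tenant_id`, and that per-tenant role definitions are loaded into OPA under `data.tenants`. All of these names, and the sample data, are assumptions made for this example.

```rego
package saas.authz

# Requires OPA 0.59 or later (or OPA 1.x); enables the `if` / `in` keywords.
import rego.v1

# Deny by default: any request the rules below do not explicitly allow is rejected.
default allow := false

# The tenant isolation check. The tenant asserted in the caller's verified
# token must be the tenant that owns the resource. Comparing the two
# tenant IDs is what prevents a user of one tenant from reaching another
# tenant's data, even when resources for all tenants share one pool.
allow if {
    same_tenant
    role_permits_action
}

same_tenant if {
    input.token.tenant_id == input.resource.tenant_id
}

# Role-based check scoped to the caller's own tenant: roles are looked up
# only in that tenant's namespace of the data document, so one tenant's
# role definitions can never grant access inside another tenant.
role_permits_action if {
    some role in input.token.roles
    input.action in data.tenants[input.token.tenant_id].roles[role]
}

# Assumed data document (would be loaded as data.json):
# {
#   "tenants": {
#     "tenant-a": {"roles": {"admin": ["read", "write"], "viewer": ["read"]}},
#     "tenant-b": {"roles": {"admin": ["read", "write"]}}
#   }
# }
#
# Assumed input (input.json) for a cross-tenant request that must be denied:
# {
#   "token":    {"sub": "alice", "tenant_id": "tenant-a", "roles": ["admin"]},
#   "resource": {"id": "order-42", "tenant_id": "tenant-b"},
#   "action":   "read"
# }
```

With the policy saved as policy.rego and the two JSON documents above as data.json and input.json, `opa eval -d policy.rego -d data.json -i input.json 'data.saas.authz.allow'` evaluates to `false` for the cross-tenant input; changing the resource's `tenant_id` to `tenant-a` makes it `true`. The important design choice is that the tenant ID comes from the verified token, never from a caller-supplied request field, because any value the caller can set freely defeats the isolation check.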