Skip to content

Multi-Tenant Architecture

Hierarchical tenant isolation with Row-Level Security.

Tenant Hierarchy

Kanoniv supports a multi-tier tenant structure:

Platform Owner
    └── Organization (Tenant)
            └── Line of Business (Sub-tenant)
                    └── Environment (Sub-sub-tenant)

Use Cases

  • SaaS Provider: Each customer is an Organization
  • Large org: Each department is a Line of Business
  • Multi-environment: Separate prod/staging/dev per tenant

Configuration

Tenants can have a parent relationship:

json
{
  "id": "tenant_sales",
  "name": "Sales Division",
  "parent_id": "tenant_acme",
  "settings": {
    "match_threshold": 0.85,
    "timezone": "America/New_York"
  }
}

Row-Level Security

Data isolation is enforced at the database level using PostgreSQL RLS.

Policy Implementation

sql
CREATE POLICY tenant_isolation ON canonical_entities
    USING (tenant_id IN (SELECT get_tenant_hierarchy(current_tenant_id())));

Hierarchy Function

sql
CREATE FUNCTION get_tenant_hierarchy(tenant_id UUID)
RETURNS TABLE(id UUID) AS $$
    WITH RECURSIVE hierarchy AS (
        SELECT id FROM tenants WHERE id = tenant_id
        UNION
        SELECT t.id FROM tenants t
        JOIN hierarchy h ON t.parent_id = h.id
    )
    SELECT id FROM hierarchy;
$$ LANGUAGE SQL SECURITY DEFINER;

What This Means

  • Parent tenants can see their own data + all child tenant data
  • Child tenants can ONLY see their own data
  • No tenant can see sibling tenant data

Access Patterns

Parent Reads Child

An admin in tenant_acme can query all entities across:

  • tenant_acme (self)
  • tenant_sales (child)
  • tenant_support (child)

Child Isolation

An admin in tenant_sales can ONLY query:

  • tenant_sales (self)

API Tenant Context

The tenant context is set from the JWT claims:

json
{
  "tenant_id": "tenant_sales",
  "role": "admin"
}

All API queries are automatically scoped to this tenant and its children.

Cross-Tenant Queries (Platform Admin Only)

Platform administrators can query across all tenants:

python
from kanoniv.client import KanonivClient

# Platform admin can query across all tenants
client = KanonivClient(api_key="kn_platform_admin_key")
# Cross-tenant queries use the admin API
bash
curl "https://api.kanoniv.com/v1/admin/entities?all_tenants=true" \
  -H "X-API-Key: kn_..."

This is audited and restricted to the platform_admin role.

Settings Inheritance

Child tenants can inherit settings from parents:

SettingInheritance
Match thresholdsInheritable
Survivorship policyInheritable
Retention policiesMust be set per-tenant
SSO configurationPer-tenant only
json
{
  "id": "tenant_sales",
  "settings": {
    "inherit_from_parent": ["match_threshold", "survivorship_policy"],
    "timezone": "Europe/London"
  }
}

The identity and delegation layer for AI agents.