TL;DR: Multi-tenant SaaS authorization needs hierarchical scopes, role policies, and scoped resource policies to keep tenant data isolated while still allowing tenant-specific role customisation and auditable access decisions, according to Cerbos. The key issue is not just control design, but whether platform guardrails can survive tenant-level flexibility without creating cross-tenant exposure.
NHIMG editorial — based on content published by Cerbos: multi-tenancy in SaaS applications with scoped resource policies and role policies
Questions worth separating out
Q: How should teams design multi-tenant authorization so tenant data stays isolated?
A: Start with explicit tenant boundaries in policy data, then require principal and resource tenant matching before any allow can resolve.
Q: When does tenant-specific role customisation become a security problem?
A: It becomes a problem when the tenant role can exceed the platform's intended maximum privilege or when inheritance is not constrained by a clear parent role.
Q: What breaks when scoped resource policies can override parent scope rules freely?
A: Free override lets local policy become the source of truth for access, which can create privileges the platform never intended to permit.
Practitioner guidance
- Define tenant-match conditions as a hard gate: require every tenant-scoped allow to prove that principal and resource share the same tenantId before the decision can resolve to allow.
- Set platform-wide maximum roles first: create parent roles that represent the highest permissible access, then let tenant-specific roles narrow those capabilities without introducing new action paths.
- Use parental-consent modes for delegated policy: choose a scope permission mode that forces child-scope allows to remain inside parent scope boundaries when tenants can author local resource rules.
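The three guardrails above, folded into one decision function over constructed tenant, role and rule data. This is an added illustrative model written for this post, not Cerbos's evaluation engine or the policy YAML from the full guide; the names (`ROLE_CEILING`, `TENANT_ROLES`, `RULES`, `decide`) and the allow-only rule shape are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    tenant_id: str
    roles: frozenset

@dataclass(frozen=True)
class Resource:
    tenant_id: str

# Platform-wide parent roles and the maximum actions each may ever carry (constructed).
ROLE_CEILING = {"hr": {"view", "approve"}, "employee": {"view"}}

# Tenant-authored roles: (tenant, role) -> (parent role, requested actions). Constructed.
TENANT_ROLES = {
    ("acme", "acme_hr"): ("hr", {"view"}),                         # narrows hr
    ("acme", "acme_approver"): ("employee", {"view", "approve"}),  # tries to widen
}

# Scoped resource rules: scope -> {action: roles allowed}. "" is the root scope.
RULES = {
    "": {"view": {"employee", "hr"}, "approve": {"hr"}},
    "acme": {"approve": {"employee"}},  # tenant-local rule that widens "approve"
}

def scope_allows(scope, roles, action):
    return bool(RULES.get(scope, {}).get(action, set()) & roles)

def decide(principal, resource, action, parental_consent=True):
    # Gate 1: principal and resource must share a tenant before anything else.
    if principal.tenant_id != resource.tenant_id:
        return "deny"
    # Gate 2: a tenant role resolves to its parent, clamped to the parent's ceiling.
    roles = set()
    for role in principal.roles:
        if role in ROLE_CEILING:          # platform role: resource rules decide
            roles.add(role)
            continue
        parent, wanted = TENANT_ROLES.get((principal.tenant_id, role), (None, set()))
        if parent and action in (wanted & ROLE_CEILING[parent]):
            roles.add(parent)             # never wider than the parent role
    if not roles:
        return "deny"
    # Gate 3: scope chain. Under parental consent a child-scope allow only counts
    # when the root scope also allows; under override the child rule wins.
    child = scope_allows(principal.tenant_id, roles, action)
    root = scope_allows("", roles, action)
    if parental_consent:
        return "allow" if root else "deny"
    return "allow" if (child or root) else "deny"
```

Run `decide(Principal("acme", frozenset({"employee"})), Resource("acme"), "approve", parental_consent=False)` to see the tenant-local widening rule take effect, and the same call with the default mode to see it blocked.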
What's in the full article
Cerbos's full guide covers the implementation detail this post intentionally leaves for the source:
- Complete YAML examples for root, scoped role, and scoped resource policies
- Step-by-step evaluation flow showing how scope matching and inheritance produce a final decision
- Concrete examples of tenant-specific HR policies for leave requests and salary records
- The exact behaviour of scope permission modes when child and parent scopes disagree
Read Cerbos's guide to multi-tenant access control with scope permissions: Multi-tenant access control in SaaS: are scope permissions enough?