TL;DR: B2B SaaS permission models fail when global role lists grow faster than tenant-specific needs, creating role explosion and overbroad access, according to WorkOS’s analysis of Slack, Notion, and Linear. The governing principle is to keep the global model simple and push variation to the tenant boundary, where scoped delegation is actually controllable.
NHIMG editorial — based on content published by WorkOS: Multi-tenant permissions done right: What Slack, Notion, and Linear can teach us
Questions worth separating out
Q: How should teams prevent role explosion in multi-tenant applications?
A: Start with a small set of reusable permission primitives, then scope custom roles to the tenant, workspace, or team that owns the access decision.
Q: Why do tenant-scoped roles work better than one global role catalogue?
A: Tenant-scoped roles keep exceptions local.
Q: How do SCIM and SSO mappings affect multi-tenant access governance?
A: They automate entitlement assignment, which is useful only if the upstream directory groups are well designed.
Practitioner guidance
- Inventory role explosion hotspots: Map every global role that exists for a single customer or team, then identify which permission atoms could be moved into tenant-scoped roles instead of remaining globally visible.
- Define the smallest durable boundary: Choose the authorization boundary that actually owns the risk, such as tenant, workspace, teamspace, or team, and make that boundary the unit for delegated access.
- Separate permission primitives from assignment logic: Keep permission atoms reusable, then build tenant-specific roles from those atoms so custom access does not contaminate the global model.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how Slack, Notion, and Linear structure roles at workspace, teamspace, and team boundaries.
- Implementation guidance for organization roles and the Organization Roles API, including how tenant defaults and priorities work.
- Practical role-mapping workflows for SCIM directories and SSO group attributes in enterprise setups.
- Admin Portal delegation patterns that let customer IT admins manage role assignment without vendor intervention.
👉 Read WorkOS's analysis of scoped roles and IdP syncing for multi-tenant apps →
Scoped roles and tenant permissions: what IAM teams should copy?
Explore further
Scoped roles are the real control, not role count. The article shows that the failure mode is not “too many roles” in the abstract. The failure is a globally shared role model that cannot contain tenant-specific exceptions without widening blast radius. That is the same structural issue IAM teams see when entitlement design cannot absorb variance cleanly. The practitioner conclusion is to govern scope first, then role naming.
A few things that frame the scale:
- 4.6% of all public GitHub repositories contain at least one hardcoded secret, according to The State of Secrets Sprawl 2025.
- 15% of commit authors have leaked at least one secret in their contribution history, which shows that access governance fails when human process and technical controls drift apart.
A question worth separating out:
Q: What is the difference between global roles and scoped delegation?
A: Global roles apply everywhere, while scoped delegation limits the same authority to a defined boundary such as one tenant, workspace, or team. Scoped delegation is safer in multi-tenant systems because it reduces accidental overreach and makes each grant easier to reason about during review or incident response.
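The practitioner guidance above (reusable atoms, a boundary that owns the risk, assignment logic kept out of the global model) and this global-versus-scoped contrast can be expressed in a small authorization model. This is an added example, not code from WorkOS or from the Slack, Notion or Linear implementations; the atom names, role names and tenant ids are constructed for illustration.

```python
from dataclasses import dataclass, field

# The global model: a small, stable set of reusable permission atoms.
PERMISSION_ATOMS = frozenset({"issue:read", "issue:write", "issue:delete",
                              "member:invite", "billing:manage"})

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    tenant: str = "global"  # "global" = vendor-defined; otherwise the owning tenant id
    def __post_init__(self):  # roles are composed only from the atoms, never new strings
        unknown = self.permissions - PERMISSION_ATOMS
        if unknown:
            raise ValueError(f"role {self.name!r} uses unknown atoms: {sorted(unknown)}")

# Deliberately tiny global catalogue; customer-specific variation lives per tenant.
GLOBAL_ROLES = {
    "member": Role("member", frozenset({"issue:read", "issue:write"})),
    "admin": Role("admin", PERMISSION_ATOMS),
}

@dataclass
class Tenant:
    tenant_id: str
    roles: dict = field(default_factory=dict)        # custom roles scoped to this tenant
    assignments: dict = field(default_factory=dict)  # user_id -> set of role names

    def define_role(self, name, atoms):
        if name in GLOBAL_ROLES:
            raise ValueError(f"{name!r} would shadow a global role")
        self.roles[name] = Role(name, frozenset(atoms), tenant=self.tenant_id)
    def visible_roles(self):  # only global roles and this tenant's own are assignable here
        return set(GLOBAL_ROLES) | set(self.roles)
    def assign(self, user_id, role_name):
        if role_name not in self.visible_roles():
            raise KeyError(f"role {role_name!r} is not visible in tenant {self.tenant_id}")
        self.assignments.setdefault(user_id, set()).add(role_name)
    def effective_permissions(self, user_id):
        perms = set()
        for name in self.assignments.get(user_id, ()):
            perms |= (self.roles.get(name) or GLOBAL_ROLES[name]).permissions
        return perms

def is_allowed(tenant, user_id, permission, resource_tenant_id):
    # Deny by default; a grant made inside one tenant never reaches another tenant's resources.
    if resource_tenant_id != tenant.tenant_id:
        return False
    return permission in tenant.effective_permissions(user_id)
```

A custom role defined in one tenant is invisible to every other tenant, so the exception stays local while the global catalogue never grows.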
👉 Read our full editorial: Multi-tenant permissions need scoped roles, not global role sprawl