PMFA
006

Multi-Tenancy Without RLS Is Theater

Shared databases with tenant IDs are not isolation. They are a single breach away from catastrophe.
Version 1.0.0 — Ratified

Multi-tenancy is not a feature.
Multi-tenancy is an isolation requirement.

Without Row-Level Security, multi-tenancy is theater.

I. The Multi-Tenancy Promise

Multi-tenancy promises:

These benefits are real.
They are also dangerous without proper isolation.

II. The Common Implementation

Most multi-tenant systems implement isolation through tenant IDs.

Every table has a tenant_id column.
Every query includes WHERE tenant_id = ?.

This is not isolation.
This is convention.

III. Convention Is Not Security

Convention relies on:

Convention fails at scale.
Convention fails under pressure.
Convention fails eventually.

When convention fails, data crosses tenant boundaries.

IV. The Breach Scenario

A single missing WHERE clause.
A single debugging session with elevated access.
A single migration script without the filter.

One tenant sees another tenant’s data.

The breach may be:

But it happened.
The isolation promise is broken.

V. Row-Level Security

Row-Level Security (RLS) enforces isolation at the database level.

With RLS:

RLS is not optional.
It is the minimum requirement for real isolation.
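An added illustration, not part of the manifesto's canonical text: the tenant-ID convention of section II beside a PostgreSQL Row-Level Security policy that enforces the same boundary inside the database. The table, role and setting names (documents, app_user, app.current_tenant) and the tenant UUIDs are assumed for the example.

```sql
-- Added example: PostgreSQL row-level security on a shared multi-tenant table.
-- Table, role, setting name and tenant ids are constructed for illustration.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text
);

-- The convention (section II): every query is expected to carry this filter.
--   SELECT * FROM documents WHERE tenant_id = $1;
-- Nothing in the database checks that it does.

-- The enforcement (section V): the tenant comes from a session setting that the
-- application sets once per request; the database applies the policy to every
-- statement on the table, including the ones that forget the WHERE clause.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;   -- policy applies to the table owner as well

CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = current_setting('app.current_tenant')::uuid)   -- rows that can be read
    WITH CHECK (tenant_id = current_setting('app.current_tenant')::uuid);  -- rows that can be written

-- A dedicated, non-superuser role for the application. Superusers and roles
-- marked BYPASSRLS skip policies entirely, so the application must not use one.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

-- Per request, inside the application's transaction:
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id

-- The "single missing WHERE clause" of section IV:
SELECT id, title FROM documents;   -- returns only rows whose tenant_id matches the session's tenant

-- A migration or bug that writes a row for another tenant:
INSERT INTO documents (tenant_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'misfiled');
-- ERROR: new row violates row-level security policy for table "documents"
COMMIT;
```

Two properties of this setup matter in practice. If a request never sets app.current_tenant, current_setting raises an error rather than returning a default, so an unscoped session fails closed instead of seeing everything. And the guarantee holds only for connections that run as app_user: a debugging session or migration run as the table owner without FORCE, or as a superuser, is back to convention.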

VI. Beyond RLS

True isolation may require:

The choice depends on:

More separation means more isolation.
More isolation means more trust.

VII. Final Conclusion

Multi-tenancy without RLS is theater.
It creates the appearance of isolation.
It does not create isolation.

When isolation fails:

The cost of proper isolation is known and budgetable.
The cost of a breach is unknown and unbounded.

Choose isolation.
Not convention.

Canonical text. Interpretations are invalid.
SHA-256: c3d4f2b6541400cdf9d903098d868441e1c4e224ab5c205c9661da5fda7ee5e9