Multi-tenant isolation

ERPly Pro runs as a multi-tenant SaaS with strict isolation by tenantId at every layer.

Isolation layers

  1. Cognito — one User Pool per environment (sandbox/staging/prod). Each user carries the tenant_id claim.
  2. Lambda authorizer — validates the JWT, extracts tenant_id, and compares it against the X-Tenant-Id header. Any mismatch → 403.
  3. DynamoDB — every table uses PK = tenant#<tenantId> as a prefix, and the clients (TenantBoundDynamoClient) inject the filter automatically.
  4. Secrets Manager — PFX files and passphrases are stored under erplypro/<env>/tenants/<tenantId>/p12. The Lambda's IAM policy only allows the pattern erplypro/<env>/tenants/${aws:PrincipalTag/tenantId}/* via session tags.
  5. Logs — Powertools Logger injects tenantId and correlationId into every line for audit.

Controlled bypass

Administrative components (archival cron, global metrics) use TenantBypassDeniedError as a guard: the only way to pass tenant_id=None is via an explicit flag (reason="archive-sweep"), which is recorded in the logs.
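The authorizer comparison from layer 2 and the tenant-bound client with its controlled bypass, as an added Python example rather than ERPly Pro's own code. The function name authorize, the method names put_item and query with its reason keyword, and the in-memory rows dict standing in for a DynamoDB table are assumptions; JWT signature verification is assumed to have happened before authorize is called.

```python
from __future__ import annotations
import logging
from typing import Any, Optional

log = logging.getLogger("erplypro.tenant")


class TenantBypassDeniedError(Exception):
    """Raised when tenant_id=None is used without an explicit, logged bypass reason."""


def authorize(claims: dict[str, Any], headers: dict[str, str]) -> dict[str, Any]:
    """Authorizer step: the tenant_id claim of the already-verified JWT must equal X-Tenant-Id."""
    claim_tenant = claims.get("tenant_id")
    # HTTP header names are case-insensitive, so normalise before the lookup.
    header_tenant = {k.lower(): v for k, v in headers.items()}.get("x-tenant-id")
    if not claim_tenant or claim_tenant != header_tenant:
        log.warning("tenant mismatch", extra={"claim": claim_tenant, "header": header_tenant})
        return {"statusCode": 403, "tenantId": None}
    return {"statusCode": 200, "tenantId": claim_tenant}


class TenantBoundDynamoClient:
    """Assumed shape of the client: every partition key is prefixed with tenant#<tenantId>.
    self.rows is a constructed in-memory stand-in for a DynamoDB table, keyed by (PK, SK)."""

    def __init__(self) -> None:
        self.rows: dict[tuple[str, str], dict[str, Any]] = {}

    @staticmethod
    def _pk(tenant_id: str) -> str:
        return f"tenant#{tenant_id}"

    def put_item(self, tenant_id: str, sk: str, item: dict[str, Any]) -> None:
        self.rows[(self._pk(tenant_id), sk)] = item

    def query(self, tenant_id: Optional[str], *, reason: Optional[str] = None) -> list[dict[str, Any]]:
        if tenant_id is None:
            # Controlled bypass: a cross-tenant read needs an explicit reason, which is logged.
            if not reason:
                raise TenantBypassDeniedError("tenant_id=None requires an explicit reason")
            log.warning("tenant bypass", extra={"reason": reason})
            return list(self.rows.values())
        pk = self._pk(tenant_id)
        # The prefix filter is injected here, so callers cannot forget it.
        return [item for (row_pk, _), item in self.rows.items() if row_pk == pk]
```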

More detail in US-EP-04 (DynamoDB + Secrets) and US-EP-03 (Cognito + authorizer).