Editorials

Multi-tenant Application Data Separation

Recently we talked about authentication as a central building block of a multi-tenant application service. Another aspect of a multi-tenant application architecture is the separation of data. Once we authenticate the client's credentials, we must then ensure they view only the data to which they are entitled.

Some data can be shared across tenants when it is common to more than one. Other data is specific to a single tenant, and must be isolated from all other clients of the system.

Different forms of persistence call for different techniques for isolating data. For relational databases such as SQL Server, you could segregate data at many levels. Database separation can be used, and may be required in some situations. Schema separation allows multiple tenants in a single database with common table names. Vertical or horizontal partitioning of tables may also be used, where tenants are isolated by data attributes stored in one or more tables.
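One way to enforce the horizontal-partitioning option in the database itself is SQL Server row-level security (SQL Server 2016 and later). This is an added example, not part of the original editorial; the Security schema, the dbo.Orders table, the predicate function name and the TenantId session key are hypothetical names chosen for illustration.

```sql
-- Added example: all object names and the sample tenant ids are hypothetical.
CREATE SCHEMA Security;
GO

-- Shared table, horizontally partitioned by a tenant attribute.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY(1,1) PRIMARY KEY,
    TenantId INT NOT NULL,
    Item     NVARCHAR(100) NOT NULL
);
GO

-- Predicate: a row qualifies only when its TenantId equals the value the
-- application stored in the session after authenticating the client.
-- If the session value was never set, the comparison is NULL and no row
-- qualifies, so the policy fails closed.
CREATE FUNCTION Security.fn_TenantPredicate (@TenantId INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO

-- FILTER hides other tenants' rows from SELECT, UPDATE and DELETE.
-- BLOCK rejects writes that would leave a row owned by another tenant.
CREATE SECURITY POLICY Security.TenantIsolation
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
    ADD BLOCK PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
WITH (STATE = ON);
GO

-- The application sets the tenant once per connection, right after
-- authentication. @read_only = 1 prevents later code on the same
-- connection from switching tenants.
EXEC sp_set_session_context @key = N'TenantId', @value = 42, @read_only = 1;

INSERT INTO dbo.Orders (TenantId, Item) VALUES (42, N'widget'); -- allowed
SELECT OrderId, TenantId, Item FROM dbo.Orders;                 -- tenant 42 rows only
INSERT INTO dbo.Orders (TenantId, Item) VALUES (7, N'widget');  -- rejected by the block predicate
```

Because the filter lives in the database, a query that forgets its `WHERE TenantId = ...` clause still returns only the current tenant's rows.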

Other storage techniques may be used to isolate tenants. Including a client identifier as part of the key or partition for NoSQL storage allows data to be isolated readily.

Share your experience working with multi-tenant applications. How have you isolated data to meet the requirements of your customers and certification authorities? Leave a note online, or drop me an email at btaylor@sswug.org.

Cheers,

Ben