
Cross-Tenant Access Governance

Summary

Keymate provides a Permission Gateway that resolves organizational context and evaluates resource-level permissions across Tenant boundaries. When a user requests access to a resource — including shared or cross-Tenant resources — the gateway resolves the user's organizational context from their session, evaluates the requested resource and scope against applicable policies, and returns a grant or deny decision.

Why It Exists

Most authorization decisions occur within a single Tenant's boundary. However, certain scenarios require permission evaluation that crosses Tenant boundaries: shared platform resources, cross-organization collaboration, and centralized services that serve multiple Tenants. The Permission Gateway provides a dedicated evaluation path for these scenarios, considering the user's organizational context alongside resource-level permissions.

Where It Fits in Keymate

Cross-Tenant access governance sits at the intersection of the Organization Model and the Authorization system. The Permission Gateway consumes organizational context from Org-Aware Tokens & Sessions and applies evaluation logic similar to the Policy Evaluation Model, but with awareness of organizational boundaries.

Boundaries

What this concept covers:

  • The Permission Gateway as a capability for cross-Tenant permission evaluation
  • Organizational context resolution from session tickets
  • Resource and scope evaluation across Tenant boundaries
  • Grant/deny decision flow

What this concept does not cover:

How It Works

Permission Evaluation Request

Applications submit permission evaluation requests to the Permission Gateway. Each request specifies the resource identifiers and scopes that the user needs access to. The gateway processes these requests in the context of the user's current organizational state.

Organizational Context Resolution

The Permission Gateway resolves the user's organizational context from their session ticket. This context includes the user's active Tenant, department, and the effective roles from the Delegated Administration hierarchy. The gateway uses this context as input to the evaluation process.

Resource and Scope Evaluation

The gateway evaluates each requested resource and scope against applicable policies. The evaluation considers:

  • The user's organizational roles (Tenant-level, department-level, and user-assignment-level)
  • The resource's ownership and accessibility rules
  • Contextual attributes from the user's session

Decision Response

The gateway returns a per-resource, per-scope decision — grant or deny — for each requested combination. Applications use these decisions to enforce access at the resource level.

Diagram

Example Scenario

Scenario

A user from Acme Corp requests access to a shared reporting resource that serves multiple Tenants.

Input

  • Actor: Jane Doe (user@example.com), authenticated with an Acme Corp Engineering department context
  • Resource: shared-reporting with scope view-reports
  • Action: Permission evaluation via the Permission Gateway
  • Context: Jane holds an Engineering department assignment with the analyst role

Expected Outcome

  • Result: Grant — Jane can view reports in the shared reporting resource
  • Why: The Permission Gateway resolved Jane's organizational context (Acme Corp, Engineering, analyst role), evaluated the shared-reporting:view-reports combination against applicable policies, and determined that the analyst role grants view access to the shared resource.
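The evaluation flow described under How It Works, carried through for Jane's scenario, as an added Python example; it is not Keymate's code, and the session-ticket fields, the policy table format and the function names are assumptions.

```python
from dataclasses import dataclass

# Constructed policy table (hypothetical format): each (resource, scope) pair
# lists the roles allowed and the Tenants it is reachable from; "*" marks a
# shared resource that serves multiple Tenants.
POLICIES = {
    ("shared-reporting", "view-reports"): {"roles": {"analyst", "manager"}, "tenants": {"*"}},
    ("shared-reporting", "export-reports"): {"roles": {"manager"}, "tenants": {"*"}},
    ("acme-payroll", "view"): {"roles": {"hr"}, "tenants": {"acme"}},
}

@dataclass(frozen=True)
class OrgContext:
    tenant: str
    department: str
    roles: frozenset

def resolve_org_context(session_ticket: dict) -> OrgContext:
    """Resolve organizational context from a session ticket (constructed shape).
    Effective roles are the union of Tenant-, department- and user-level roles."""
    roles = set(session_ticket.get("tenant_roles", []))
    roles |= set(session_ticket.get("department_roles", []))
    roles |= set(session_ticket.get("user_roles", []))
    return OrgContext(session_ticket["tenant"], session_ticket["department"], frozenset(roles))

def evaluate(ctx: OrgContext, requests: list) -> dict:
    """Return a per-resource, per-scope 'grant'/'deny' decision.
    Deny by default: a combination without an explicit policy is never granted."""
    decisions = {}
    for resource, scope in requests:
        policy = POLICIES.get((resource, scope))
        if policy is None:
            decisions[(resource, scope)] = "deny"
            continue
        tenant_ok = "*" in policy["tenants"] or ctx.tenant in policy["tenants"]
        role_ok = bool(ctx.roles & policy["roles"])
        decisions[(resource, scope)] = "grant" if tenant_ok and role_ok else "deny"
    return decisions

# Constructed session ticket for the page's scenario: Jane, Acme Corp, Engineering, analyst
JANE_TICKET = {"subject": "user@example.com", "tenant": "acme",
               "department": "engineering", "department_roles": ["analyst"]}

if __name__ == "__main__":
    ctx = resolve_org_context(JANE_TICKET)
    for key, decision in evaluate(ctx, [("shared-reporting", "view-reports"),
                                        ("shared-reporting", "export-reports"),
                                        ("acme-payroll", "view")]).items():
        print(key, decision)
```

The shared resource is granted only for the scope the analyst role covers; the other Tenant-scoped resource is denied even though the same session is used.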

Common Misunderstandings

  • "Cross-Tenant access means unrestricted access between Tenants." — No. Cross-Tenant access is governed by the same policy evaluation that applies to single-Tenant access. The Permission Gateway evaluates specific resource-scope combinations against policies, considering the user's organizational context.
  • "The Permission Gateway replaces Tenant isolation." — Tenant isolation remains the default. The Permission Gateway enables controlled access to shared resources where cross-Tenant evaluation is required.
  • "All resources must go through the Permission Gateway." — The Permission Gateway serves scenarios that require organizational context resolution and cross-Tenant evaluation. Standard within-Tenant authorization uses the regular Policy Evaluation Model.

Warning: The Permission Gateway evaluates permissions at the resource and scope level. It does not grant blanket cross-Tenant access. Each resource-scope combination requires an explicit policy that considers the user's organizational context.

Design Notes / Best Practices

  • Use the Permission Gateway for shared resources that serve multiple Tenants. Keep single-Tenant authorization on the standard evaluation path.
  • Define resource-level policies that explicitly consider organizational attributes when granting cross-Tenant access.
  • Monitor cross-Tenant permission evaluations to detect unexpected access patterns across organizational boundaries.

Tip: Combine the Permission Gateway with Org-Aware Tokens & Sessions to ensure the user's organizational context is always current when evaluating cross-Tenant permissions.

  • Evaluating permissions for a shared reporting resource accessed by users from multiple Tenants
  • Building a centralized platform service that serves cross-Tenant requests with org-aware authorization
  • Monitoring cross-Tenant access patterns for compliance and anomaly detection
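One way to act on the monitoring best practice above and on the last use case, as an added Python example that is not part of Keymate: it runs over constructed gateway decision log lines (the JSON field names are assumptions) and flags grants on resources owned by another Tenant, plus subjects that fan out into more foreign Tenants than a threshold.

```python
import json

# Constructed Permission Gateway decision log (hypothetical JSON line format,
# not Keymate's). resource_tenant is the owning Tenant, or "*" for a shared resource.
LOG_LINES = [
    '{"subject":"user@example.com","tenant":"acme","resource":"shared-reporting","scope":"view-reports","resource_tenant":"*","decision":"grant"}',
    '{"subject":"user@example.com","tenant":"acme","resource":"globex-billing","scope":"read","resource_tenant":"globex","decision":"deny"}',
    '{"subject":"svc@example.com","tenant":"acme","resource":"globex-billing","scope":"read","resource_tenant":"globex","decision":"grant"}',
    '{"subject":"svc@example.com","tenant":"acme","resource":"globex-hr","scope":"read","resource_tenant":"globex","decision":"grant"}',
    '{"subject":"svc@example.com","tenant":"acme","resource":"initech-crm","scope":"read","resource_tenant":"initech","decision":"grant"}',
]

def is_cross_tenant(event: dict) -> bool:
    """True when the resource belongs to a Tenant other than the user's own.
    Shared resources ("*") are the expected cross-Tenant path and are not flagged."""
    return event["resource_tenant"] not in ("*", event["tenant"])

def find_anomalies(lines, max_foreign_tenants: int = 1):
    """Return (foreign_grants, fan_out): grants on another Tenant's own resource,
    and subjects granted into more distinct foreign Tenants than the threshold."""
    events = [json.loads(line) for line in lines]
    foreign_grants = [e for e in events if e["decision"] == "grant" and is_cross_tenant(e)]
    tenants_per_subject = {}
    for e in foreign_grants:
        tenants_per_subject.setdefault(e["subject"], set()).add(e["resource_tenant"])
    fan_out = {s: t for s, t in tenants_per_subject.items() if len(t) > max_foreign_tenants}
    return foreign_grants, fan_out

if __name__ == "__main__":
    grants, fan_out = find_anomalies(LOG_LINES)
    for e in grants:
        print("cross-tenant grant:", e["subject"], "->", e["resource"], e["scope"])
    for subject, tenants in fan_out.items():
        print("fan-out:", subject, "reached", sorted(tenants))
```

Jane's grant on the shared resource is not flagged, while the service account's grants into two other Tenants' own resources are reported both individually and as a fan-out.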