Multi-Tenancy
Overview
Section titled “Overview”Greentic is designed from the ground up for multi-tenant deployments. Every aspect of the platform supports tenant isolation, allowing a single deployment to serve multiple organizations securely.
Tenant Hierarchy
Section titled “Tenant Hierarchy”Workspace└── Tenant (organization) └── Environment (prod, staging, dev) └── Team (department, group) └── Channel (messaging provider instance) └── Session (user conversation)TenantCtx
Section titled “TenantCtx”The TenantCtx struct flows through all operations:
pub struct TenantCtx { pub tenant_id: String, pub env_id: String, pub team_id: Option<String>,}Every API call, flow execution, and data access is scoped to a TenantCtx.
Configuration
Section titled “Configuration”Tenant Definition
Section titled “Tenant Definition”tenant: id: acme name: "ACME Corporation" settings: timezone: "America/New_York" language: "en-US"
environments: - id: prod name: "Production" - id: staging name: "Staging"Team Definition
Section titled “Team Definition”team: id: support name: "Customer Support" tenant_id: acme
channels: slack: provider: messaging-slack config: workspace_id: "T123456" channel_id: "C789012"
telegram: provider: messaging-telegram config: chat_id: "-1001234567890"Bundle Configuration
Section titled “Bundle Configuration”tenants: acme: name: "ACME Corporation" teams: support: name: "Customer Support" channels: slack: provider: messaging-slack telegram: provider: messaging-telegram
sales: name: "Sales Team" channels: teams: provider: messaging-teams
bigcorp: name: "BigCorp Inc." teams: helpdesk: channels: webchat: provider: messaging-webchatData Isolation
Section titled “Data Isolation”Session Storage
Section titled “Session Storage”Sessions are isolated by tenant context:
sessions/├── acme/│ ├── prod/│ │ ├── support/│ │ │ ├── session_001.cbor│ │ │ └── session_002.cbor│ │ └── sales/│ │ └── session_003.cbor│ └── staging/│ └── support/│ └── session_004.cbor└── bigcorp/ └── prod/ └── helpdesk/ └── session_005.cborState Isolation
Section titled “State Isolation”Working memory (state) is scoped per session:
// State key formatlet key = format!( "state:{}:{}:{}:{}", tenant_ctx.tenant_id, tenant_ctx.env_id, tenant_ctx.team_id.unwrap_or("default"), session_id);NATS Subject Isolation
Section titled “NATS Subject Isolation”Message routing uses tenant-scoped subjects:
greentic.messaging.ingress.{env}.{tenant}.{team}.{channel} │ │ │ │ │ │ │ └─ Channel ID (slack, telegram) │ │ └──────── Team ID │ └─────────────── Tenant ID └────────────────────── Environment (prod, staging)Secret Isolation
Section titled “Secret Isolation”Secrets are stored and retrieved with tenant scope:
// Secret retrieval includes tenant contextlet secret = secrets_client .get_secret(&tenant_ctx, "api_key") .await?;Secret Namespacing
Section titled “Secret Namespacing”secrets/├── global/ # Platform-wide secrets│ └── signing_key├── acme/ # Tenant: ACME│ ├── slack_bot_token│ ├── openai_api_key│ └── teams/│ └── support/│ └── webhook_secret└── bigcorp/ # Tenant: BigCorp └── telegram_bot_tokenFlow Isolation
Section titled “Flow Isolation”Each tenant can have different flows and configurations:
name: acme_support_flowversion: "1.0"
# ACME-specific support flownodes: - id: greet type: reply config: message: "Welcome to ACME Support! How can I help?"name: bigcorp_helpdesk_flowversion: "1.0"
# BigCorp-specific helpdesk flownodes: - id: greet type: reply config: message: "BigCorp Helpdesk here. What's your issue?"Access Control
Section titled “Access Control”Component Access
Section titled “Component Access”Components receive TenantCtx and must respect boundaries:
impl Guest for MyComponent { fn process(input: Input, ctx: &TenantCtx) -> Output { // Verify tenant has access to requested resource if !has_permission(ctx, &input.resource_id) { return Output::error("Access denied"); }
// Process with tenant scope process_for_tenant(ctx, input) }}API Access
Section titled “API Access”REST API enforces tenant scope:
GET /api/v1/sessionsAuthorization: Bearer <token>X-Tenant-ID: acmeX-Team-ID: supportDeployment Models
Section titled “Deployment Models”Single-Tenant
Section titled “Single-Tenant”One Greentic instance per tenant:
┌─────────────────┐│ Greentic (ACME) │└─────────────────┘
┌─────────────────┐│ Greentic (BigCorp)│└─────────────────┘Multi-Tenant Shared
Section titled “Multi-Tenant Shared”Multiple tenants on shared infrastructure:
┌───────────────────────────────────┐│ Greentic Instance ││ ┌─────────┐ ┌─────────────────┐││ │ ACME │ │ BigCorp │││ │ (prod) │ │ (prod) │││ └─────────┘ └─────────────────┘││ ┌─────────┐ ┌─────────────────┐││ │ ACME │ │ BigCorp │││ │(staging)│ │ (staging) │││ └─────────┘ └─────────────────┘│└───────────────────────────────────┘Hybrid
Section titled “Hybrid”Mix of dedicated and shared resources:
┌───────────────────────────────────┐│ Shared Greentic Instance ││ ┌─────────┐ ┌─────────────────┐││ │ Small │ │ Medium │││ │ Tenants │ │ Tenants │││ └─────────┘ └─────────────────┘│└───────────────────────────────────┘
┌───────────────────────────────────┐│ Dedicated: Enterprise Tenant ││ (Custom SLA, dedicated resources)│└───────────────────────────────────┘Best Practices
Section titled “Best Practices”- Always pass TenantCtx - Never hardcode tenant IDs
- Validate at boundaries - Check tenant access at API and component level
- Use tenant-scoped logging - Include tenant ID in all log entries
- Separate secrets - Never share secrets between tenants
- Test isolation - Verify one tenant cannot access another’s data
- Monitor per-tenant - Track usage and errors by tenant