Multitenancy model

Trying to think of a model for a multitenant setup. Think SaaS, which has orgs, and each org has one or more users. Each org owns its data.

What I am having difficulty with is the permissions setup. It seems like there is a very low limit (25) of principals that objects can be shared with. So that means only a max of 25 groups we could share it with?

What are the scalable approaches for multitenancy?

Thanks.

1 Like

We have a multi-tenant application where we embed QuickSight dashboards. In general, the orgs in our application all have access to the same dashboards but we use row-level security to ensure they can only see their data.

Do you need a different group for each org because they need access to different dashboards?

3 Likes
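With the row-level security setup described in the reply above, tenant isolation rests on the RLS rules dataset, so that dataset is worth auditing before it is attached. The following is an added example, not code from the thread: it assumes user-based rules keyed on QuickSight's `GroupName` column, and the tenant column `org_id`, the group names, and the `multi_org_groups` allowlist are hypothetical. It flags rules with a blank tenant value (in QuickSight's user-based rules a blank value leaves that principal unfiltered on the field) and groups mapped to more than one org.

```python
import csv
import io

# Constructed sample rules dataset. GroupName is the column QuickSight
# user-based RLS matches on; org_id and the group names are assumptions.
SAMPLE_RULES = """GroupName,org_id
org-acme,acme
org-globex,globex
org-initech,
support-staff,acme
support-staff,globex
org-acme,globex
"""

def audit_rules(csv_text, tenant_field="org_id", multi_org_groups=("support-staff",)):
    """Return (line_number, group, problem) tuples for risky rules."""
    findings = []
    seen = {}  # group -> set of tenant values granted so far
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        group = (row.get("GroupName") or "").strip()
        tenant = (row.get(tenant_field) or "").strip()
        if not group:
            findings.append((line_no, group, "rule has no principal"))
            continue
        if not tenant:
            # A blank filter value leaves the principal unrestricted on that field.
            findings.append((line_no, group, "blank tenant value: sees every org"))
            continue
        granted = seen.setdefault(group, set())
        if granted and tenant not in granted and group not in multi_org_groups:
            findings.append((line_no, group, f"also granted {tenant}: cross-tenant"))
        granted.add(tenant)
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Groups that legitimately span orgs go in `multi_org_groups`, which keeps that exception explicit and reviewable.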

There are several approaches:

  1. Separate Account
  2. Separate Region
  3. Namespace - Click here
  4. Shared Folder - Click here
  5. Group - Click here
  6. RLS/CLS by User or Tag - Click here

You can create up to 10,000 groups in a namespace. If you want to create more than 10,000 groups in a namespace, contact AWS Support.

2 Likes

Thank you for your list of documentation references @drpeter!

I think all of these, with the exception of tags, suffer from the same problem that I mentioned earlier:

An asset (e.g. dashboard) can be shared with a maximum of 64 principals (users or groups).

See: AWS::QuickSight::Dashboard - AWS CloudFormation

And using the tagging approach requires a different kind of subscription, which can be cost-prohibitive.

Any idea on how to overcome the principal limits?