
Multi-tenancy (Enterprise)

Enterprise multi-tenant architecture for large organizations with multiple teams.

Architecture overview

Synjar uses workspace-level isolation for multi-tenancy:

Organization
├── Workspace A (Team 1)
│   ├── Documents
│   ├── Members
│   └── Settings
├── Workspace B (Team 2)
│   ├── Documents
│   ├── Members
│   └── Settings
└── Organization Settings
    ├── SSO
    ├── Audit Logs
    └── Billing

Data isolation

Row-Level Security (RLS)

All data is isolated at the database level using PostgreSQL RLS:

  • Users can only access data in their workspaces
  • Queries are automatically filtered
  • No cross-workspace data leakage possible
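A workspace-membership policy of the kind described above, with a read and a write check run as an unprivileged role. This is an added example, not Synjar's schema or code: the table, column, role and setting names (`documents`, `workspace_members`, `app_user`, `app.user_id`) are assumptions, and the rows are constructed.

```sql
-- Added example. Table, column, role and setting names are assumptions,
-- not Synjar's schema. Run the setup as the table owner or a superuser.
CREATE TABLE workspace_members (
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    PRIMARY KEY (workspace_id, user_id)
);
CREATE TABLE documents (
    id           uuid PRIMARY KEY,
    workspace_id uuid NOT NULL,
    title        text NOT NULL
);

-- Constructed sample data: one user who belongs to workspace A only.
INSERT INTO workspace_members VALUES
    ('aaaaaaaa-0000-0000-0000-000000000000', '11111111-0000-0000-0000-000000000000');
INSERT INTO documents VALUES
    ('d0000000-0000-0000-0000-00000000000a', 'aaaaaaaa-0000-0000-0000-000000000000', 'A: roadmap'),
    ('d0000000-0000-0000-0000-00000000000b', 'bbbbbbbb-0000-0000-0000-000000000000', 'B: payroll');

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the
-- table owner. Superusers and roles with BYPASSRLS are never filtered.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Membership test keyed on a per-transaction setting. With no WITH CHECK
-- clause, USING is also applied to rows being written. An unset or empty
-- app.user_id yields NULL, so the policy matches nothing (fails closed).
CREATE POLICY documents_workspace_isolation ON documents
    USING (EXISTS (
        SELECT 1 FROM workspace_members m
        WHERE m.workspace_id = documents.workspace_id
          AND m.user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
    ));

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON documents TO app_user;
GRANT SELECT ON workspace_members TO app_user;

-- Isolation check as the unprivileged role, as a member of workspace A.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '11111111-0000-0000-0000-000000000000';
SELECT title FROM documents;            -- read path: filtered by USING
INSERT INTO documents VALUES            -- write path into workspace B
    ('d0000000-0000-0000-0000-00000000000c', 'bbbbbbbb-0000-0000-0000-000000000000', 'planted');
ROLLBACK;
```

The policy is only as strong as its inputs: the application role must not be able to write `workspace_members`, and `app.user_id` must be set from the authenticated session, never from request data.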

Storage isolation

  • Each workspace has isolated storage paths
  • Encryption keys are workspace-specific
  • No shared storage between workspaces

Organization features

Centralized administration

Organization admins can:

  • Create and manage workspaces
  • Assign workspace owners
  • Configure organization SSO
  • View organization-wide audit logs
  • Manage billing for all workspaces

Cross-workspace analytics

View usage metrics across all workspaces:

  • Total documents
  • Active users
  • Search volume
  • Storage usage

Workspace management

Creating workspaces

Organization admins create a workspace as follows:

  1. Go to Organization > Workspaces
  2. Click Create Workspace
  3. Assign name and initial owner
  4. Configure settings

Workspace limits

Setting          Description
Max members      User limit per workspace
Max documents    Document limit per workspace
Max storage      Storage quota per workspace

Transferring workspaces

Workspaces can be moved between organizations by contacting support.

Security model

Access hierarchy

Organization Admin
└── Can access all workspaces (admin view only)

Workspace Owner
└── Full control of single workspace

Workspace Admin
└── Manage content in single workspace

Workspace Member
└── View and search in single workspace

Cross-workspace access

By default, users only see workspaces they're members of. Organization admins have a separate admin view for oversight.

API multi-tenancy

API requests are scoped to workspaces:

# List documents in specific workspace
GET /api/v1/workspaces/{workspaceId}/documents

# API key inherits user's workspace memberships

Self-hosted multi-tenancy

For self-hosted Enterprise:

  • Same RLS-based isolation
  • Can deploy separate instances per tenant
  • Custom data residency options
