$ loading_
Domain patterns for multi-tenant SaaS platforms — tenant isolation models, data partitioning, noisy neighbor mitigation, per-tenant configuration, billing metering, and failure modes. Use when designing or evaluating SaaS products that serve multiple customers from shared infrastructure.
复制安装指令,让 AI 自动完成配置 · 推荐新手
请帮我安装 askskill 上的 "system-type-multi-tenant-saas" 技能: 1. 下载 https://raw.githubusercontent.com/microsoft/amplifier-bundle-systems-design/main/skills/system-type-multi-tenant-saas/SKILL.md 2. 保存为 ~/.claude/skills/system-type-multi-tenant-saas/SKILL.md 3. 装好后重载技能,告诉我可以用了
Patterns, failure modes, and anti-patterns for multi-tenant software-as-a-service platforms.
Every multi-tenant system lives on a spectrum between full sharing and full isolation. The choice is not one-time — most mature SaaS platforms mix models across their stack.
| Model | Description | Cost per tenant | Isolation strength | Operational complexity |
|---|---|---|---|---|
| Shared everything | Single DB, single schema, tenant_id column on every row | Lowest | Weakest — one bad query away from data leakage | Lowest until it isn't |
| Shared compute, separate data | Shared application tier, separate database or schema per tenant | Medium | Strong data isolation, shared failure domain for compute | Medium — schema migrations multiply |
| Fully siloed | Dedicated infrastructure per tenant (DB, compute, sometimes network) | Highest | Strongest — blast radius limited to one tenant | Highest — you're running N deployments |
The right answer is almost always a hybrid. Small tenants on shared infrastructure, enterprise tenants on dedicated. The boundary is driven by:
Compliance is the most common reason teams are forced up the isolation spectrum against their economic interest. Understand these constraints early:
tenant_id filtering is defensible but requires strong evidence (query audit logs, automated testing, access controls).Design for shared-everything first, but make the isolation boundary a first-class abstraction. Every data access path should go through a tenant context that can be swapped from "row filter" to "connection router" without rewriting application code. Teams that don't do this spend 6-18 months retrofitting isolation when their first enterprise customer demands it.
Data partitioning is where multi-tenancy gets real. The schema design you pick on day one will constrain your options for years.
The most common starting point. Every table has a tenant_id column. Every query includes a WHERE tenant_id = ? predicate.
What goes wrong:
tenant_id filter leaks data across every tenant. This is the single most common multi-tenant security vulnerability. Mitigate with: PostgreSQL Row-Level Security (RLS), ORM-level query interceptors that inject tenant filters, automated test suites that assert every query plan includes the tenant predicate.tenant_id, queries scan far more data than needed. Every index should be (tenant_id, ...) not (..., tenant_id).…
Catalog of reusable architectural primitives — boundaries, contracts, state machines, queues, caches, consistency models, and more. For each: what it is, when it's right, when it's WRONG. Use when selecting patterns for a design or evaluating whether a pattern fits.
Domain-Driven Design as a lens for system architecture — bounded contexts, aggregates, ubiquitous language, context mapping, domain events, and strategic vs tactical patterns. Use when modeling complex business domains, defining service boundaries, or evaluating whether a system's structure reflects its domain.
The Unix/Linux design philosophy as a lens for system design — mechanism vs policy, composability, small tools, text streams, convention over configuration, and the principle of least surprise. Use when evaluating designs for composability, simplicity, or separation of concerns.
Object-oriented design principles as a lens for system architecture — SOLID, composition over inheritance, the actor model, design patterns (and when they're wrong), encapsulation, polymorphism, and responsibility-driven design. Use when evaluating code organization, module boundaries, or object/component relationships.
Domain patterns for Azure cloud architecture — compute selection, managed services, identity (Entra ID), networking, data platform, messaging, deployment, cost management, and operational patterns. Use when designing or evaluating a system deployed on Microsoft Azure.
Adversarial review of a system design from 6 critical perspectives -- SRE, security, staff engineer, finance, operator, and developer advocate. Produces a unified risk assessment. Use for INTERACTIVE on-demand reviews during a design conversation (/adversarial-review). For RECIPE-DRIVEN reviews (where prior step context is needed), use the systems-design-critic agent instead.