TMCnet Feature
May 12, 2021

Saas and Multi-tenancy


What are SaaS (News - Alert) and PaaS

SaaS stands for Software as a service, PaaS is a platform as a service. SaaS is a cloud-based solution replacing a desktop application or a server-based, on-premises solution.

PaaS is a particular type of SaaS where developers can use cloud-based solutions to create other solutions.

Forms of deployment.

In the early days of cloud computing, companies were reluctant to store sensitive data on the cloud. Also, communication speeds were insufficient for proper response times. Servers were deployed on-premises, along with the physical security challenges involved.

When the solutions and platforms have matured, more organizations have become confident that data stored on the cloud and managed using up-to-date technologies is more secure than data on-premises.

When moving to the cloud, organizations developed, deployed, and managed their applications using in-house resources.

Nowadays, more organizations take advantage of information services and technologies offered as part of SaaS or PaaS platforms. These are available for subscription fees or free of charge.

Common Terms


Multi-tenancy describes a cloud deployment paradigm where a single instance of the software and its supporting infrastructure serves multiple customers/organizations or tenants.

Organization or Tenants

A Tenant is usually a company or a customer, not a single person. Tenant definition is: A tenant is the smallest collection of Users and other objects that a dedicated Administrator is required to manage.

Scaling out

Scaling out is a collection of technologies, hardware, software, and best practices that allow servers on the cloud to expand when traffic grows, effectively sharing the workload among multiple servers.

Reliability through ‘no single point of failure.’

‘No single point of failure’ relates to the technologies, software, and hardware used to prevent any downtime resulting from a single device or software component failure. Often, scalability and reliability are associated.

Data security

The collection of technologies, software applications, and sometimes hardware appliances, used to protect access to servers on the cloud and to the data they store. Data security also includes means to comply with international standards such as ISO 27001 and should be designed to protect personal data following the GDPR guidelines.

(login) and two factor authentication

One of the most common security compromises is the use of credentials by more than one user. The use of Multi Factor Authentication (MFA (News - Alert)) such as Google Authenticator, forces users to use their own credentials and use a smartphone to gain access to a system.

Access Control to API endpoints

The technology used to limit the access of the signed-in user to API endpoints on the server. When a server supports batch processing through external triggers, rules and schedules, API access control should be associated with the permissions of the user creating the relevant server side objects.

Access Control to Data

The technology used to limit access to data, In the spirit of ‘Privacy by design’. A system should prevent access to data by default. Every piece of information should be accessible to allowed users at the allowed operation or level of access. Data created by a user is always accessible to that user.

Why Multi-Tenancy is essential in SaaS systems

When using SaaS, organizations should manage their tenant domain(s) as if they were using a dedicated server. This allows tenant administrators to define users, roles , permissions and other security objects without being limited to some rigid pre-defined SaaS policies.

Sometimes, organizations need to define new tenants for their own customers,subsidiaries or affiliated organizations.

These requirements cannot be met without proper support for multi-tenancy.

Different approaches to multi-tenancy in SaaS/PaaS platforms

Server(s) per organization/customer/tenant

Initially, providing services on the cloud to multiple organizations would have required the provisioning of a separate database, separate copy of the backend application and a separate copy of the front end applications.

This approach uses a single tenant system on each server and an associated database.

The main advantages of such deployment architecture are:

  • This approach is similar to the ‘on premises server’ approach and may be easier to accept by some people.

The main drawbacks of such an approach are:

  • Maintenance of multiple organizations is time consuming and error prone..
  • Resources may be at surplus for some organizations while inadequate for others.
  • There is no way to maintain hierarchical or flat structure of tenants where authorized users can access data across multiple tenants. This can be critical when organizations manage subsidiaries where each subsidiary is a tenant.
  • Scaling out, if at all, must be provisioned for each customer separately, this makes the maintenance even more difficult. Resources waste is also much evident.

Standard JPA 2.1 multi-tenancy

When using standard JPA for ORM in Java based backends, there is built in support for multi-tenancy as follows:

  • Use a single database for multiple tenants each having a different schema.
  • Use multiple databases, a single database per tenant relying on JPA ability to provision the correct connection.
  • Use a discriminator column at the level of the JPA provider (This is only supported by EclipseLink and not Hibernate).
  • Use Oracle (News - Alert) Virtual Private Database (VPD) when using EclipseLink provider.

None of the above solutions provides access across multiple tenants for the several use cases requiring such support.

Wizzdi FlexiCore Multi-tenancy support

Wizzdi develops and provides open source platforms and technologies extending Spring framework in many ways, such as inter-injectable plugins, multi-tenancy and optional powerful data aware user interface components.

Multi-tenancy in FlexiCore is optional  and if used, it allows tenants to be created , if the user is permitted to, inside existing tenants. This allows authorized users, for example the CEO of a company having multiple subsidiaries, to access the aggregated view of the data across multiple tenants.

Also, FlexiCore data access enforces tenant isolation at the root. Adding the predicates related to multi-tenancy to any query created by plugins’ developers without placing any extra work on them. 

Simply put, all queries performed against the database retrieve the data permitted to the current user, considering associated roles, tenants and their default policies in the context of the operation involved. This is enforced in the database level without filtering the data in memory and is designed for huge databases.

Access control to data in FlexiCore is built from the ground up to support multi-tenancy and by default to prevent access to data unless created by the logged-in user.

Encryption in FlexiCore to increase data security

FlexiCore supports encryption of selected columns using a key pair. Keys are optionally stored on an external vault server allowing optional human intervention when a server needs the keys. Without human intervention , keys are managed at one location, that is, the vault, serving multiple servers while allowing easy changes to policies. More documentation on FlexiCore can be found here.

» More TMCnet Feature Articles


» More TMCnet Feature Articles