UserTenants

UserTenants Type

Audience: Programmer

Represents a tenant (company/organization) that a user has access to, including their role within that tenant. This type enables multi-tenant user access in pyck, allowing users to belong to multiple organizations with different roles in each.

Fields

Field

Type

Description

ID

UUID!

Unique identifier of the tenant

Name

String!

Human-readable name of the tenant/organization

Role

String!

User's role within this specific tenant

Usage Example

query {
  me {
    Username
    Email
    Tenants {
      ID
      Name
      Role
    }
  }
}

Response Example

{
  "data": {
    "me": {
      "Username": "john.doe",
      "Email": "[email protected]",
      "Tenants": [
        {
          "ID": "123e4567-e89b-12d3-a456-426614174000",
          "Name": "Acme Corporation",
          "Role": "admin"
        },
        {
          "ID": "987f6543-a21b-34c5-d678-123456789012",
          "Name": "Beta Industries",
          "Role": "viewer"
        }
      ]
    }
  }
}

Multi-Tenant Access

UserTenants enables sophisticated multi-tenant scenarios:

Multiple Organizations: Users can belong to multiple companies/organizations
Role Isolation: Each tenant association has its own role assignment
Tenant Switching: Applications can allow users to switch between their accessible tenants
Permission Scoping: Permissions are scoped to the specific tenant context

Role Management

The Role field contains the user's role within the specific tenant:

Roles are tenant-specific, not global
A user can be an admin in one tenant and a viewer in another
Role definitions are managed at the tenant level
Role changes affect only the specific tenant association

Common Use Cases

Consultants: External users who need access to multiple client organizations
Shared Services: Users who provide services across multiple business units
Parent-Child Companies: Users who work across related but separate entities
Partner Access: Granting limited access to business partners or suppliers
Administrative Oversight: Super-users who manage multiple tenant instances

Security Considerations

Tenant isolation must be strictly enforced at the data layer
Role validation should occur within the tenant context
Audit logs should track which tenant context actions are performed in
Session management should clearly indicate the active tenant

Relationship with UserProfile

UserTenants is accessed through the UserProfile.Tenants field, replacing the deprecated AssignedRoles field:

query {
  me {
    # Deprecated - use Tenants instead
    AssignedRoles
    
    # Recommended approach
    Tenants {
      ID
      Name
      Role
    }
  }
}

Best Practices

Always validate tenant access before performing operations
Use tenant ID for data filtering and access control
Display tenant name in the UI for clarity
Implement tenant switching mechanisms in multi-tenant applications
Log all cross-tenant operations for security auditing
Cache tenant associations for performance while maintaining security

PreviousUserRoleTuple NextWorkflow

Last updated 2 months ago

Was this helpful?