tenant-isolation-patterns
Multi-tenant isolation patterns on Salesforce: custom metadata per-tenant, permission-based feature gating, data partitioning, namespace isolation, ISV managed-package patterns. NOT for multi-org strategy (use multi-org-architecture). NOT for data sharing design (use sharing-selection decision tree).
Best use case
tenant-isolation-patterns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Multi-tenant isolation patterns on Salesforce: custom metadata per-tenant, permission-based feature gating, data partitioning, namespace isolation, ISV managed-package patterns. NOT for multi-org strategy (use multi-org-architecture). NOT for data sharing design (use sharing-selection decision tree).
Teams using tenant-isolation-patterns should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/tenant-isolation-patterns/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How tenant-isolation-patterns Compares
| Feature / Agent | tenant-isolation-patterns | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Multi-tenant isolation patterns on Salesforce: custom metadata per-tenant, permission-based feature gating, data partitioning, namespace isolation, ISV managed-package patterns. NOT for multi-org strategy (use multi-org-architecture). NOT for data sharing design (use sharing-selection decision tree).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Tenant Isolation Patterns
Activate when designing how multiple logical tenants coexist in one Salesforce environment: ISV managed package with customer orgs, multi-brand single org, franchise network, or multi-agency public sector deployment. Tenant isolation is an architect-level decision that touches sharing, packaging, customization, and integration.
## Before Starting
- **Distinguish logical tenants from separate orgs.** If each tenant needs its own release cadence, compliance boundary, or governance model, use separate orgs and federate. If tenants share the same release train and just need data/config partitioning, multi-tenant within one org is viable.
- **Know the regulatory posture.** HIPAA, FedRAMP, GDPR data-residency requirements may make single-org multi-tenant legally infeasible.
- **Audit the customization ask.** Tenant-specific fields are hard in one org; tenant-specific record types and page layouts are easier; tenant-specific Apex is a smell.
## Core Concepts
### Tenant identifier on the record
Most common pattern: a `Tenant__c` lookup or picklist on every tenant-scoped object. Every query filters by tenant; every sharing rule gates by tenant. Simple, auditable, but dependent on discipline.
### Account hierarchy as tenant
For B2B2C or franchise patterns, the tenant is an `Account` with a specific record type (e.g., "Franchisee"). Users roll up through the role hierarchy under that Account. Sharing falls out naturally from the role hierarchy.
### ISV managed package isolation
In a managed-package ISV scenario, the customer's org IS the tenant boundary. Isolation is by org. Your concern is packaging, upgrades, and not leaking customer data through shared infrastructure.
### Permission-based feature gating
Custom metadata or custom permissions define which features a tenant sees. Feature flags are queried at runtime; page layouts and UI conditionally render.
## Common Patterns
### Pattern: Single org, Tenant__c field, criteria-based sharing
Add `Tenant__c` to every tenant-scoped object. OWD is Private. Criteria-based sharing rules per tenant grant access to members of the tenant's permission set group. Reports filter by current user's Tenant ID.
### Pattern: Franchise model via Account hierarchy
Each franchise is an `Account` with record type "Franchisee" plus a role for its users. OWDs private; role hierarchy handles franchise-to-franchise isolation. Regional managers span franchises via overlay role.
### Pattern: ISV package with feature flags
Managed package ships with a Custom Metadata Type `Feature_Flag__mdt`. Each customer toggles flags without code changes. Apex checks flags via a central `FeatureService.isEnabled('X')` call.
### Pattern: Multi-brand single org
Brand = Tenant. Each record stamped with brand. Users have a `BrandId` on User. Sharing rules gate by brand. Integrations receive brand-scoped tokens.
## Decision Guidance
| Situation | Recommended Approach | Reason |
|---|---|---|
| ISV B2B SaaS | Managed package, org-per-customer | Native isolation |
| Franchise / partner network | Single org, Account hierarchy | Easy rollup |
| Multi-brand agency | Single org, Tenant__c field, CBS | Tight ops, shared data model |
| Regulatory-bound tenants | Separate orgs, federated | Compliance |
| Per-tenant custom code | Reconsider — managed package + feature flags, not per-tenant Apex | Maintenance hell |
## Recommended Workflow
1. Classify the tenant model: single-org logical, ISV managed package, or multi-org federated.
2. Write the isolation requirements: data, config, compliance, release cadence, integration.
3. Choose the tenant identifier strategy (field, account, namespace).
4. Design sharing: OWD, role hierarchy, criteria-based sharing, permission set groups.
5. Design feature gating: custom metadata, custom permissions, permission sets.
6. Build a tenant-onboarding runbook: records to create, permissions to grant, flags to set.
7. Test isolation with two-tenant data set; verify no cross-tenant visibility in reports, queries, dashboards.
## Review Checklist
- [ ] Tenant model explicitly documented
- [ ] Tenant identifier chosen and consistently applied
- [ ] Sharing model validated with a two-tenant smoke test
- [ ] Feature flags in custom metadata or permissions, not Apex
- [ ] Onboarding runbook tested end-to-end
- [ ] Offboarding runbook (data export, access revocation) exists
- [ ] Cross-tenant reporting requirements addressed (aggregated view for owners)
## Salesforce-Specific Gotchas
1. **Role hierarchy bypasses sharing rules.** A tenant admin role placed above another tenant's role grants visibility — model the hierarchy carefully.
2. **Report folders do not have row-level filters.** A tenant user seeing a shared report folder may see records from the report's query regardless of sharing — use CRM Analytics with security predicates for sensitive reporting.
3. **Flow runs as the current user but can escalate.** `System Context` flows bypass sharing and FLS; auditing flow run mode is a tenant-isolation imperative.
## Output Artifacts
| Artifact | Description |
|---|---|
| Tenant model decision record | Single-org logical / ISV / federated with rationale |
| Sharing architecture diagram | OWD, role hierarchy, CBS, PSG mappings |
| Feature flag catalog | Custom metadata types and default values |
| Onboarding + offboarding runbooks | Step-by-step tenant lifecycle |
## Related Skills
- `architect/multi-org-architecture` — sibling for federated model
- `security/sharing-architecture` — sharing detail
- `devops/managed-package-publishing` — ISV patterns
- `standards/decision-trees/sharing-selection.md` — when to use which sharingRelated Skills
mfa-enforcement-patterns
Design MFA enforcement: auto-enablement, Salesforce Authenticator rollout, exceptions, service accounts, API-only users, SSO interop, and audit. Trigger keywords: MFA, multi-factor, two-factor, Salesforce Authenticator, MFA exception, MFA SSO, api-only MFA. Does NOT cover: end-user password policies, device-trust posture, or non-Salesforce IdP configuration.
encrypted-field-query-patterns
Design SOQL, filters, reporting, and indexes against Shield Platform Encryption fields. Trigger keywords: Shield Platform Encryption, encrypted field query, probabilistic vs deterministic encryption, encrypted SOQL filter, encrypted field index. Does NOT cover: Classic Encryption (deprecated), field-level security policy, or tenant secret key rotation.
apex-managed-sharing-patterns
Grant row-level access programmatically via __Share records when declarative sharing rules cannot express the policy. NOT for OWD, role hierarchy, or criteria-based sharing rule design.
omnistudio-testing-patterns
Use when testing or validating OmniStudio components — OmniScript preview, Integration Procedure step debugging, DataRaptor field-mapping validation, and end-to-end UTAM-based automation. NOT for Apex unit testing or standard Flow debugging.
omnistudio-error-handling-patterns
Use when designing fault behavior across Integration Procedures, DataRaptors, OmniScripts, and FlexCards — error routing, user-facing messaging, retry semantics, and idempotency. Triggers: 'omnistudio error', 'integration procedure fault', 'dataraptor error handling', 'omniscript retry', 'flexcard action failure'. NOT for general Apex exception design or Flow fault paths.
omnistudio-ci-cd-patterns
Use when designing or implementing CI/CD pipelines for OmniStudio components — DataPack export/import, versioning, environment promotion, and automated deployment. NOT for standard Salesforce metadata CI/CD or Apex-only pipelines.
omniscript-design-patterns
Use when designing or reviewing OmniScripts for guided experiences, step structure, branching, save/resume, and the boundary between OmniScript, Integration Procedures, DataRaptors, and custom LWCs. Triggers: 'omniscript design', 'too many steps in omniscript', 'save and resume omniscript', 'branching in omniscript', 'when should this be an integration procedure'. NOT for deep Integration Procedure or DataRaptor design when the guided interaction layer is not the main concern.
integration-procedure-cacheable-patterns
Use when designing Integration Procedures (IPs) with platform cache to cut latency and callout load. Covers cache key design, TTL selection, per-user vs org-wide partitions, invalidation on data changes, and safe fallback on cache miss/stale. Does NOT cover general IP authoring (see omnistudio-error-handling-patterns) or LWC client-side caching.
flexcard-design-patterns
Use when designing, building, or reviewing OmniStudio FlexCards — including data source selection, card states, actions, conditional visibility, flyout configuration, and child card iteration. Triggers: 'FlexCard', 'card template', 'flyout', 'card action', 'card state', 'data source', 'child card', 'conditional visibility'. NOT for OmniScript design, standalone LWC development, or Apex controller architecture outside the FlexCard context.
dataraptor-patterns
Use when designing or reviewing OmniStudio DataRaptors, especially Extract versus Turbo Extract versus Transform versus Load, field mapping strategy, performance tradeoffs, and when to move work into Integration Procedures or Apex. Triggers: 'DataRaptor Extract', 'Turbo Extract', 'DataRaptor Load', 'DataRaptor Transform', 'OmniStudio data mapping'. NOT for overall OmniScript journey design or Integration Procedure sequencing when the main question is not the DataRaptor shape itself.
wire-service-patterns
Use when designing or reviewing Lightning Web Components that use `@wire`, Lightning Data Service, UI API, or the GraphQL wire adapter, especially for reactive parameters, cache behavior, and refresh strategy. Triggers: 'wire service', 'refreshApex', 'reactive parameter', 'getRecord', 'wire vs imperative Apex'. NOT for component communication or generic lifecycle issues when data provisioning is not the main concern.
message-channel-patterns
Use when implementing Lightning Message Service (LMS) to enable cross-DOM communication between LWC, Aura, and Visualforce components on the same Lightning page, using message channels. Triggers: 'communicate between unrelated LWC components', 'send data between Visualforce and LWC', 'lightning message service not working', 'APPLICATION_SCOPE vs default scope', 'message channel metadata deployment'. NOT for parent-child component communication (use component-communication) or server-side events.