Multi-tenant Permissions with AWS AppSync and Cognito User Pools

By Rich

Mon Mar 15 2021

The ability to host multiple isolated tenants in a single application is vital for most modern SaaS apps. It can also be one of the more difficult features to implement.

I’m going to discuss how I’ve implement this in multiple applications using AWS AppSync with Cognit User Pools.

Data and User Types

Before proceeding it’s important to cover the type of data and users your application has.

In any multi tenant application I’ve come across two types of data.

Shared Data

Shared data is common to all tenants using the application. It is typically maintained by the application owner. An example of shared data would be a list of countries.

Tenant Data

Tenant data is specific to one tenant and should never be accessible by other tenants.

Tenant (Regular) Users

Tenant or regular users are people who have access to one or more tenants. Within each tenant they may have different levels of access. For example: They may have full admin access in tenant A but only limited access in tenant B.

Admin/Support Users

These are typically staff working for company running the SaaS app. They may have the ability to manage shared data and may have unrestricted access to tenants in order to provide support.


Tenant DataShared Data
Tenant UserRead/WriteRead
Admin/Support UserRead/WriteRead/Write

Tenant users can access data for any tenant

  1. Tenants - Can access their own data and read shared data
  2. Application Admin/Support - Can access any tenants and shared data

Want to learn more about serverless applications and devops with AWS?

Sign up for our newsletter.