software

Real-World System Design: Authentication, RBAC, and Multi-Tenant Architecture (Part 1)

Published: (December 22, 2025 at 06:04 AM EST)
3 min read
Source: Dev.to

Source: Dev.to

Why This Series?

Most tutorials show:

  • “Add JWT authentication”
  • “Protect a route”
  • “Create roles like admin and user”

But real systems need answers to harder questions:

  • How do you design auth for multiple organizations (tenants)?
  • How do roles differ per department or project?
  • How do you avoid permission explosions?
  • How do you scale RBAC without rewriting everything later?

These are the problems we’ll solve—step by step.

The Core Building Blocks

1. Authentication (Who are you?)

Authentication answers one question:

Who is making this request?

Common approaches:

  • Email/password
  • OAuth (Google, GitHub, SSO)
  • Token‑based auth (JWT, opaque tokens)
  • Session‑based auth

⚠️ Authentication does not decide what you can do. It only proves identity.

2. Authorization & RBAC (What are you allowed to do?)

Authorization answers:

What can this authenticated user access or modify?

RBAC is the most widely used model:

Users → Roles → Permissions

In real systems:

  • Roles vary per tenant
  • Permissions vary per context
  • Some actions depend on ownership or hierarchy

We’ll explore:

  • Simple RBAC
  • Role‑Permission mapping
  • Context‑aware permissions
  • When RBAC breaks and what to use instead

3. Multi‑Tenant Architecture (Where do you belong?)

Multi‑tenancy answers:

Which organization’s data and rules apply to this user?

Typical examples:

  • SaaS products
  • Enterprise tools
  • Internal platforms used by multiple companies

Key challenges:

  • Data isolation
  • Tenant‑specific roles and permissions
  • Scaling without duplicating logic
  • Preventing cross‑tenant access bugs

A single missed check here can become a security incident.

A Real‑World Example We’ll Build On

Throughout this series, we’ll use a realistic scenario: a SaaS platform used by multiple companies. Each company has departments, users, roles, and permissions.

High‑level structure

Organization (Tenant)
 └── Company
     └── Department
         └── Users
             └── Roles
                 └── Permissions

Rules

  • A user belongs to one tenant
  • Roles are defined per tenant
  • Permissions control access to features and data
  • Access depends on both role and context

This mirrors how many enterprise systems actually work.

Common Mistakes Teams Make Early

  • ❌ Hard‑coding roles (e.g., if user.role === 'admin')
  • ❌ Assuming one global admin role
  • ❌ Mixing authentication and authorization logic
  • ❌ Ignoring tenant boundaries in queries
  • ❌ Designing RBAC too late (after features grow)

This series will help you avoid these traps.

What This Series Will Cover

Authentication in Real Systems

  • JWT vs. sessions
  • Token lifecycle
  • Secure login flows

Designing RBAC That Scales

  • Role vs. permission design
  • Database schema patterns
  • Avoiding role explosion

Multi‑Tenant Authorization

  • Tenant isolation strategies
  • Query‑level security
  • Middleware patterns

Advanced Patterns

  • Policy‑based access control
  • Attribute‑based access control (ABAC)
  • Feature flags & permission gates

Common Security Pitfalls

  • Privilege escalation bugs
  • Insecure defaults
  • Authorization testing strategies

Who This Series Is For

  • Backend engineers
  • SaaS product developers
  • API designers
  • Anyone who wants to understand why patterns exist, not just how to implement them

Basic familiarity with backend development is assumed, but the concepts apply across stacks.

What’s Next

In Part 2, we’ll start with Authentication design in multi‑tenant systems—how to structure identity, tokens, and tenant context correctly from day one.

If you’re interested in real‑world system design patterns, follow along.

Back to Blog

Related posts

Read more »