Tenancy & RBAC
How tenants, roles and tiers gate access across the platform.
By the end you’ll be able to
- Understand tenants, roles and subscription tiers.
- Read what each role can and cannot do.
- Recognise how role checks are enforced server-side on every mutation.
DataBridge is multi-tenant: every record — submission, audit-log entry, webhook delivery — is tagged with a tenant id (typically a UKPRN), and the API refuses to leak data across tenants. Tenancy is identified on the wire by the `x-tenant-id` header and the `x-actor` header; see `docs/OPERATOR_GUIDE.md` §5 for the on-the-wire contract.
On top of tenancy sits a role system. The four roles you will meet are `data:viewer` (read-only browse), `data:steward` (the day-to-day analyst with the assistant, schema mapper, drift and repairs), `tenant:admin` (everything a steward has plus the audit log, RA builder and the admin console), and `system:superadmin` (cross-tenant platform operator). The seeded demo personas in `apps/web/lib/personas.ts` map one-to-one onto those roles.
Subscription tier is orthogonal to role. The three tiers are `free`, `pro` and `enterprise`. The same role on different tiers sees different surfaces: a `data:viewer` on `free` is read-only on the audits screen; the same role on `pro` unlocks the assistant, integration map and repairs queue; an admin on `enterprise` opens the RA builder, audit-log browser and the admin console.
Critically, the admin shell only shows the console when you carry `tenant:admin` (or `system:superadmin`) — but every mutation goes through the API's `requireRole` middleware which re-checks the role server-side. The web layer is a courtesy; the API is the gate. That is why demo mode can paint the admin shell without compromising a real deployment: the API still refuses unauthorised writes.
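The server-side re-check described above, as an added example (not DataBridge's own `requireRole`). The `Req` and `Decision` shapes, the role ranking, the server-resolved `session` and the sample tenant ids are assumptions made for illustration.

```typescript
// Added illustration; not DataBridge's actual requireRole implementation.
type Role = "data:viewer" | "data:steward" | "tenant:admin" | "system:superadmin";

// Hypothetical, framework-free shapes so the block runs stand-alone.
interface Req {
  headers: Record<string, string | undefined>; // client-supplied, never trusted for roles
  session?: { actor: string; tenantId: string; roles: Role[] }; // assumed: resolved server-side
}
interface Decision { status: 200 | 401 | 403; reason: string }

// Assumed ranking, following the page: an admin has everything a steward has.
const RANK: Record<Role, number> = {
  "data:viewer": 0, "data:steward": 1, "tenant:admin": 2, "system:superadmin": 3,
};

function requireRole(minimum: Role): (req: Req) => Decision {
  return (req) => {
    const s = req.session;
    if (!s) return { status: 401, reason: "no authenticated session" };
    // Roles come from the session only; nothing the browser renders or sends can raise them.
    const best = s.roles.reduce((max, r) => Math.max(max, RANK[r]), -1);
    if (best < RANK[minimum]) return { status: 403, reason: "requires " + minimum };
    // Tenant scoping: x-tenant-id must match the session unless the caller is cross-tenant.
    const crossTenant = s.roles.some((r) => r === "system:superadmin");
    const tenant = req.headers["x-tenant-id"];
    if (!tenant || (tenant !== s.tenantId && !crossTenant))
      return { status: 403, reason: "tenant mismatch" };
    return { status: 200, reason: "ok" };
  };
}

// Constructed sample: a viewer whose browser painted the admin shell attempts an admin write.
const viewerWrite: Req = {
  headers: { "x-tenant-id": "10000001", "x-actor": "viewer@example.test" },
  session: { actor: "viewer@example.test", tenantId: "10000001", roles: ["data:viewer"] },
};
const adminOnly = requireRole("tenant:admin");
console.log(adminOnly(viewerWrite)); // { status: 403, reason: 'requires tenant:admin' }
```

The same gate wrapped around every mutating route is what lets the web layer stay a courtesy: a request is judged by its session and tenant, not by which screens the client chose to draw.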
When you sign in as a persona the resolved roles win over the open-demo default (see `apps/web/lib/roles.ts`). Without a session and with `NEXT_PUBLIC_DEMO_MODE=1`, every visitor resolves as `tenant:admin` so the demo experience is unpadlocked — see `docs/ADMIN_LOGIN.md` for the Options A / B / C / D matrix.
Walkthrough
- Open admin console
1. Open the admin console
Open the admin home. The console is gated on `tenant:admin` (or `system:superadmin`); in demo mode you resolve as an enterprise admin automatically.
- Open audit log
2. Browse the cross-tenant audit log
Look at the cross-tenant audit-log browser. Every entry is tagged with the tenant and the actor that produced it — that is the multi-tenant story made visible.
- Open tenant audit log
3. See a tenant-scoped surface
Open the per-tenant audit-log view. This is the same data, scoped to the visitor's resolved tenant — and that scoping is enforced by the API, not just the UI.
Your turn
Open the admin console and confirm you can see the operator surfaces (audit log, SLOs, webhooks, marketplace, waivers).
Hint: Use the 'Open admin console' step above — demo mode resolves you as an enterprise admin.