When to use Multi-Tenant Applications and when to use ACL (access control lists)?
Application Type

Hi everyone,

We have been on a modernization journey and a lot of our legacy applications have a concept of data isolation based on roles. At first we used the ACL strategy as defined in this technical article to mimic this behavior in Outsystems.

Recently we discovered the multi tenant feature that seems to adress the same issue as ACLs.

Have any of you had to choose between ACLs or multitenancy ? 


Hello Geraldo,

Multi tenant is much easier choice when your data base is isolated and same apps and same database is getting used for different systems like different banks, different countries, different cities etc. 

Multi-tenant applications are easy to deploy. You only need to set up one instance of a software application, which will be able to serve all your customers. Multi-tenancy architectures allow for efficient usage of compute and hardware resources.

An Entity should be Single-tenant if its data is meant to be shared by all tenants and Multi-tenant if it is tenant specific 


But the Access control list are used to store the objects with its users and user groups, this is mainly used for financial data for specific  user and from specific branches.

Please check following  discussion 




Hello Geraldo,

Let me explain you when is multi tenant more appropriate, I believe only explanation should help you decide between ACL Vs Multi Tenant. 

Multi tenant design is recommended for applications which require data isolation between multiple client organizations or tenants. Segregation of data per user is not an ideal scenario for implementing multi tenancy. You can achieve this in much simpler way by storing proper relationship between user and the set of data they can access, then implement the logic to fetch and show only that data to user which he has access to based on defined access rules stored in database.

Imagine you implement multi tenancy in this scenario and there are thousands or even hundreds of users for your application, you would be end up having same number of tenants which are hard to manage and wastage of resources.

You can understand it better with examples and same explanation on below post. Quite often ACL and other simpler approaches should be able to handle most of the access management scenarios unless there is real need to implement tenants.


Hope this helps!


Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.