Skip to main content

Multi-Tenant Architecture

QA Hub is a multi-tenant platform: each organization runs in a fully isolated workspace called a tenant. All data — projects, test cases, runs, results, configurations — is scoped to a tenant and never shared across tenants.

Tenant lifecycle

StatusAccess
PENDINGNo access — waiting for approval
ACTIVEFull access to the workspace
REJECTEDRegistration denied
SUSPENDEDAccess revoked — data preserved

Registration flow

  1. A user visits the QA Hub registration page and creates an account.
  2. A tenant is created with status PENDING.
  3. An in-app notification is sent to all SUPER_ADMINs.
  4. A SUPER_ADMIN approves or rejects the tenant at /admin.
  5. On approval, the tenant status becomes ACTIVE and the user can log in.

Data isolation

Every Prisma query in QA Hub is scoped by tenantId. There is no mechanism for cross-tenant data access through the API. Tenant boundaries are enforced at the middleware level — not just the query level.

API tokens are also tenant-scoped: a token created in Workspace A cannot access data from Workspace B.

SUPER_ADMIN

The SUPER_ADMIN role is a platform-wide administrator role. SUPER_ADMINs can:

  • Approve, reject, or suspend any tenant
  • Impersonate a tenant (via the admin panel) to troubleshoot on their behalf
  • View platform-wide stats and audit logs
  • Resolve password reset requests

SUPER_ADMINs are assigned directly in the database — there is no self-service promotion to this role.

Admin impersonation

A SUPER_ADMIN can impersonate a tenant by clicking Impersonate in the admin panel (/admin). This sets a qa_hub_admin_tenant cookie scoped to that workspace. The impersonation session can be ended at any time by clicking Exit impersonation.

Impersonation actions are logged in the audit trail with the SUPER_ADMIN's identity.

Self-hosted vs cloud

On self-hosted deployments, the initial admin setup requires directly setting a tenant's status to ACTIVE in the database. See Getting Started — First login for the bootstrap SQL.

On the cloud plan, tenant approval is managed by the QA Hub team.