Risk Register
:::info Source
Sourced from services/tenant-service/SERVICE_RISK_REGISTER.md in the documentation repo.
:::
Severity: S1 Critical · S2 High · S3 Medium · S4 Low
| ID | Risk | Sev | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-TN-01 | ABAC policy complexity → mis-grants within tenant | S1 | Data leak between org units / roles | Policy linter; sample-data tests; UI shows policy in plain language; policy explainer endpoint | Tenant Eng + Security |
| R-TN-02 | Dynamic group predicate with cross-tenant attribute | S1 | Cross-tenant exposure via group membership | Linter rejects predicates without ctx.tenant_id; two-tenant isolation test on every predicate | Tenant Eng |
| R-TN-03 | OrgUnit ltree corruption | S2 | Authz decisions on malformed tree | Postgres CHECK on ltree path format; move/reparent wrapped in tx + tree-validity assertion | Tenant Eng |
| R-TN-04 | Role rename breaks consumers | S2 | Consumers fail to match role | Roles keyed by ULID, not name; name changes are display-only | Tenant Eng |
| R-TN-05 | Data-residency migration bug → data loss / leak | S1 | Partial data across regions; regulator fine | Rehearsals on production-size data; checksums; rollback; saga tests; CTO sign-off on each migration | SRE + Tenant Eng + CTO |
| R-TN-06 | Policy bundle signature bypass | S1 | Attacker ships malicious policy | KMS-signed; consumers verify signature; signed version monotonic | Security + Platform |
| R-TN-07 | System role drift from code | S2 | Roles in DB diverge from RBAC code expectations | System roles seeded on migration; drift detector in CI | Tenant Eng |
| R-TN-08 | Feature flag tenant override delayed by eventual consistency | S3 | Flag appears off for 30s after toggle | Bounded staleness documented; admin UI shows "propagating" state | Tenant Eng |
| R-TN-09 | SAML attribute → role mapping misconfig | S2 | Enterprise user gets wrong role | Attribute mapping editor validates against role list; test SSO flow before activation | Tenant Eng + SE |
| R-TN-10 | Membership re-activation races with enrollment revocation | S3 | User re-invited sees stale enrollments | New Membership ULID on re-invite; old revoked enrollments stay | Tenant + Enrollment |
| R-TN-11 | GDPR erasure incomplete for tenant | S1 | Tenant data retained after closure | Participate in erasure saga; delete memberships, roles-for-user, overrides | Compliance + Tenant |
| R-TN-12 | tenant.status = suspended bypass | S2 | Suspended tenant still serves requests | Gateway rejects requests for suspended tenants; events still processed for payments/compliance | Platform + Tenant |
| R-TN-13 | Slug squatting | S3 | Competitor reserves tenant slug | Slug validation + reserved-names list + manual review for public slugs | Product |
| R-TN-14 | Ltree path depth > 1000 | S3 | Query plan degrades | CHECK constraint: max depth 50 | Tenant Eng |
| R-TN-15 | Circular org-unit reference | S3 | Tree traversal loops | Prevent at write; integrity job nightly | Tenant Eng |
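R-TN-02 pairs a static rule (the linter rejects predicates without ctx.tenant_id) with a dynamic one (a two-tenant isolation test on every predicate). The sketch below is an added example, not the tenant service's own linter, and it assumes a predicate dialect of its own: a boolean expression over `user` and `ctx`, parsed through a whitelist of Python AST nodes. The sample users and predicates are constructed.

```python
import ast
from dataclasses import dataclass
from types import SimpleNamespace

@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str
    dept: str

# Assumed predicate dialect (not the service's own): a boolean expression
# over `user` and `ctx`, restricted to the AST node types listed here.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq,
            ast.NotEq, ast.Attribute, ast.Name, ast.Constant, ast.Load)

def _parse(expr: str) -> ast.Expression:
    """Parse, rejecting calls, subscripts and private attributes."""
    tree = ast.parse(expr, mode="eval")
    bad = sorted({type(n).__name__ for n in ast.walk(tree)
                  if not isinstance(n, _ALLOWED)
                  or (isinstance(n, ast.Attribute) and n.attr.startswith("_"))})
    if bad:
        raise ValueError(f"disallowed syntax in predicate: {bad}")
    return tree

def lint_predicate(expr: str) -> list[str]:
    """Static check from R-TN-02: the predicate must reference ctx.tenant_id."""
    refs_tenant = any(isinstance(n, ast.Attribute) and n.attr == "tenant_id"
                      and isinstance(n.value, ast.Name) and n.value.id == "ctx"
                      for n in ast.walk(_parse(expr)))
    return [] if refs_tenant else ["predicate does not reference ctx.tenant_id"]

def evaluate(expr: str, user: User, ctx: SimpleNamespace) -> bool:
    """Evaluate a whitelisted predicate with builtins stripped from its namespace."""
    code = compile(_parse(expr), "<predicate>", "eval")
    return bool(eval(code, {"__builtins__": {}}, {"user": user, "ctx": ctx}))

def isolation_test(expr: str, users: list[User]) -> bool:
    """Dynamic check: under each tenant's ctx, membership holds only that tenant's users."""
    for tenant in {u.tenant_id for u in users}:
        ctx = SimpleNamespace(tenant_id=tenant)
        members = {u for u in users if evaluate(expr, u, ctx)}
        if any(u.tenant_id != tenant for u in members):
            return False
    return True

# Constructed sample: two tenants whose users look identical apart from tenant_id.
USERS = [User("u1", "acme", "sales"), User("u2", "globex", "sales")]
SAFE = "user.dept == 'sales' and user.tenant_id == ctx.tenant_id"
UNSAFE = "user.dept == 'sales'"  # matches sales users in every tenant
```

The two checks catch different things: a predicate such as `ctx.tenant_id == ctx.tenant_id and user.dept == 'sales'` passes the linter but fails the isolation test, which is why the register requires both.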
Governance
- Weekly: Tenant Eng + Security review S1/S2 items.
- Every release: verify mitigation still in place via test registry.
- S1 items require named owner + verification plan + due date.