Tenant Service — Service Risk Register

Status: populated Owner: TBD Last updated: 2026-04-18 Companion: FAILURE_MODES · SECURITY_MODEL

1. Risk catalog

ID	Category	Risk	Likelihood	Impact	Severity	Owner	Mitigation	Status
RISK-TEN-01	Data integrity	RLS misconfiguration leads to cross-tenant data exposure	Low	Critical	High	Security team	RLS tested in mandatory tenant-isolation.spec.ts; quarterly RLS audit; blast-radius analysis	Open
RISK-TEN-02	Availability	Activation saga exhausted → stuck tenant in PENDING blocks onboarding	Medium	High	High	Platform team	Bounded retry + alert; runbook; manual saga resume endpoint	Open
RISK-TEN-03	Compliance	GDPR erasure not propagated: user profile not anonymized on deactivation	Low	High	High	DPO + platform	Inbox consumer processes identity.user.deactivated.v1; erasure integration test mandatory	Open
RISK-TEN-04	Security	ABAC evaluate() performance degradation leads to fail-open behavior	Medium	High	High	Platform team	Deny-on-timeout policy; p95 alert; circuit breaker	Open
RISK-TEN-05	Compliance	Subscription expiry cron fails silently; tenants retain access beyond contract	Medium	Medium	Medium	SRE	Kubernetes CronJob with restart policy; job failure alert; metrics	Open
RISK-TEN-06	Data integrity	Activation saga creates duplicate root nodes on retry	Low	Medium	Medium	Platform team	Idempotent create-or-return semantics in facility-service client; idempotency token	Open
RISK-TEN-07	Performance	Deep hierarchy ancestor walk degrades evaluate() for large tenants	Medium	Medium	Medium	Platform team	Redis 5-min cache for ancestor chain; alert on p95 > 200 ms	Open
RISK-TEN-08	Security	Built-in roles mutated by tenant admin	Low	High	High	Identity team	is_builtin flag; domain invariant blocks delete/mutate	Open

2. Risk summary

Severity	Count
High	5
Medium	3

3. Escalation

Threshold	Escalation
High — security / data	Security lead + CISO within 24 h
High — availability	SRE on-call immediately
Medium	Sprint backlog; reviewed at milestone