Nox-Lumen MfgMulti-tenancy model
Three-level identity model
Combo Agent uses three levels:
Rendering diagram…
Each level has a clear owner and permission boundary.
Tenant
A tenant maps to an enterprise or organization:
- Quotas — model limits, storage, concurrent Sessions
- Skill pool — tenant Skills (not visible across tenants)
- Knowledge bases — strictly partitioned
- Identity — SSO / LDAP / OAuth to the tenant IdP
User
A user is a member inside a tenant:
- Personal Skills — visible only to that user
- Personal memory — user-level preferences and terms
- Roles — RBAC over tenant resources
Session
Sessions are the finest-grained workspaces:
- Private by default — only the creator
- Sharable — invite collaborators in the same tenant
- Never cross-tenant — cannot share Sessions outside the tenant
Isolation dimensions
| Dimension | How |
|---|---|
| Storage | tenant/user/session prefixes — see Storage |
| Memory | Tenant-scoped long-term memory + user partitions for preferences |
| Skills | Precedence builtin > tenant > user; tenant Skills never leave the tenant |
| Credentials | Encrypted per tenant, not shared |
| Logs & audit | Tenant-partitioned exports |
| Model routing | Tenants can restrict “this tenant uses only model X” |
RBAC roles
Built-in roles:
| Role | Scope |
|---|---|
| TenantAdmin | Tenant admin, billing, audit, SkillHub publish |
| TeamLead | Manage team members and shared resources |
| User | Create / manage own Sessions and personal Skills |
| Auditor | Read-only + audit log access |
| Service | Service accounts for API integration |
Custom roles are supported.
Collaboration boundaries
- Same tenant — Session sharing, Skill publishing, KB attachment
- Cross tenant — not supported; use export / import / webhook decoupling instead
Graft, Session, and tenancy
Graft under multi-tenancy:
- Default: graft same tenant, same user Sessions only
- With tenant-admin approval: graft same tenant, different users
- Never across tenants