Hi all. I’m trying to figure out whether any of the Prefect products would be suitable to help me support a multi-tenant model. What I mean by that is: • I want to have a single orchestrator that’s owned/managed by me. • Each customer would have their own agent(s) which they would self host. • Each customer would have one or more flows, that only they would be able to see or run. I have 2 specific questions about this: • I see that the Cloud product offers RBAC, but I can’t figure out if that actually does what I want. I see you can create custom roles with specific permissions. But is it possible to prevent one user from seeing another user’s flows? • I understand that you could use labels to tell Customer A’s agent to only run Customer A’s flows, for example. But I don’t know if you can actually prevent Customer A from applying Customer B’s label, and then having Customer B’s flow runs go to Customer A’s agent. Is there any mechanism to lock that down?

Hey @Martin Goldman, for this kind of multi-tenancy, it’s not available through self-serve so you’d need to chat with

<mailto:sales@prefect.io|sales@prefect.io>

. We’ve seen this though where a consulting firm will split their clients by tenant. There are also some use cases like building your own orchestrator that violate our license, so it’s really best you talk to sales here to outline your plans and get quotes. With tenants, you can prevent them from seeing each other’s flows as they will only be in one tenant. Agents are tied to a tenant so there will be no crossover between tenants even if the labels are the same.