Tenants, roles, and scope
The dev console defaults the session actor to platform_admin. Use Home → Session actor to
switch to tenant_admin if you are validating the role-gated sections on this page.
Goal
Use the correct tenant scope and headers so reads and mutations align with SPEC-001 RBAC.
Prerequisites
- Actor id and role available to the admin API (dev console uses X-Actor-* headers).
- For tenant_admin, a non-empty X-Actor-Tenant-Id matching your integration (e.g. tenant_alpha).
Not available for your role: Creating or deprovisioning the canonical tenant record in Tapestry
is reserved for platform_admin. Contact your platform operator if you need a new tenant identifier
or org onboarding.
Steps (platform admin)
- Follow platform onboarding runbooks to create the tenant record and initial governance rows.
- Assign partner admins with tenant_admin scoped to that tenant only.
- Record audit references when commercial posture changes (ADR-037).
Steps (tenant admin)
- Confirm your session carries the tenant id you operate (see Session actor panel in dev).
- Retry API calls with corrected headers if you receive 403 scope errors.
- Never reuse another tenant’s identifiers in examples—keep samples synthetic.
Verify
- List partners for tenant_alpha succeeds when role and tenant headers match.
- Mutations that require finance or platform roles are refused with explicit errors, not silent success.
If it fails
Check role spelling, tenant id typos, and whether the operation is finance-gated. Escalate to platform ops for tenant lifecycle outside your scope.
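A client-side preflight for the checks above, as an added example that is not part of the console or its API: it lists the header problems that would explain a 403 scope error before you retry. The X-Actor-Id and X-Actor-Role header names and the operation labels are assumptions; this page names only X-Actor-Tenant-Id and the two roles.

```python
# Added example. Assumed names: X-Actor-Id, X-Actor-Role, and the operation
# labels below. Finance gating is not modelled because the page does not
# name the finance role.
KNOWN_ROLES = {"platform_admin", "tenant_admin"}
PLATFORM_ONLY = {"tenant_create", "tenant_deprovision"}  # hypothetical labels


def preflight(headers, target_tenant, operation="read"):
    """Return a list of problems that would explain a 403 scope error."""
    problems = []
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    actor = h.get("x-actor-id", "").strip()
    role = h.get("x-actor-role", "")
    tenant = h.get("x-actor-tenant-id", "")

    if not actor:
        problems.append("missing actor id")

    if role not in KNOWN_ROLES:
        # Catch common spelling slips (case, hyphen, stray whitespace).
        hint = role.strip().lower().replace("-", "_")
        if hint in KNOWN_ROLES:
            problems.append(f"role {role!r} misspelled; did you mean {hint!r}?")
        else:
            problems.append(f"unknown role {role!r}")
        return problems  # scope checks are meaningless without a valid role

    if operation in PLATFORM_ONLY and role != "platform_admin":
        problems.append(f"{operation} is reserved for platform_admin")

    if role == "tenant_admin":
        if not tenant.strip():
            problems.append("tenant_admin requires a non-empty X-Actor-Tenant-Id")
        elif tenant != target_tenant:
            # Exact comparison on purpose: a typo or padding is a mismatch.
            problems.append(
                f"tenant header {tenant!r} does not match target {target_tenant!r}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: synthetic actor id, tenant id with a typo.
    sample = {"X-Actor-Id": "u1", "X-Actor-Role": "tenant_admin",
              "X-Actor-Tenant-Id": "tenant_alhpa"}
    print(preflight(sample, "tenant_alpha"))
```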
Further reading
- SPEC-001 Core API Contracts — admin RBAC matrix.
- Partner registry and routing