General Architecture
1. Multi-Tenancy Model
The AI Agents platform uses ABP.IO Framework as its tenant management infrastructure. The platform is built around two fundamental concepts:
Host
Manages all tenants. Provides feature activation, system configuration, and global settings. The Host administrator performs top-level operations such as tenant creation, deletion, and edition management.
Tenant
Manages its own users, roles, and projects. Each tenant operates in an independent, logically isolated environment within the platform.
2. Database Isolation Strategy
The platform adopts the Shared Database with TenantId (Logical Isolation) model:
• All tenants share the same PostgreSQL database.
• Every record is tagged with a unique TenantId field.
• The ABP.IO Global Query Filter mechanism automatically appends a TenantId filter to all queries; this filtering occurs transparently at the application layer.
• No tenant can access data belonging to another tenant. This isolation is enforced at the framework level, independent of application code.
3. Compute Isolation
The platform runs on a shared compute infrastructure:
• All tenant inference requests are processed on pods within the same Kubernetes cluster.
• Each request is tagged with a tenant context and routed so that it can only access the relevant tenant’s data.
• Although physical isolation at the pod level is not present, cross-tenant data access is prevented through the mandatory tenant context.
Role-Based Access Control (RBAC)
The RBAC model in the AI Agents platform is built on the ABP.IO Framework’s permission system. The core principles are:
• Each user is assigned one or more roles.
• Users can only access the data and operations required by their assigned roles.
• Roles are defined at the tenant level; the role structure of one tenant does not affect other tenants.
Roles in the AI Agents platform can be freely created; the permissions assigned to each role can be configured granularly through permission groups. Host Admin, Tenant Admin, Project Manager, Flow Designer, and Viewer are examples of commonly used baseline roles. New roles can be created and the permissions for each role can be customized via the Permissions screen.
Role Permissions
| Permission Group | Scope |
|---|---|
| Feature management | Managing host-level features |
| Identity management | Role management, user management, organization unit management, claim management |
| SaaS | Tenant and edition management |
| Audit logging | Access to audit records |
| OpenId | OpenID Connect application and scope management |
| Account | Account settings |
| Language management | UI language management |
| Lepton theme management | Theme settings |
| Text template management | Text template management |
| Designer | Service integrations management |
| BotHub | BotHub settings management |
| Administration | License settings |
| Setting management | System settings including emailing and time zone |