Knogin
[Developers]

Auth: Cross-Tenant Data Sharing & Mutual Aid

When two police forces respond to a major cross-border incident, or when a national health service requests situational-awareness data from a civil-protection agency, neither organisation can afford to re-provision every

Back to All Modules
Category: Data IntegrationLast Updated: May 26, 2026
data-integrationcompliance

Overview#

When two police forces respond to a major cross-border incident, or when a national health service requests situational-awareness data from a civil-protection agency, neither organisation can afford to re-provision every user manually or share raw database credentials. Cross-Tenant Data Sharing solves this by letting an administrator define a time-limited, scope-restricted sharing agreement between tenants. Within minutes, authorised operators in the requesting organisation can see exactly the records they need, under the data-owner's policy, with every access logged against both tenants.

The capability is built around the principle that the owning tenant always retains control. Sharing agreements expire automatically, can be revoked instantly, and are enforced at the authorisation layer so no data escapes the agreed scope regardless of how the consumer calls the platform. Multi-Level Security clearance attributes carried in the federated identity token mean that even within an approved sharing agreement, individual operators only see records their clearance permits.

Key Features#

  • Federated Identity Acceptance: Sharing agreements accept signed identity tokens from the partner organisation's own identity provider, so operators authenticate once with their home credentials and receive a scoped token valid for the shared resources, with no separate account to manage.

  • Time-Bound Agreements: Every sharing arrangement carries an explicit start time and expiry. Tokens issued under the agreement are bounded by that window and cannot be renewed beyond the authorised period without a new administrative decision.

  • Granular Scope Definition: Data owners define the precise set of resource types, classification levels, and geographic or operational boundaries that the partner may access. Scope is enforced on every request, not only at token issuance.

  • Multi-Level Security Clearance Enforcement: Clearance attributes carried in the federated identity token are evaluated against the owning tenant's classification policy, ensuring operators below the required clearance level cannot retrieve restricted records even within an approved sharing scope.

  • Instant Revocation: Administrators can terminate a sharing agreement at any time. All tokens issued under that agreement are immediately invalidated and subsequent requests are refused without any propagation delay.

  • Immutable Dual-Tenant Audit Trail: Every access event, including denials, is written to an append-only audit log attributed to both the data owner and the consuming organisation, satisfying accountability requirements under mutual-aid agreements and data-protection law.

  • Consent and Approval Workflow: New sharing requests can be routed through a configurable approval chain within the data-owning organisation before the agreement becomes active, ensuring that data custodians retain governance over what is shared and with whom.

  • Attribute-Based Access Control: Policies can reference any attribute in the identity token, including role, unit, jurisdiction, or operational context, allowing fine-grained rules such as restricting access to field commanders only or limiting sharing to a named incident identifier.

Use Cases#

  • Multi-agency emergency response: Two or more agencies co-responding to a major incident share situational-awareness records and resource availability under a time-limited agreement that expires when the incident is stood down.
  • Cross-border law enforcement operations: A joint investigation team spanning multiple jurisdictions establishes a scoped sharing agreement allowing analysts in each country to query case records held by the other, within the classification limits each nation permits.
  • Civil-military coordination: A national civil-protection authority grants a military headquarters read access to civilian infrastructure data during a humanitarian operation, with access automatically terminating at the end of the declared emergency period.
  • Healthcare mutual aid: During a mass-casualty event, pre-hospital triage data held by an ambulance service is shared in real time with receiving hospitals in adjacent health board areas, limited to patient identifiers and triage category.
  • Regulatory data exchange: A supervisory authority requests read access to operational logs held by a regulated entity for the duration of an audit, with all queries attributable to the regulator's own named staff.

Integration#

Cross-Tenant Data Sharing integrates with the platform's federated identity layer to accept signed tokens from external SAML 2.0 and OpenID Connect providers, and with the graph data service to enforce relationship-based access control when data ownership spans multiple linked entities. Sharing agreements and their audit records feed into the platform's compliance dashboard, where administrators from both tenants can view the agreement status, inspect the access log, and download evidence packages suitable for data-protection or regulatory reporting.

Open Standards#

  • SAML 2.0 (OASIS): Cross-organisation identity federation uses SAML 2.0 Web Browser SSO and Attribute Assertion profiles, allowing the consuming organisation's identity provider to assert clearance and role attributes that the owning tenant's policy engine evaluates.
  • OpenID Connect 1.0 and OAuth 2.0 (RFC 6749): Token issuance for scoped cross-tenant access follows the OAuth 2.0 authorisation framework with PKCE, using OpenID Connect identity tokens to carry verifiable clearance and organisational claims across trust boundaries.
  • JSON Web Token (RFC 7519): Scoped access tokens and identity assertions are structured as signed JWTs, with issuer, audience, expiry, and custom clearance claims validated on every request to the owning tenant's resources.
  • SCIM 2.0 (RFC 7643 / RFC 7644): Where a sharing agreement requires temporary user provisioning in the owning tenant, the System for Cross-domain Identity Management protocol is used to synchronise minimal identity attributes without replicating full directory records.
  • XACML 3.0 (OASIS): Attribute-based access control policies governing scope, clearance, and operational context are expressed and evaluated in a manner consistent with the eXtensible Access Control Markup Language standard, ensuring policies are portable and auditable.
  • Common Alerting Protocol (CAP, ITU-T X.1303 / OASIS): When sharing agreements cover incident-alert data, records are structured and exchanged in conformance with the Common Alerting Protocol, ensuring interoperability with national alerting infrastructure.
  • ETSI eIDAS (EU Regulation 910/2014 and eIDAS 2.0): Cross-border sharing agreements involving European public-sector bodies are structured to respect the eIDAS trust levels for electronic identification, ensuring that identity assurance levels are preserved when tokens cross national boundaries.
  • NATO STANAG 4774 / 4778: Classification labelling and handling instructions attached to shared records follow the NATO Confidentiality Metadata Label Syntax and Binding standards, supporting interoperability with allied classification enforcement systems.

Availability#

  • Enterprise Plan: Included
  • Professional Plan: Available with up to two active sharing agreements; additional agreements and approval-workflow customisation available on the Enterprise Plan.

Last Reviewed: 2026-05-26

Ready to Build?

Get started with our APIs or contact our integration team for support.