Systems Integrator Domain

Category: Api Domains
Last Updated: Feb 5, 2026

Overview

A managed security service provider has 40 customer organisations on the platform. They need certain features enabled for all their customers that are not yet available to the general user population, and one specific customer needs a feature turned off because of a contractual restriction. The Systems Integrator domain handles this without touching each tenant individually: the provider is registered as a systems integrator, the features they need are enabled at the integrator level, and the one exception is overridden at the tenant level. Any new customer onboarded under that integrator inherits the integrator's feature set automatically. A fourth-level user override activates a single feature for a test user without affecting anyone else.

Key Features

  • Integrator Management: Register and manage systems integrator partnerships with detailed profiles, contact information, and operational status tracking.

  • Tenant Association: Link organisational tenants to their systems integrator, establishing the relationship hierarchy for feature flag inheritance and administrative access.

  • Hierarchical Feature Flags: Control feature availability through a four-level cascade: platform defaults flow to integrator overrides, then tenant overrides, and finally user-level overrides, enabling precise feature control at every level.

  • Feature Flag Inheritance: Each level inherits from the level above and can override specific flags, so changes at the integrator level automatically propagate to all associated tenants unless explicitly overridden.

  • Administrative Controls: Restrict all integrator and feature flag management operations to administrative roles, ensuring that platform configuration changes are authorised and tracked.

  • User-Level Overrides: Enable or disable specific features for individual users when needed for testing, phased rollouts, or special access requirements.

Feature Flag Hierarchy

| Level | Scope | Purpose |
| --- | --- | --- |
| Platform | All organisations | Global defaults |
| Systems Integrator | All tenants under an integrator | Integrator-specific features |
| Tenant | Single organisation | Organisation-specific features |
| User | Individual user | Testing and special access |
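
The cascade in the table, worked through for the Overview scenario. This is an added example, not the platform's own code: the flag names are constructed, and rejecting overrides for flags the platform level does not declare is an assumption of the example. It also records which level decided each flag, which is what an administrator needs when auditing why a feature is on for a given user.

```python
# Added example: resolve effective feature flags through the four-level cascade.
# Flag names are constructed for illustration.
from typing import Dict, Optional, Tuple

LEVELS = ("platform", "integrator", "tenant", "user")  # least to most specific
FlagMap = Dict[str, bool]


def validate(level: str, flags: FlagMap, known: FlagMap) -> None:
    """Assumption: overrides may only name platform-declared flags, booleans only."""
    for name, value in flags.items():
        if name not in known:
            raise ValueError(f"{level}: unknown flag {name!r}")
        if not isinstance(value, bool):
            raise ValueError(f"{level}: flag {name!r} must be a boolean")


def resolve(platform: FlagMap, integrator: Optional[FlagMap] = None,
            tenant: Optional[FlagMap] = None, user: Optional[FlagMap] = None
            ) -> Dict[str, Tuple[bool, str]]:
    """Return {flag: (effective value, level that decided it)}."""
    validate("platform", platform, platform)
    effective = {name: (value, "platform") for name, value in platform.items()}
    # Apply overrides from least to most specific; the last writer wins.
    for level, overrides in zip(LEVELS[1:], (integrator, tenant, user)):
        overrides = overrides or {}
        validate(level, overrides, platform)
        for name, value in overrides.items():
            effective[name] = (value, level)
    return effective


# Constructed data mirroring the Overview scenario.
PLATFORM = {"case_export": False, "threat_hunting": False, "beta_dashboard": False}
MSSP = {"case_export": True, "threat_hunting": True}  # enabled at integrator level
RESTRICTED_TENANT = {"case_export": False}            # contractual exception
TEST_USER = {"beta_dashboard": True}                  # single test user

if __name__ == "__main__":
    scenarios = {
        "new tenant": (PLATFORM, MSSP),
        "restricted tenant": (PLATFORM, MSSP, RESTRICTED_TENANT),
        "test user": (PLATFORM, MSSP, None, TEST_USER),
    }
    for who, args in scenarios.items():
        print(who, resolve(*args))
```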

Use Cases

Hierarchical feature flag management through integrator relationships is most valuable in multi-tenant SaaS environments with channel partners. Key industries include managed security services, government technology, and enterprise software.

  • Partner Onboarding: Register new systems integrator partnerships and configure their initial feature set through integrator-level feature flags.

  • Phased Feature Rollout: Enable new features for specific integrators or tenants before making them available platform-wide, supporting controlled rollout strategies.

  • Custom Feature Sets: Tailor available features for different integrator partnerships based on contractual agreements and operational requirements.

  • Feature Testing: Enable features for individual users at the user override level to support testing and validation before broader rollout.

Integration

The Systems Integrator domain supports platform administration:

  • Tenant Management: Integrator-tenant relationships define organisational hierarchy
  • Feature Management: Feature flags control capability availability across the platform
  • User Management: User-level overrides integrate with user administration
  • Organisation Management: Integrator structure maps to organisational boundaries

Open Standards

  • GraphQL (June 2018 Specification): The entire systems integrator API surface (queries, mutations, and type definitions) is implemented as a GraphQL schema, enabling strongly-typed, self-documenting queries and mutations for managing integrators, tenants, and feature flags.
  • JSON Web Token (RFC 7519) / RS256: All API access is gated on bearer tokens issued as RS256-signed JWTs; the service validates these tokens against a JWKS endpoint before permitting any integrator or feature flag operation.
  • OAuth 2.0 (RFC 6749): The token issuance and bearer-token flow that protects every mutation and query in this domain conforms to the OAuth 2.0 authorisation framework, with tokens verified via the JWKS discovery mechanism.
  • Role-Based Access Control (ANSI INCITS 359 / NIST RBAC): The four-role hierarchy (superuser, knogin_admin, si_admin, and tenant admin) is modelled on NIST RBAC principles, with each level holding only the permissions needed for its scope and explicit checks preventing cross-tenant privilege escalation.
  • JSON (RFC 8259): Feature flag state (the boolean domain-capability maps at every level of the hierarchy) is stored and transmitted as RFC 8259 JSON objects, keeping the data format portable and inspectable across all integrations.
  • SCIM 2.0 (RFC 7643 / RFC 7644): Tenant identity provisioning under a systems integrator can be delegated to a SCIM 2.0 endpoint, allowing integrators to synchronise user and group data from their own identity stores into the platform without bespoke connectors.
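
One way to implement the scope check described under Administrative Controls and in the RBAC item above, as an added example that is not the platform's own code. The page names the four roles but not their exact permissions, so the scope given to each role here is an assumption, as are the IDs, the flag name, the `tenant_admin` spelling, and the in-memory tables.

```python
# Added example: deny-by-default scope check with an audit record per attempt.
# Role scopes are inferred from the role names on this page (assumption).
from dataclasses import dataclass
from typing import Dict, List, Optional

PLATFORM_ROLES = {"superuser", "knogin_admin"}
# Server-side association table, tenant -> integrator (constructed data).
TENANT_INTEGRATOR = {"tenant-a": "si-1", "tenant-b": "si-1", "tenant-z": "si-2"}


@dataclass(frozen=True)
class Caller:
    # Populated from verified token claims, never from request arguments.
    subject: str
    role: str
    integrator_id: Optional[str] = None
    tenant_id: Optional[str] = None


def in_scope(caller: Caller, tenant_id: str) -> bool:
    """Unknown roles and unknown tenants get no access."""
    owner = TENANT_INTEGRATOR.get(tenant_id)
    if owner is None:
        return False
    if caller.role in PLATFORM_ROLES:
        return True
    if caller.role == "si_admin":
        # The integrator is looked up from the target tenant, not supplied by the caller.
        return caller.integrator_id is not None and caller.integrator_id == owner
    if caller.role == "tenant_admin":
        return caller.tenant_id == tenant_id
    return False


def set_tenant_flag(caller: Caller, tenant_id: str, flag: str, value: bool,
                    overrides: Dict[str, Dict[str, bool]], audit: List[dict]) -> bool:
    """Apply a tenant-level override if authorised; record the attempt either way."""
    allowed = isinstance(value, bool) and in_scope(caller, tenant_id)
    audit.append({"actor": caller.subject, "role": caller.role, "tenant": tenant_id,
                  "flag": flag, "value": value, "allowed": allowed})
    if allowed:
        overrides.setdefault(tenant_id, {})[flag] = value
    return allowed
```

Denied attempts are recorded as well as successful ones, so a cross-tenant write attempt by an integrator admin shows up in the audit trail.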

Last Reviewed: 2026-02-05
Last Updated: 2026-04-14
