I am working on a multi-tenant app, if following approach appropriate: https://drawsql.app/connection01/diagrams/supabase-multi-tenant 1) User signup on my app (using auth.users table) a single user is created, no separate user per organization. 2) App shows them two tab: - Create a new Organization - List of organizations (they can select one and perform all CRUD stuffs as per RLS) 3) If they choose to create a new organization, a new organisation is created in

public.organizations

with created link to auth.users 4) All columns that contains organizations data contains two column

user_id

and

organization_id

5) RLS policies check if user is a member of the organization using

auth.users.raw_user_meta_data

Not sure how secure 5 is. Your image did not show. Is there one user per organization? If not you might consider a table organization_members where you have org_id and then array of user_id and do RLS on the auth.uid() being in that orgs user_id array. You can also do the opposite and have user_id with an array of org_ids. Your RLS should depend on secure tables, a user can technically change their meta data from the client.

A user will create organization and then invite other people to join the organization. So an organization is owned by one user but can have many user as it's member. User A can be a member of multiple organizations. I did not thought of the user can change his meta data part. I was trying to avoid creating separate table as I will have to run a select query for every db operation.

You can create a RLS rule to prevent a user from accessing any table once they have been removed from a organisation