Tenant vs. Realm

Airlock IAM supports two concepts to segregate users: Tenant and Realm. The following table compares the two concepts and their respective use cases:



Use case

  • Multiple IAM instances (or one instance with multiple contexts acting as distinct instances) share one database schema.

This use case allows saving costs if database pricing is based on database schema.

All IAM instances must always use the same IAM version.

  • One IAM instance with one database schema.

This use case supports the distributed administration of end-users in a shared application landscape.

User base

  • Suitable to manage end-users from different organizations.
  • Suitable to manage end-users from the same organization but from different organizational units.


  • Tenants are explicitly configured. Any change requires activating a new IAM configuration.
  • Realms are created at runtime and do not require to activate a new IAM configuration.


  • Strong segregation on the database layer over all tables and without exceptions.
  • Limited segregation on the software layer. Superadmins have access to all users and all realm administrators.
  • No segregation on the user level.


  • There is no Super Admin across tenants. Each tenant must be administered separately.
  • Super Admin can administer users across all realms.