User Story: Single Backend Instance Deployment for multiple tenants

[david-monichi]

User Story

As a CoMPAS infrastructure administrator

I want to deploy a single backend instance

So that the access and restriction for all resources and linked information are visible to a single departments/company users (single tenant).

The tenants are isolated from each other.

All information is linked to a specific tenant which by default has 2 options:

• if no authentication is enabled, a single hardcoded tenant "global" will be used
• if OIDC authentication is enabled, the name of the realm is used as tenant name

Acceptance criteria

• When authentication is disabled, all resources and SCL data are stored and retrieved under a single hardcoded tenant named "global".
• When OIDC authentication is enabled, the tenant name is automatically derived from the OIDC realm name.
• A single deployed backend instance is sufficient to serve all users within the company under the resolved tenant.
• All SCL data, types, and linked resources are scoped and isolated per tenant.
• No manual tenant configuration is required when deploying in no-auth mode ("global" tenant is applied automatically).
• The tenant resolution logic is covered by unit tests for both the no-auth and OIDC scenarios.
• Documentation is updated to reflect the tenant resolution behavior for single-tenant deployments.