# Enforce Organization Data Isolation
## Problem statement
Organizations must be [isolated](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/organization/isolation/): data and functionality across GitLab can never cross an Organization boundary.
This epic covers delineating the Organization boundary at the data level and enforcing that boundary across all parts of GitLab.

## How this will work
Organization Data Isolation is accomplished by three different features:

- [Organization Isolation Context](https://gitlab.com/groups/gitlab-org/-/work_items/18055): the application knows which organization a request (API call, web request) belongs to.
- [Organization Isolation State Tracking](https://gitlab.com/groups/gitlab-org/-/work_items/20979): the application knows that an organization is isolated, meaning it does not have references to other organizations (similar to GitLab Dedicated).
- [Organization Isolation Enforcement](https://gitlab.com/groups/gitlab-org/-/work_items/11838): the application prevents creating, reading or updating data related to other organizations.

These three features work together: we need to know **which** organization the user wants to access and we need to know the **state** of that organization (isolated or not). Based on that, we can **enforce** data isolation.
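
A minimal sketch of how the three features combine, added here as an illustration and not GitLab's own code. All class and method names are hypothetical, and it assumes that the boundary applies when either side of an access is isolated and that a request without an Organization context is rejected.

```ruby
require 'set'

class CrossOrganizationAccess < StandardError; end

# Context: the organization a request (API call, web request) belongs to.
RequestContext = Struct.new(:organization_id)

# Constructed sample row: every record carries its owning organization.
Record = Struct.new(:id, :organization_id)

# State tracking: which organizations are currently isolated.
class IsolationState
  def initialize(isolated_ids)
    @isolated = Set.new(isolated_ids)
  end

  def isolated?(organization_id)
    @isolated.include?(organization_id)
  end
end

# Enforcement: refuse to create, read or update records across the boundary.
class IsolationGuard
  def initialize(state)
    @state = state
  end

  # Returns the records unchanged when the access stays inside the boundary.
  def check!(context, records)
    current = context.organization_id
    # Assumption: fail closed when the request carries no organization.
    raise ArgumentError, 'request has no organization context' if current.nil?

    foreign = records.reject { |record| record.organization_id == current }
    return records if foreign.empty?

    # Assumption: the boundary binds if the requesting organization or any
    # organization owning a foreign record is isolated.
    involved = [current] + foreign.map(&:organization_id)
    if involved.any? { |id| @state.isolated?(id) }
      raise CrossOrganizationAccess,
            "records #{foreign.map(&:id)} are outside organization #{current}"
    end

    records
  end
end
```
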
## FY26Q3
- Deem a top-level group as being in an isolated state.
- Enforce isolation on that top-level group to maintain state integrity.
- Unsupported Organization actions will invalidate the isolation state.
- Enforce isolation on that Organization.

The following secondary targets will also be in place:

- Organization scoped paths: All necessary paths that don't define an Organization Context within the path, params, or headers will be modified to do so.
## Exit criteria
- All execution paths will be isolated within an Organization context.
- All database tables will be sharded.
- Organization data isolation will be validated and enforced to a level that satisfies the ProtoCells exit criteria.
## DRI
@rutgerwessels
## Links
- https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184361+
<!-- STATUS NOTE START -->
## Status 2026-06-18
Not much happened this week. Priority is now getting the Organizations feature ready for Artifact Registry launch.
:clock1: 0
:done: **Done**
- Organization Isolation State Tracking
- https://gitlab.com/gitlab-org/gitlab/-/work_items/577780+ is merged. This will verify that an isolated organization is still isolated.
:man_running: **In progress**:
- Implement Application Level Organization data isolation:
- MR for supporting complex queries (see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226040), fixed the Rust compilation step. The implementation of this Rust compilation step needs some changes which are under discussion.
- https://gitlab.com/gitlab-org/gitlab/-/work_items/595727+ The rollout plan is being worked on. Everything is now behind a feature flag and impact is not easy to predict.
:track_next: **Next**
- Analyze issues with joining namespaces / projects tables (https://gitlab.com/gitlab-org/gitlab/-/work_items/601744+)
- https://gitlab.com/groups/gitlab-org/-/work_items/19415+
_Copied from https://gitlab.com/groups/gitlab-org/-/epics/17388#note_3467363248_
<!-- STATUS NOTE END -->