diff --git a/api/src/db/neo4jDriver.js b/api/src/db/neo4jDriver.js
index cd6e18e2..310f184e 100644
--- a/api/src/db/neo4jDriver.js
+++ b/api/src/db/neo4jDriver.js
@@ -11,6 +11,9 @@ const driver = neo4j.driver(
   ),
 );
+// TODO: run migrations here maybe? store "version" in a node with a specific
+// label, if that number is too low then run upgrade migrations
+
 // TODO: Run driver.close() when node app exits.
 export default driver;
diff --git a/api/src/graphql/authorization/index.js b/api/src/graphql/authorization/index.js
index e658e600..ad6ee320 100644
--- a/api/src/graphql/authorization/index.js
+++ b/api/src/graphql/authorization/index.js
@@ -11,3 +11,13 @@ export const isAdmin = combineResolvers(
     return (user && user.role === 'admin') ? skip : new Error('Not authorized');
   },
 );
+
+export const isAuthorized = combineResolvers(
+  isAuthenticated,
+  (obj, args, { user }) => {
+    if (user.tenantId === 'placeholder') {
+      return skip;
+    }
+    return new Error('Unauthorized access');
+  },
+);
diff --git a/api/src/graphql/resolvers/index.js b/api/src/graphql/resolvers/index.js
index f1f002e5..afec0157 100644
--- a/api/src/graphql/resolvers/index.js
+++ b/api/src/graphql/resolvers/index.js
@@ -23,7 +23,7 @@ import {
   searchRealities,
   getEmailData,
 } from '../connectors';
-import { isAuthenticated } from '../authorization';
+import { isAuthenticated, isAuthorized } from '../authorization';
 import { sendUpdateMail } from '../../email/mailService';
 
 const notify = (process.env.EMAIL_NOTIFICATIONS === 'enabled');
@@ -169,7 +169,7 @@ const resolvers = {
       },
     ),
     updateResponsibility: combineResolvers(
-      isAuthenticated,
+      isAuthorized,
       async (obj, args, { driver, user }) => {
         const emailData = await getEmailData(driver, args);
         const responsibility = await updateReality(driver, args);
diff --git a/api/src/index.js b/api/src/index.js
index 8457e099..d76b232b 100644
--- a/api/src/index.js
+++ b/api/src/index.js
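Review bot: `isAuthorized` compares `user.tenantId` with the literal `'placeholder'`, and `getUser` in this same commit assigns that literal to every user, so the check admits every authenticated caller and enforces nothing beyond `isAuthenticated`; the same holds where `updateResponsibility` is switched from `isAuthenticated` to `isAuthorized` in the resolvers hunk. A tenant check has to compare the caller's tenant with the tenant that owns the resource identified by `args`, which means the resolver must load that resource (or its tenant) before deciding, rather than testing the caller's field against a constant. Until that exists, the stub should say so in a comment such as `// STUB: tenantId is always 'placeholder' (see getUser), so this admits all authenticated users` so nobody reads the name as enforced isolation. The message `'Unauthorized access'` also differs from `isAdmin`'s `'Not authorized'` three lines above; one wording keeps client-side handling consistent.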
@@ -39,6 +39,7 @@ function getUser(user) {
     {
       email: user['https://realities.platoproject.org/email'],
       role: user['https://realities.platoproject.org/role'],
+      tenantId: 'placeholder',
     },
   );
 }
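Review bot: `tenantId` is the only field in this object that is a literal rather than a claim read from the token, while `email` and `role` on the lines above come from the namespaced `user[...]` keys. If tenant membership is going to gate mutations, it has to be sourced from a verified claim in the same way (under a namespaced key of the project's choosing, `<tenant claim key>` standing in here), because a value assigned server-side to every user cannot distinguish one tenant from another. Until such a claim exists, writing the line as `tenantId: 'placeholder', // STUB: not a real tenant; every user receives this value` keeps the limitation visible at the one place it is set. `getUser` begins outside the hunk.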