In a DDD architecture, on what layer is security (access control) implemented? What would the structure look like?
Hello,
The security part must be in place before the domain events are created. It is not recommended to leave the security part to the interface, because you will end up with code repetition.
Let's use the following user story:
The user can edit their own profile
We would have the following Domain Model example:
    class UsuarioService {
        void editarPerfil(EditarUsuarioCommand command) {
            Usuario usuario = usuarioRepository.getOneById(command.id);
            usuario.alterarNome(command.nome);
        }
    }
Access control should happen before the call to UsuarioService.editarPerfil().
Alternatives for performing this access control:
(IBAC) identity-based access control list - recommended when we have a list of users and permissions
    class UsuarioService {
        @AccessControlList[listaUsuarios]
        void editarPerfil(EditarUsuarioCommand command) { ... }
    }
(LBAC) level-based access control - recommended for access levels
    @possesses[level=5]
    userTeste

    class UsuarioService {
        @requires(level>=3)
        void editarPerfil(EditarUsuarioCommand command) { ... }
    }
(RBAC) role-based access control
    @roles[admin]
    userTest

    class UsuarioService {
        @requires(role=admin)
        void editarPerfil(EditarUsuarioCommand command) { ... }
    }
Sources
More about access control models here
DDD Security Discussion here
DDD Security Question here
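The structure described in the answer, as an added example that is not part of the original post: the domain entity (Usuario) carries business rules only, and the access-control checks are attached to the application service so they run before the repository or the entity is touched. It is written in Python rather than the Java-like pseudocode above; the decorator names (guard, has_role, min_level, in_list, is_owner), the Principal type and the in-memory repository are assumptions for the example, standing in for the IBAC, LBAC and RBAC annotations in the answer. The three checks are combined with a small any_of helper so the user story ("a user edits their own profile, or an admin does it for them") can be expressed on one method.

```python
from dataclasses import dataclass
from functools import wraps


class AccessDenied(Exception):
    """Raised by the application layer before any domain code runs."""


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as resolved by the interface layer (assumed type)."""
    id: str
    roles: frozenset = frozenset()
    level: int = 0


@dataclass(frozen=True)
class EditarUsuarioCommand:
    id: str
    nome: str


@dataclass
class Usuario:
    """Domain entity: business rules only, no knowledge of who is calling."""
    id: str
    nome: str

    def alterar_nome(self, nome: str) -> None:
        if not nome.strip():
            raise ValueError("nome must not be blank")
        self.nome = nome


class UsuarioRepository:
    """In-memory stand-in (constructed); counts reads so the test can show that a
    denied call never reaches the domain."""

    def __init__(self, usuarios):
        self._por_id = {u.id: u for u in usuarios}
        self.reads = 0

    def get_one_by_id(self, id: str) -> Usuario:
        self.reads += 1
        return self._por_id[id]


# Access control at the application-service boundary. A check is any callable
# (principal, command) -> bool; guard runs them before the decorated body.
def guard(*checks):
    def decorator(fn):
        @wraps(fn)
        def wrapper(self, principal, command):
            for check in checks:
                if not check(principal, command):
                    raise AccessDenied(
                        f"{principal.id} denied {fn.__name__}: {check.__name__} failed")
            return fn(self, principal, command)
        return wrapper
    return decorator


def has_role(role):                      # RBAC, like @requires(role=admin)
    def check(principal, command):
        return role in principal.roles
    check.__name__ = f"has_role({role})"
    return check


def min_level(minimum):                  # LBAC, like @requires(level>=3)
    def check(principal, command):
        return principal.level >= minimum
    check.__name__ = f"min_level({minimum})"
    return check


def in_list(*ids):                       # IBAC, like @AccessControlList[listaUsuarios]
    allowed = frozenset(ids)
    def check(principal, command):
        return principal.id in allowed
    check.__name__ = "in_list"
    return check


def is_owner(principal, command):        # the user story: edit your own profile
    return principal.id == command.id


def any_of(*checks):
    def check(principal, command):
        return any(c(principal, command) for c in checks)
    check.__name__ = "any_of(" + ", ".join(c.__name__ for c in checks) + ")"
    return check


class UsuarioService:
    """Application service: the only layer that knows about the caller."""

    def __init__(self, repo: UsuarioRepository):
        self._repo = repo

    @guard(any_of(is_owner, has_role("admin")))
    def editar_perfil(self, principal: Principal, command: EditarUsuarioCommand) -> Usuario:
        usuario = self._repo.get_one_by_id(command.id)
        usuario.alterar_nome(command.nome)
        return usuario


def demo():
    """Constructed scenario: an owner edit, an admin edit and a denied edit."""
    repo = UsuarioRepository([Usuario("u1", "Ana"), Usuario("u2", "Bruno")])
    service = UsuarioService(repo)
    ana = Principal("u1")
    admin = Principal("root", roles=frozenset({"admin"}), level=5)
    out = {}
    out["owner"] = service.editar_perfil(ana, EditarUsuarioCommand("u1", "Ana Paula")).nome
    out["admin"] = service.editar_perfil(admin, EditarUsuarioCommand("u2", "Bruno Lima")).nome
    try:
        service.editar_perfil(ana, EditarUsuarioCommand("u2", "Mallory"))
        out["other"] = "allowed"
    except AccessDenied:
        out["other"] = "denied"
    out["reads"] = repo.reads                 # 2: the denied call never hit the repository
    out["u2"] = repo.get_one_by_id("u2").nome  # u2 keeps the admin's edit
    return out


if __name__ == "__main__":
    print(demo())
```

Because the checks are ordinary callables, the same guard can be reused on every application service, which is the code-repetition problem the answer warns about when the check lives in each interface adapter instead.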