Security in Domain driven design

Asked

Viewed 259 times

11

On a DDD architecture, what layer does security (access control) implement? What would the structure look like?

  • The access control belongs to the application layer. In this layer is treated which visions and services (speaking of services facade to the interface and not the standard services) the user or other system has access permission. I did not understand the question about the structure. If you want to know how technically this is implemented it is necessary to inform the platform you use and the type of system you are developing.

1 answer

1

Hello,

The security part should stay before the creation of the domain events. It is not recommended to leave the security part to interface as you will have code repetition.

We will use the following use case (user story):

O usuário pode editar seu perfil

We would have the following example Domain Model:

UsuarioService
editarperfil(EditarUsuarioCommand command)
    Usuario usuario = usuarioRepository.getOneById(command.id)
    usuario.alterarNome(command.nome)

Access control should stay before the call UsuarioService.editarPerfil()

Alternatives to perform this access control:

  • (IBAC) based on identity list - recommended for when we have the list of users and permissions

    UsuarioService
       @AccessControlList[listaUsuarios]
       editarperfil(EditarUsuarioCommand command)
    
  • (LBAC) recommended for access levels

         @posseses[level=5]
         userteste
    
        UserService
            @requires(level>=3)
            editarperfil(EditarUsuarioCommand command)
    
  • (RBAC) based on roles

        @roles[admin]
        userTest
    
        UsuarioService
            @requires(role=admin)
            editarperfil(EditarUsuarioCommand command)
    

Sources

More about access models here

Discussion on DDD safety here

Question about safety in Ddds here

  • Hello. It would be correct to do in Cross Cutting or should be in below?

  • Regarding user and role as would?

  • 1

    The idea is to leave the authentication in the cross Cutting layer, by the greater isolation and reuse.

  • And what would the structure look like? I ask this because it has the entities and viewmodels, repositories and etc

Browser other questions tagged

You are not signed in. Login or sign up in order to post.