Access control via configuration
Closed this issue · 0 comments
gogit commented
Framework should apply access control using configuration supplied by a bounded context.
The framework must not delegate the access control decision logic to the bounded context.
Explicitly define the format of the config file/db table containing the mappings between
users <-> groups <-> roles
roles <-> endpoints
roles <-> entities
roles <-> entity attributes
i.e. both coarse- and fine-grained access control.
Framework picks up the config from the designated location and applies access control using Drools via interceptors or annotations.
Access control decisions within a bounded context use the config supplied by the bounded context but the code is from the framework, enabling consistent approach across all contexts.
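One possible shape for the mappings listed in the issue, with a framework-side, deny-by-default evaluation over them, as an added example (not part of the original issue or the project's code). The record layout, sample names and methods are hypothetical, roles <-> entities is folded into the attribute map, and plain Java stands in for the Drools rules the issue proposes.

```java
import java.util.*;

// Added sketch: hypothetical config shape and evaluator, not the framework's code.
public class AccessControlSketch {
    // The mappings a bounded context would supply; the context ships data only.
    record Config(Map<String, Set<String>> userGroups,
                  Map<String, Set<String>> groupRoles,
                  Map<String, Set<String>> roleEndpoints,
                  Map<String, Map<String, Set<String>>> roleEntityAttrs) {}

    // Constructed sample config for an imaginary "orders" context.
    static final Config ORDERS = new Config(
        Map.of("alice", Set.of("clerks"), "bob", Set.of("auditors")),
        Map.of("clerks", Set.of("order-editor"), "auditors", Set.of("order-viewer")),
        Map.of("order-editor", Set.of("GET /orders", "POST /orders"),
               "order-viewer", Set.of("GET /orders")),
        Map.of("order-editor", Map.of("Order", Set.of("id", "status", "total")),
               "order-viewer", Map.of("Order", Set.of("id", "status"))));

    // users -> groups -> roles; unknown users or groups resolve to no roles.
    static Set<String> rolesOf(Config c, String user) {
        Set<String> roles = new TreeSet<>();
        for (String g : c.userGroups().getOrDefault(user, Set.of()))
            roles.addAll(c.groupRoles().getOrDefault(g, Set.of()));
        return roles;
    }

    // Coarse-grained check: deny unless one of the user's roles lists the endpoint.
    static boolean mayCall(Config c, String user, String endpoint) {
        return rolesOf(c, user).stream()
            .anyMatch(r -> c.roleEndpoints().getOrDefault(r, Set.of()).contains(endpoint));
    }

    // Fine-grained check: union of attributes the user's roles grant on an entity.
    // An empty result means the user has no access to the entity at all.
    static Set<String> visibleAttrs(Config c, String user, String entity) {
        Set<String> attrs = new TreeSet<>();
        for (String r : rolesOf(c, user))
            attrs.addAll(c.roleEntityAttrs().getOrDefault(r, Map.of())
                          .getOrDefault(entity, Set.of()));
        return attrs;
    }

    public static void main(String[] args) {
        System.out.println(mayCall(ORDERS, "bob", "POST /orders"));    // viewer role only
        System.out.println(visibleAttrs(ORDERS, "bob", "Order"));      // attribute filter
        System.out.println(mayCall(ORDERS, "mallory", "GET /orders")); // user not in config
    }
}
```

Because the decision methods live in one place and take only the supplied `Config`, a context cannot widen access by changing code, only by changing reviewed configuration.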