Domain Driven Design and Security

Question

This is linked to this question which seems to have asked a while back. Security implementation in a project that is adhering to basic principles of Domain driven design. let me give an example

Banking System:
Use Case: A new bank deposit is being made and requires approval as it is first deposit

a. Clerk can auto authorize if the deposit amount is <5000
b. Manager can be of two types - Bank manager / Account Manager. ONLY Account manager can authorize any accounts that have deposit >5000

My concerns are as follows (Pls correct if the concern itself is correct)

1. Not sure where should i build this following logic - takes care of checking whether the logged on user has authorization to do certain things taking in to account his title - (this case Account manager). Authorizing is a use case, but the security layer seems to have intimate knowledge on the domain object
2. In general Authorization (not authentication). I know that Role Based authentication would help, but the question is "where" - in which layer and the call flow. Should the UI layer call on some security layer or would the domain layer validate itself for all possible combinations ?

Please help. Its very confusing.

Bump to see if this gets experts notice

Cheers

Answer 1

Security is a cross-cutting design feature which can affect all classes, methods and properties.

From a DDD perspective you would go with specifications and roles.

Where and how those specifications get implemented comes down to your architecture. You could go with aspects, you could go with in-line calls, events, etc.

Here are some links I would check out regarding security and roles:

• Security
• Roles
• RBAC