DDD User-Domain specific settings

Question

I am currently developing micro service responsible for authentication (bounded context responsible for identity and permissions). We have specific settings based on user roles which are tied to another domains, but used to generate tokens

(something like this https://developer.zendesk.com/rest_api/docs/core/custom_roles)

For an example

role_can_write_booking: true,
fetch_products_type : "all/forUsersCompanyOnly"

etc.

Should I persist this information as a part of Identity BC, or each domain should persist it's part of settings. Example: role_can_write_booking : true inside Booking Bounded Context, fetch_products_type : "all/forUsersCompanyOnly" inside Booking products bounded context. ?

Answer 1

It depends. There are trade-offs either way. If you store all the information inside the identity context then it needs to have knowledge of all the other contexts and needs to change whenever some permission or access rule changes in any context. If each context manages its own permission rules then they only need to know about themselves.

You also need to consider how things are managed. Is there a concept of centrally managing roles and permissions?

It also depends on how course or fine-grained the roles need to be and how complex the domain is in terms of identity / roles / permissions etc.

If you have very course-grained roles (I.e. 'Administrator', 'User') then I'd probably do something along the lines of having the identity context manage user accounts and roles, but leave the permissions side of things to each individual context. I.e 'here's an authenticated user with roles X and Y' then each individual context determines what this allows.