Domain-Driven Design with different roles

Question

I am new to DDD. I want to build an application implementing DDD, but I have a problem with the Roles.

The application has many roles like customer, admin, etc. The admin can create, edit, and delete post. The customer can only comment on the post.

Base on that description, I think the post should have different methods in those 2 different contexts. Should I create 2 directories for those 2 roles and duplicate the post in each directory?

Thanks a lot!

Answer 1

There are different domains and there are different bounded contexts.

Your core domain that effects business state changes is only concerned with how to implement those mutations. It is not terribly concerned about security or access control.

Your application/integration layer is the gatekeeper and decides who gets to call what on the domain. For that you may even use another Identity and Access Management (IAM) bounded context which manages the authorisation.

As an example I like to use a physical calculator to represent my domain. I can access absolutely any and all functions on the calculator. Something outside of the calculator would need to determine which buttons I can press. I hope that makes sense.

Answer 2

I'm not sure you would need to distinguish between posts in different roles. Off the top of my head, it seems potentially practical to:

• include the role as an argument with the operations on posts, so that a post can reject an attempt by a customer to edit/delete a post.

• route the operation through the user, which validates that its role allows the operation.

Those can be elaborated on and could be combined.