Reputation: 23472
I read the answer to the following question: Domain Driven Design and Security but I wasn't satisfied with the answer.
Access to methods or commands is simple, that you could probably just restrict on role or something similar. A simplified example where the command is valid for both a user in role A or B if x < 100, but only valid for user B if x >= 100, where x is a parameter in the command. Where should that check go? Should the application check the parameters before executing the command or should the domain be aware of roles and such?
Do I make myself clear?
Upvotes: 1
Views: 866
Reputation: 16358
Is this a concern of the command? I mean does the security check fit naturally within the domain? When a command has the same intention all over the bounded context, then I think the corresponding aggregate root should ensure its validity in a specific context.
The scenario you've mentioned sounds to me like business rules and not a simple check for rights. So I'd place the check at the domain level as part of the AR.
I'd check within the infrastructure layer as well, if a user can perform the command, but that's to handle a rejection gracefully. Something like this:
// Load the aggregate root, then ask it whether this user may run the command.
var ar = repository.Get(id);
if (ar.CanAddMoney(User, amount)) ar.AddMoney(amount, User);
else handleForbiddenAction();
Of course this is a very vague solution to a vague problem. It depends so much on the complexity of the domain, that I guess the only valid answer is: 'it depends'.
In fact, to answer the title directly, the security in DDD is expressed as a valid model.
Upvotes: 3
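An added example, not part of the answer above: the question's rule (roles A and B when x < 100, only role B when x >= 100) enforced inside the aggregate root, with the outer-layer pre-check used only to reject gracefully. The names Account, Actor, Role, Role.Other and ForbiddenActionException are assumptions made for illustration, and the argument order is unified to (actor, amount).

```csharp
using System;

public enum Role { A, B, Other } // Other: hypothetical role that holds neither right
public sealed record Actor(string Name, Role Role);
public sealed class ForbiddenActionException : Exception
{
    public ForbiddenActionException(string message) : base(message) { }
}

// Aggregate root: the authorization rule lives next to the state it protects.
public sealed class Account
{
    private const decimal RoleBThreshold = 100m; // the question's "x >= 100" boundary
    public decimal Balance { get; private set; }

    // Side-effect-free query so outer layers can reject before issuing the command.
    public bool CanAddMoney(Actor actor, decimal amount)
    {
        if (actor is null) return false; // no identity, no access
        return amount < RoleBThreshold
            ? actor.Role is Role.A or Role.B
            : actor.Role is Role.B;
    }

    // The command re-checks, so a caller that skips CanAddMoney cannot bypass the rule.
    public void AddMoney(Actor actor, decimal amount)
    {
        if (!CanAddMoney(actor, amount))
            throw new ForbiddenActionException(
                $"{actor?.Name ?? "unknown"} may not add {amount}");
        Balance += amount;
    }
}

public static class Program
{
    public static void Main()
    {
        var account = new Account();
        var alice = new Actor("alice", Role.A); // constructed sample users
        var bob = new Actor("bob", Role.B);
        account.AddMoney(alice, 99m);  // role A, x < 100
        account.AddMoney(bob, 100m);   // role B, x >= 100
        if (!account.CanAddMoney(alice, 100m)) Console.WriteLine("rejected in pre-check");
        try { account.AddMoney(alice, 100m); } // pre-check skipped on purpose
        catch (ForbiddenActionException e) { Console.WriteLine($"domain refused: {e.Message}"); }
        Console.WriteLine($"balance: {account.Balance}");
    }
}
```

Because the throwing check sits in the command itself, a new entry point that omits the pre-check fails closed rather than silently allowing the operation.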