A challenge we faced within several bounded contexts was how to implement access control, i.e. how to prevent users from gaining access to data that they should not be able to see.
Access control basically works by restricting what users are allowed to view dependent on which organisation they belong to. When a user is created within the system, they are associated with an organisation, and both the user and the organisation information are persisted within the bounded context in question.
Every entity and CloudSearch document that is persisted within the bounded context will have an attribute that corresponds to the organisation that owns the data. This is achieved by retrieving the organisation that is attached to the currently logged on user and persisting it along with all of the other attributes.
Having this information at hand, it is then relatively easy to implement access control.
When we attempt to retrieve an entity from DynamoDB, we simply ensure that the organisation attached to the entity is the same as the one associated with the user in context. If they match, the user can see the data in question; if not, the data is not returned, and the user has therefore been prevented from accessing data that belongs to another organisation.
A similar solution had to be applied to CloudSearch queries. When we build up the Lucene query, we simply append an extra parameter to the end that restricts the returned documents to those with the same organisation as the user in context.
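The two checks described above (the organisation comparison on DynamoDB retrieval and the organisation filter appended to the CloudSearch query) are illustrated in the following example. It is added here and is not the original project's code: the in-memory `TABLE` standing in for DynamoDB, the `UserContext` type, the `organisation` attribute name and the `q` / `q.parser` / `fq` request parameters are all assumptions made for the illustration.

```python
"""Organisation-scoped access control, as an added illustration of the pattern
the post describes (not the original project's code). The table, user context,
field names and query parameters below are assumptions made for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the DynamoDB table: every item
# carries an `organisation` attribute written at persistence time.
TABLE = {
    "inv-1": {"id": "inv-1", "organisation": "org-a", "total": 120},
    "inv-2": {"id": "inv-2", "organisation": "org-b", "total": 300},
}


@dataclass(frozen=True)
class UserContext:
    """The currently logged-on user and the organisation they belong to."""
    user_id: str
    organisation: str


def persist_entity(table: dict, ctx: UserContext, item: dict) -> dict:
    """Stamp the entity with the organisation of the user in context before saving.
    The value is taken from the context, never from the caller-supplied item."""
    stored = {**item, "organisation": ctx.organisation}
    table[stored["id"]] = stored
    return stored


def get_entity(table: dict, ctx: UserContext, entity_id: str) -> Optional[dict]:
    """Return the entity only if it belongs to the caller's organisation.
    A mismatch is indistinguishable from a missing item, so the existence of
    another organisation's data is not revealed to the caller."""
    item = table.get(entity_id)
    if item is None or item.get("organisation") != ctx.organisation:
        return None
    return item


def organisation_filter(ctx: UserContext) -> str:
    """Structured filter-query term restricting results to one organisation.
    Backslashes and single quotes in the value are escaped so the organisation
    name cannot alter the structure of the filter."""
    safe = ctx.organisation.replace("\\", "\\\\").replace("'", "\\'")
    return f"organisation:'{safe}'"


def build_search_request(ctx: UserContext, user_query: str) -> dict:
    """Combine the caller's query with the organisation filter. The filter is
    sent as a separate `fq` parameter rather than concatenated into `q`, so
    the user's own query text cannot override it."""
    return {
        "q": user_query,
        "q.parser": "structured",
        "fq": organisation_filter(ctx),
    }


if __name__ == "__main__":
    alice = UserContext("alice", "org-a")
    bob = UserContext("bob", "org-b")
    print(get_entity(TABLE, alice, "inv-1"))   # alice's own organisation: returned
    print(get_entity(TABLE, bob, "inv-1"))     # another organisation: None
    print(build_search_request(alice, "(term field=status 'open')"))
```

Keeping the organisation filter in a separate request parameter, and stamping the organisation from the user context rather than from client input, are the two details that make the pattern hold regardless of what the UI sends.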
The solution we adopted for access control is embedded into the domain of the system, which ensures that any new functionality added can make use of it with little effort. It also takes the burden away from the UI having to deal with this constraint.