http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660What is done in here is an ETL integrated straight into a db engine, isn't? No external messaging systems needed. Pure pub/sub by specifying what should be published where. Nice http://ayende.com/4768/distributed-authorization-with-ravendb#comment6http://ayende.com/4768/distributed-authorization-with-ravendb#comment6Fri, 18 Feb 2011 08:52:09 GMTThis kind of reminds me of two bounded contexts that could be "related" through some messaging and events. Couldn't the situation be handled that way? http://ayende.com/4768/distributed-authorization-with-ravendb#comment5http://ayende.com/4768/distributed-authorization-with-ravendb#comment5Fri, 18 Feb 2011 08:26:35 GMTre: "enterprise rules" - in some cases you are _required_ to shard sensitive data. http://ayende.com/4768/distributed-authorization-with-ravendb#comment4http://ayende.com/4768/distributed-authorization-with-ravendb#comment4Thu, 17 Feb 2011 19:04:30 GMTRobert, In most cases, the number of services is limited, a service is an organization function, and they don't have a lot. The auth logic is the same, it is a shared dll used everywhere. As for the data you are replicating, you aren't replicating personal info, you are replicating permissions info http://ayende.com/4768/distributed-authorization-with-ravendb#comment3http://ayende.com/4768/distributed-authorization-with-ravendb#comment3Thu, 17 Feb 2011 18:23:33 GMTWouldn't this method of replicating the actual data store become somehow unmanageable if you have a more than trivial number of services or if authentication and authorization logic is based on business rules and data written in code? I am thinking that it would become quite expensive to maintain the same or different logic against all services. For example, I want to block access to three services for all users younger than 18 years old. Maybe the Accounts datastore just stores the birthdate and the authorization service needs to compute the age of the user. Wouldn't this mean that I need to change all three services application code in order to implement this rule? Another point to challenge would be the "enterprise rules", where you are not allowed to distribute potentially sensitive data like Accounts to any backend system even if it belongs to you. http://ayende.com/4768/distributed-authorization-with-ravendb#comment2http://ayende.com/4768/distributed-authorization-with-ravendb#comment2Thu, 17 Feb 2011 18:17:18 GMTI'm grinning ear to ear - that is soooooo elegant - even if i say so myself!! love it!! :) http://ayende.com/4768/distributed-authorization-with-ravendb#comment1http://ayende.com/4768/distributed-authorization-with-ravendb#comment1Thu, 17 Feb 2011 16:27:41 GMT