Suppose I have a complex system where there large trees of people. Simple thoughts are employees / manager relationship, many employees report to one manager. Now in addition to manager there are support staff that are capable of acting on the behalf of the manager can manipulate the managers’ employees.

In a CQRS system how would you model a message for a hypothetical action of “edit employee” where the invoker of the action is a support staff. The action can only succeed if the staff member as per the manager security relationship is acting upon an employee in their realm.

Verifying the security of this would involve querying the database to validate that the person being modified is indeed inside the employee chain of that manager.

Where would this query occur? Prior to originating the “edit employee” message?

If the data is upfront validated before originating the message, in an eventually consistent system suppose that before the “edit employee” message has been processed a separate action has occurred that would have removed the authority of the user to complete the “edit employee” action. If the the command handler doesn’t validate the security concerns of that message, the message would still succeed even though the user no longer the authority to execute it.

This would seem to imply that double sided validation, similar to UI validation & server side validation would be the best course of action. However the method of completing that validation seems as though it would violate key tenets to CQRS.

What approach(es) are best when having to deal with these and other similar cross cutting concerns when using CQRS?