The question I have is that of securing documents across services using RavenDb and the Authorization bundle:
I have an ‘Account’ service which is responsible for managing all things ‘user’.
I have a ‘Messaging’ service which is responsible for all things ‘messaging’ i.e. wall posts, conversations etc.
To trace who did what in this service, when a new message is posted I create the message and two UserProxy objects (cut-down User objects which only have UserId and UserName properties; these are stored as child objects on the WallPost doc so they aren't documents in their own right).
When a user posts something to another user's wall I only want to allow:
- delete/edit to the original poster, the recipient and admins
- view to original poster, recipient, admins and all friends of the recipient
I also have a Media service which is responsible for images/video, and a MusicEvent service for all things music event; they all need to have a similar setup.
My question is this:
- Should the Account service store the master User with Roles and Permissions? When it is asked for a user it can send back a DTO with the roles and permissions (could get chunky).
- Should the Messaging service maintain its own copy of a User, with its own set of roles and permissions?
The first is simpler moving forward as it's centralised, but looks a bit dodgy to me.
The second is probably better, but the issue comes when the AccountService changes the username. I can send an event to the ESB and have all the relevant services pick it up and take care of the update, but that sounds complicated.
FTR, I'm swaying to option 2, the non-centralised method.
Ayende answered this for me quite nicely on his blog:
http://ayende.com/Blog/archive/2011/02/17/distributed-authorization-with-ravendb.aspx
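The rules the post lists (edit/delete for the original poster, the recipient and admins; view for those plus all friends of the recipient) are easy to pin down in code, and doing so makes the denormalisation trade-off concrete. The following is an added example, written for this page and not taken from the original post, from Ayende's blog, or from the RavenDB Authorization bundle; all class and function names (UserProxy, WallPost, Actor, can_edit, can_view, apply_username_changed, the "admin" role name) and the sample users and posts are constructed for illustration. The point it shows is that every decision keys on UserId, never on the embedded UserName, so a stale name in a UserProxy copy is only a display problem, and the UsernameChanged handler from the ESB only needs to rewrite the embedded copies.

```python
"""Authorization rules for a WallPost whose poster/recipient are embedded
UserProxy copies. Hypothetical names; not the RavenDB Authorization bundle API."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable

ADMIN_ROLE = "admin"  # assumed role name


@dataclass(frozen=True)
class UserProxy:
    """Cut-down User embedded in a document: only the id and a display name."""
    user_id: str
    user_name: str


@dataclass
class WallPost:
    post_id: str
    poster: UserProxy
    recipient: UserProxy
    body: str


@dataclass(frozen=True)
class Actor:
    """The authenticated caller as the Messaging service sees it."""
    user_id: str
    roles: FrozenSet[str] = frozenset()


# user_id -> ids of that user's friends (would come from the Account service)
FriendLookup = Callable[[str], FrozenSet[str]]


def can_edit(actor: Actor, post: WallPost) -> bool:
    """Delete/edit: original poster, recipient, or an admin.
    Decisions key on user_id only, never on the denormalised user_name."""
    if ADMIN_ROLE in actor.roles:
        return True
    return actor.user_id in (post.poster.user_id, post.recipient.user_id)


def can_view(actor: Actor, post: WallPost, friends_of: FriendLookup) -> bool:
    """View: everyone who may edit, plus all friends of the recipient."""
    if can_edit(actor, post):
        return True
    return actor.user_id in friends_of(post.recipient.user_id)


def apply_username_changed(posts: Iterable[WallPost], user_id: str, new_name: str) -> int:
    """Handle a UsernameChanged event by rewriting every embedded UserProxy
    for that user. Returns the number of proxies rewritten."""
    touched = 0
    for post in posts:
        if post.poster.user_id == user_id:
            post.poster = UserProxy(user_id, new_name)
            touched += 1
        if post.recipient.user_id == user_id:
            post.recipient = UserProxy(user_id, new_name)
            touched += 1
    return touched


# Constructed sample data (not from the original post).
ALICE = UserProxy("users/1", "alice")
BOB = UserProxy("users/2", "bob")
POSTS = [
    WallPost("wallposts/1", poster=ALICE, recipient=BOB, body="hi bob"),
    WallPost("wallposts/2", poster=BOB, recipient=BOB, body="note to self"),
]
FRIENDS = {"users/2": frozenset({"users/3"})}  # carol (users/3) is bob's friend


def friends_of(user_id: str) -> FrozenSet[str]:
    return FRIENDS.get(user_id, frozenset())


def decisions(post: WallPost) -> dict:
    """Evaluate (can_view, can_edit) for a fixed set of actors against one post."""
    actors = {
        "alice": Actor("users/1"),                          # original poster
        "bob": Actor("users/2"),                            # recipient
        "carol": Actor("users/3"),                          # friend of recipient
        "dave": Actor("users/4"),                           # unrelated user
        "admin": Actor("users/99", frozenset({ADMIN_ROLE})),
    }
    return {name: (can_view(a, post, friends_of), can_edit(a, post))
            for name, a in actors.items()}


if __name__ == "__main__":
    for post in POSTS:
        print(post.post_id, decisions(post))
    # Simulate the Account service renaming bob; authorization is unaffected.
    apply_username_changed(POSTS, "users/2", "robert")
    print(POSTS[0].recipient, can_edit(Actor("users/2"), POSTS[0]))
```

The friend lookup is the one input the Messaging service cannot answer from its own documents, which is why the "view" rule, unlike "edit", still needs either a call to the Account service or a locally maintained copy of the friend list kept in sync by the same kind of event.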