Authorisation in microservices - how to approach domain object or entity level access control using ACL?

旧巷少年郎 2021-02-05 11:57

I am currently building a microservices-based system on Java Spring Cloud. Some microservices use PostgreSQL and some of them MongoDB. REST and JMS are used for communication. The

1 answer
  • 2021-02-05 12:32

    I don't have a full and clear picture of your authorization requirements. I'm assuming a correlation between authenticated users and domain object/entity permissions.

    One option to consider is to define user attributes corresponding to your domain object/entity permissions, and implement an Attribute-based Access Control (ABAC) policy.

    The attributes are tied to and stored with the user's identity in your repository, and retrieved when performing your authentication.

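
The ABAC approach from the answer above, as an added example that is not part of the original post or the answerer's code: attributes stored with the user's identity are compared against attributes of the domain object, with deny as the default. The attribute names (`permissions`, `departments`), the `Subject` and `Resource` types and both rules are assumptions made for illustration; it uses plain Java 16+ records with no Spring dependency.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; every name here is hypothetical, not from the original post.
public class AbacExample {

    // Attributes stored with the user's identity and loaded at authentication
    // (for example, copied into token claims by the identity service).
    record Subject(String userId, Map<String, Set<String>> attributes) {
        Set<String> values(String name) {
            return attributes.getOrDefault(name, Set.of());
        }
    }

    // Attributes of the domain object, owned by the microservice that stores it.
    record Resource(String type, String id, String ownerId, String department) {}

    // Deny by default: access is granted only when a rule matches explicitly.
    static boolean isPermitted(Subject s, String action, Resource r) {
        // Rule 1: the user holds the "<type>:<action>" permission attribute
        // and belongs to the department the object is assigned to.
        boolean hasPermission = s.values("permissions").contains(r.type() + ":" + action);
        boolean sameDepartment = s.values("departments").contains(r.department());
        if (hasPermission && sameDepartment) {
            return true;
        }
        // Rule 2: owners may read their own objects.
        return "read".equals(action) && s.userId().equals(r.ownerId());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Subject alice = new Subject("alice", Map.of(
                "permissions", Set.of("invoice:read", "invoice:update"),
                "departments", Set.of("finance")));
        Subject bob = new Subject("bob", Map.of(
                "permissions", Set.of("invoice:read"),
                "departments", Set.of("sales")));
        Resource invoice = new Resource("invoice", "inv-1001", "bob", "finance");

        System.out.println(isPermitted(alice, "update", invoice)); // exercises rule 1
        System.out.println(isPermitted(bob, "read", invoice));     // exercises rule 2
        System.out.println(isPermitted(bob, "update", invoice));   // matches neither rule
    }
}
```

Each microservice evaluates the decision locally against the object it owns, so the subject attributes must arrive in a form the service can verify, such as a signed token.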