Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hello everyone :wave:  . Is it reasonable to use resource scopes as DDD-like “bounded contexts”? i.e. each microservice has its own scope so that resources with the same name (but different meaning) can exist within each?

Yes, you can do that. You could also use the `version` field in the policies to achieve the same thing.

so the version field could be `serviceA.v1` ?

I guess the context could be included in the resource name too `serviceA:resourceB` ?

I think the `version` can be just `serviceA` and you can just call the resource `resourceB`. So, in effect you are asking Cerbos  what a user can do with the `serviceA` version of resource `resourceB`.
If you're using the sidecar model, you can even configure the default policy version used by Cerbos for that particular service. (<https://docs.cerbos.dev/cerbos/latest/configuration/engine.html>)

Of course, I am assuming that resources are completely independent of each other. if your resources need to have a base set of rules that are then overridden per service, use scopes.

Ok, a few things to think about - many thanks for your ideas :slightly_smiling_face: