Should I consider Rhino.Security components to be part of the domain layer, used by other domain entities, or should they be used by the Application layer? For example, I have a system where an administrator can create new user accounts. By default these new user accounts should have the following security settings:

  • Associated with the Members group: read-only rights to other entities in the system.
  • Edit rights to their own user account entity (e.g. change password, change contact info, etc.) but not full rights (e.g. cannot delete their own account).

Should these rules be implemented by the user account entity itself (or by a domain layer service), or should it be done in an application layer service?

Thanks
Dan