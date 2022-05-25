As we mentioned, only Application Service itself knows who can access what applications. Therefore, in this scenario, incorporating the authorization check within the service can make the logic more coherent and reduce unnecessary work if the microservices do it themselves.

Access data from Application Service as an application reviewer

Assume that applicants come from 10 cities. There are 5 application reviewers, with each reviewer taking responsibility for applications from 2 cities. No information is shared among them.

City 1 and city 2 are under the management of reviewer 1. When reviewer 1 wants to view applications under their management, they need to call an endpoint similar to the following.

GET /applications?cities=1,2

The reviewer may only want to view applications from city 1 submitted in recent days.

GET /applications?cities=1&submittedAfter=xxxx-xx-xx

The reviewer isn’t authorized to view applications from cities other than 1 and 2. So the request below must be rejected.

GET /applications?cities=3,6

Delegate the authorization check to a sidecar

Since the accessibility configuration is provided by other services, the microservice doesn’t need or have the ability to provide support for the sidecar, or to know that the sidecar exists. But the sidecar, which is used for the authorization check, needs to learn the microservice's business.