Using XSUAA service in microservice architecture

Hello,

We are developing an application using a microservice architecture, and we use the xsuaa service for security between microservices.
Presently, we use a separate xsuaa service for each microservice that has secured endpoints, which is bad. According to the knowledge base, any solution should only have one XSUAA service instance. If there is the need for more than one instance, then consider splitting it into another project which should be deployed in a different space. An exception exists if you have one master instance and one or more subinstances, which are used to provide access to your application, but with limited scope compared to your main instance.

So we want to rework security, and now we know one working option: we can make one xsuaa service and re-use it in all our microservices, but there is a problem with this approach. All our applications will have access to everything, which is bad, since we can't leverage security and permit access to specific endpoints. So if anyone gets the credentials (clientid and secret), he would also get access to every single endpoint of any microservice.
The question is: is it fine to use this approach, or should we investigate how we can implement security with one main instance and sub-instances with specific authorities?
Thanks

Accepted Solutions (0)

Answers (0)