Design authorization and audit logging systems
Company: Robinhood
Role: Software Engineer
Category: System Design
Difficulty: medium
Interview Round: Onsite
## Scenario
You are building security infrastructure for internal services at a fintech company. Two key components are needed:
## Part A — Internal authorization (access control)
Design an internal permission and access-control system used by employees, services, and automated jobs.
### Requirements
- Support common authorization models:
  - RBAC (role-based access control)
  - ABAC (attribute-based access control)
- Enforce **least privilege** and support separation of duties.
- Permission changes (grant/revoke) should take effect quickly across the fleet.
- Must support low-latency authorization checks on hot paths.
### Topics to cover
- Choosing RBAC vs ABAC vs hybrid, and why.
- Policy representation and evaluation (where policies live, how they are authored).
- Caching authorization decisions: what to cache, cache invalidation strategy, and correctness guarantees.
- Multi-tenant and service-to-service authorization.
- Threat model: bypass attempts, replay, confused deputy, privilege escalation.
## Part B — Security audit logging + monitoring
Design a security audit and monitoring system that records sensitive operations and detects anomalies.
### Requirements
- Record immutable audit events for actions like permission changes, data exports, key/secret access.
- Provide:
  - ingestion/collection,
  - durable storage,
  - query/search for investigations,
  - alerting for suspicious patterns.
- Must not significantly impact the main business request path.
- Prevent or detect **log tampering** (including by insiders) and support retention/compliance.
### Topics to cover
- Event schema, idempotency, ordering guarantees.
- Collection approach (agent vs library vs sidecar), buffering, backpressure.
- Storage choices, indexing strategy, retention tiers.
- Alerting/anomaly detection primitives (rules, thresholds, baselines).
- Integrity mechanisms (WORM storage, hash chaining, signing, access controls).
- Operational considerations (cost, on-call, failure modes, disaster recovery).
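As an added illustration of the hash-chaining and signing items above (example code written for this page, not part of the original question or any Robinhood system), the block below builds a tamper-evident audit log in which each entry's HMAC commits to the previous entry's tag, then shows what verification catches and what it cannot catch without an externally anchored head. The signing key, the event shapes and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical key for this example. In production it lives in a KMS/HSM the
# log writers cannot read, so an insider who edits stored entries cannot re-tag them.
SIGNING_KEY = b"example-only-key"
GENESIS = "0" * 64


def _tag(key, seq, prev, event):
    """HMAC over the canonical entry body (sequence number, previous tag, event)."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_event(chain, event, key=SIGNING_KEY):
    """Append an audit event whose tag commits to the previous entry's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "event": event}
    entry["tag"] = _tag(key, entry["seq"], prev, event)
    chain.append(entry)
    return entry


def verify_chain(chain, key=SIGNING_KEY, anchored_head=None):
    """Return (ok, index of first bad entry). Catches edits, mid-chain deletions and
    reordering; tail truncation is caught only when the caller passes the head tag
    it anchored elsewhere (WORM bucket, append-only ledger, external timestamping)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, i, prev, entry["event"])
        if entry["seq"] != i or entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, len(chain)
    return True, len(chain)


# Constructed sample events of the kinds the requirements call out.
SAMPLE_EVENTS = [
    {"actor": "alice", "action": "grant_role", "target": "bob", "role": "payments-admin"},
    {"actor": "bob", "action": "export_data", "dataset": "customer_pii", "rows": 12000},
    {"actor": "svc-batch", "action": "read_secret", "name": "db/prod/password"},
]
```

Periodically publishing the current head tag to a store the log writers cannot modify turns the chain's weakest case (silently dropping the newest entries) into a detectable one.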
Quick Answer: This question evaluates competency in designing secure authorization and audit logging systems, including access-control models (RBAC/ABAC/hybrid), policy representation and evaluation, low-latency enforcement, caching and invalidation, threat modeling, immutable audit trails, ingestion and storage, and anomaly detection.