Design authorization and audit logging systems

Scenario

You are building security infrastructure for internal services at a fintech company. Two key components are needed:

Part A — Internal authorization (access control)

Design an internal permission and access-control system used by employees, services, and automated jobs.

Requirements

• Support common authorization models:
  • RBAC (role-based access control)
  • ABAC (attribute-based access control)
• Enforce least privilege and support separation of duties.
• Permission changes (grant/revoke) should take effect quickly across the fleet.
• Must support low-latency authorization checks on hot paths.

Topics to cover

• Choosing RBAC vs ABAC vs hybrid, and why.
• Policy representation and evaluation (where policies live, how they are authored).
• Caching authorization decisions: what to cache, cache invalidation strategy, and correctness guarantees.
• Multi-tenant and service-to-service authorization.
• Threat model: bypass attempts, replay, confused deputy, privilege escalation.

Part B — Security audit logging + monitoring

Design a security audit and monitoring system that records sensitive operations and detects anomalies.

Requirements

• Record immutable audit events for actions like permission changes, data exports, key/secret access.
• Provide:
  • ingestion/collection,
  • durable storage,
  • query/search for investigations,
  • alerting for suspicious patterns.
• Must not significantly impact the main business request path.
• Prevent or detect log tampering (including by insiders) and support retention/compliance.

Topics to cover

• Event schema, idempotency, ordering guarantees.
• Collection approach (agent vs library vs sidecar), buffering, backpressure.
• Storage choices, indexing strategy, retention tiers.
• Alerting/anomaly detection primitives (rules, thresholds, baselines).
• Integrity mechanisms (WORM storage, hash chaining, signing, access controls).
• Operational considerations (cost, on-call, failure modes, disaster recovery).