Resolve user roles across account hierarchy
Overview
This question evaluates understanding of hierarchical data structures, role-based access control semantics, and set/map operations for computing effective permissions across account ancestors in the Coding & Algorithms domain.
You are given:
- An account hierarchy:
accounts = [
{"accountId": "org_1", "parent": null},
{"accountId": "wksp_1", "parent": "org_1"}
]
- The hierarchy is a forest.
- There are no cycles .
- Depth is small (e.g., at most grandparent/parent/child), but your solution should not rely on this unless stated.
- Role assignments:
user_role_assignments = [
{"userId": "usr_1", "accountId": "org_1", "role": "admin"}
]
Roles are strings.
Part 1 — Get roles for a user on an account
Implement:
-
getRoles(userId, accountId) -> set(roles)
based only on direct assignments on that exact account.
Part 2 — Include ancestor roles
Implement:
-
getRolesWithAncestors(userId, accountId) -> set(roles)
that returns roles assigned to the user on accountId and on all ancestor accounts up to the root.
Part 3 — Get users for an account (including ancestor roles)
Implement:
-
getUsersForAccount(accountId) -> map(userId -> set(roles))
Return all users who have at least one role effective on accountId when considering ancestor inheritance as in Part 2.
Part 4 — Filter users by required roles
Implement:
-
getUsersForAccountWithFilter(accountId, rolesFilter) -> list(userId)
Return only users whose effective role set (including ancestors) contains all roles in rolesFilter.
Example
getUsersForAccountWithFilter("wksp_1", []) should return all users effective on wksp_1.
Notes
- Define whether duplicate assignments should be deduplicated.
- Maintain deterministic ordering if required (e.g., sort userIds).