Q: How do you cache permission checks to avoid a database lookup on every API request?

Two-level cache: (1) User roles cache: key=user_roles:{user_id}, value=set of (role_id, scope_id) pairs, TTL=5 minutes. Fetch from DB: SELECT role_id, scope_id FROM user_roles WHERE user_id=X AND (expires_at IS NULL OR expires_at > NOW()). (2) Role permissions cache: key=role_perms:{role_id}, value=set of (resource_type, action) pairs, TTL=1 hour. Fetch from DB: SELECT resource_type, action FROM permissions JOIN role_permissions USING (permission_id) WHERE role_id=X. On every API request: check user_roles cache → get role_ids → check role_perms cache for each role → union all permissions → check if requested (resource_type, action) is in the union. All cache reads, no DB hit. Invalidate user_roles cache on role assignment change; invalidate role_perms cache on permission update.

Question 1

What is the difference between ACL, RBAC, and ABAC?

Accepted Answer

ACL (Access Control List): each resource has a list of (principal, permission) pairs. Fine-grained but operationally expensive — changing a user's access requires updating every resource they have access to. Scales poorly for millions of resources. RBAC (Role-Based Access Control): users are assigned roles; roles have permissions. Changing permissions for a group of users means updating one role. Standard for enterprise apps. Example: EDITOR role has (Document, WRITE), (Document, READ); all editors inherit these. ABAC (Attribute-Based Access Control): policies reference attributes: "users with department=Finance AND level>=Manager can approve expense reports < $10,000." Most flexible — policies can reference any attribute. Most complex to implement and reason about. Rule of thumb: use RBAC for most apps, ABAC only when role explosion makes RBAC unmanageable (too many roles for too many resource combinations).

Question 2

How do you cache permission checks to avoid a database lookup on every API request?

Accepted Answer

Two-level cache: (1) User roles cache: key=user_roles:{user_id}, value=set of (role_id, scope_id) pairs, TTL=5 minutes. Fetch from DB: SELECT role_id, scope_id FROM user_roles WHERE user_id=X AND (expires_at IS NULL OR expires_at > NOW()). (2) Role permissions cache: key=role_perms:{role_id}, value=set of (resource_type, action) pairs, TTL=1 hour. Fetch from DB: SELECT resource_type, action FROM permissions JOIN role_permissions USING (permission_id) WHERE role_id=X. On every API request: check user_roles cache → get role_ids → check role_perms cache for each role → union all permissions → check if requested (resource_type, action) is in the union. All cache reads, no DB hit. Invalidate user_roles cache on role assignment change; invalidate role_perms cache on permission update.

Question 3

How does role-based access control work in a multi-tenant SaaS application?

Accepted Answer

Multi-tenant RBAC uses scoped roles: global roles (admin of the whole platform), tenant-scoped roles (admin of tenant X), and resource-scoped roles (editor of document Y). The UserRole table includes a scope_id: NULL for global, tenant_id for tenant-scoped, resource_id for resource-scoped. Permission check for user U accessing resource R in tenant T: (1) Collect all of U's roles: global roles + roles scoped to T + roles scoped to R. (2) Union all permissions for those roles. (3) Check if the required permission is in the union. Tenant isolation: a tenant-scoped ADMIN role only grants admin powers within that tenant's resources. Cross-tenant access is only possible via global roles. Index UserRole on (user_id, scope_id) for efficient lookup.

Question 4

What is row-level security and when should you use it?

Accepted Answer

Row-level security (RLS) enforces data access policies at the database layer, ensuring that even if application code has a bug (missing WHERE clause), users cannot see data they shouldn't. In PostgreSQL: CREATE POLICY policy_name ON table USING (condition). The condition references the current user ID (passed as a session variable). Example: documents table with policy USING (owner_id = current_user_id OR document_id IN (user's explicitly shared docs)). Use RLS when: the application has multiple access paths to the same data (API, direct queries, reporting tools), strict compliance requirements (financial data, HIPAA), or the data model naturally segments by user/tenant. RLS adds query overhead (the policy condition is appended to every query). Profile before using in high-QPS paths.

Question 5

How do you audit who has access to what in a permission system?

Accepted Answer

Effective access report: for any user, query: user's roles (from UserRole), permissions granted by each role (from RolePermission + Permission). Flatten into a list of (resource_type, action) tuples. For resource-specific questions ("who can edit this document?"): query UserRole WHERE scope_id=document_id, union with users having roles that grant global access. For change audit: PermissionAudit table logging every role grant/revoke: (actor, target_user, role, action GRANT/REVOKE, timestamp, reason). Every permission check can also be logged asynchronously (publish to Kafka → audit DB) for compliance: "User X accessed Resource Y at time T." Retain audit logs per compliance requirements (HIPAA=6 years, GDPR=retention policy, SOC2=1 year). Report on "dormant admin access" (users with admin roles who haven't used them in 90 days) for security hygiene.

Permission and Authorization System Low-Level Design

Permission Models Overview

RBAC Data Model

Permission Check Algorithm

Hierarchical Permissions

Row-Level Security (RLS)

Permission Inheritance and Scope

Audit Trail

Key Design Decisions