Practice/Stripe/RBAC Role Resolver

RBAC Role Resolver

CodingMust

Problem Overview

Design and implement a Role-Based Access Control (RBAC) system that manages user roles across a hierarchical account structure. The system must support organizations with nested workspaces, where roles can be inherited from parent accounts.

You are given two data structures:

Accounts: A list of accounts with hierarchical parent-child relationships
User Role Assignments: A list of role assignments mapping users to accounts with specific roles

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"}, {"accountId": "wksp_2", "parent": "org_1"}, {"accountId": "team_1", "parent": "wksp_1"} ]

user_role_assignments = [ {"userId": "usr_1", "accountId": "org_1", "role": "admin"}, {"userId": "usr_2", "accountId": "wksp_1", "role": "editor"}, {"userId": "usr_3", "accountId": "wksp_1", "role": "viewer"}, {"userId": "usr_1", "accountId": "wksp_2", "role": "editor"} ] `

Account Hierarchy Rules

Each account can have at most one parent (tree structure)
There are no cycles in the hierarchy
The hierarchy is limited to at most 3 levels (e.g., org, workspace, team)
Roles assigned at a parent level are inherited by all descendant accounts

The problem is divided into four progressive parts:

Part 1: Basic role lookup (direct assignment only)
Part 2: Role inheritance from ancestor accounts
Part 3: Find all users who have access to an account
Part 4: Filter users by required roles

Important Notes

There are multiple parts to this problem -- ask the interviewer how many parts there are to better manage your time
Start with the simplest data structure and extend it as parts get more complex
Write your own test cases and ensure your code compiles and runs correctly

Part 1: Basic Role Lookup

Implement a class RBACRoleResolver that can look up all roles directly assigned to a user for a specific account. Do not consider inheritance in this part.

Example

rbac = RBACRoleResolver(accounts, user_role_assignments) rbac.getUserRoles("usr_1", "org_1") # Returns: ["admin"] rbac.getUserRoles("usr_1", "wksp_2") # Returns: ["editor"] rbac.getUserRoles("usr_2", "wksp_1") # Returns: ["editor"] rbac.getUserRoles("usr_3", "org_1") # Returns: []

Requirements

Parse accounts and assignments in the constructor
Store role assignments in a structure that supports O(1) lookup by (userId, accountId)
Return an empty list for unknown user/account pairs

Clarification Questions to Ask

Should the returned roles be in any particular order?
Can a user have multiple roles on the same account?
Are role names case-sensitive?
Should we return an empty list or raise an error for unknown users/accounts?

Part 2: Role Inheritance from Ancestors

Extend your implementation so that getUserRoles also includes roles the user has been assigned at any ancestor account (parent, grandparent, etc.).

A user inherits all roles from ancestor accounts. For example, if a user is an admin at the organization level, they are also an admin at all workspaces and teams under that organization.

Example

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"}, {"accountId": "team_1", "parent": "wksp_1"} ]

user_role_assignments = [ {"userId": "usr_1", "accountId": "org_1", "role": "admin"}, {"userId": "usr_1", "accountId": "wksp_1", "role": "editor"}, {"userId": "usr_2", "accountId": "wksp_1", "role": "viewer"} ]

rbac = RBACRoleResolver(accounts, user_role_assignments) rbac.getUserRoles("usr_1", "org_1") # Returns: ["admin"] rbac.getUserRoles("usr_1", "wksp_1") # Returns: ["admin", "editor"] rbac.getUserRoles("usr_1", "team_1") # Returns: ["admin", "editor"] (inherited) rbac.getUserRoles("usr_2", "team_1") # Returns: ["viewer"] (inherited from wksp_1) rbac.getUserRoles("usr_2", "org_1") # Returns: [] (no role at org level) `

Requirements

Traverse from the given account up through its ancestors
Collect all roles assigned at each ancestor account
Return the combined set of direct and inherited roles

Follow-Up Questions

What is the time complexity of your getUserRoles function?
How would you optimize for repeated queries on the same user/account?
What data structures are you using and why?

Part 3: Find All Users for an Account

Implement a method getUsersForAccount that returns all users who have access to a given account. This includes users with direct role assignments and users who have roles on any ancestor account (and thus inherit access).

Example

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"}, {"accountId": "wksp_2", "parent": "org_1"} ]

rbac = RBACRoleResolver(accounts, user_role_assignments) rbac.getUsersForAccount("org_1") # Returns: ["usr_1"] rbac.getUsersForAccount("wksp_1") # Returns: ["usr_1", "usr_2", "usr_3"] rbac.getUsersForAccount("wksp_2") # Returns: ["usr_1"] `

Requirements

Find all ancestors of the given account (including itself)
Collect all users with role assignments on any of those accounts
Return a deduplicated list of user IDs

Follow-Up Questions

How do you avoid returning duplicate users?
What is the time complexity of this operation?
How would you optimize if this query is called frequently?

Part 4: Filter Users by Required Roles

Extend getUsersForAccount into a new method getUsersForAccountWithFilter that only returns users who have all the specified roles (either directly or through inheritance).

Example

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"} ]

rbac = RBACRoleResolver(accounts, user_role_assignments)

No filter -- return all users with any access

rbac.getUsersForAccountWithFilter("wksp_1", [])

Returns: ["usr_1", "usr_2", "usr_3"]

Filter by "admin" role

rbac.getUsersForAccountWithFilter("wksp_1", ["admin"])

Returns: ["usr_1"] (only usr_1 has admin, inherited from org_1)

Filter by multiple roles -- must have ALL

rbac.getUsersForAccountWithFilter("wksp_1", ["admin", "editor"])

Returns: ["usr_1"] (usr_1 has both admin and editor)

Filter by role no one has

rbac.getUsersForAccountWithFilter("wksp_1", ["superadmin"])

Returns: []

Requirements

Reuse getUsersForAccount to get all candidate users
For each candidate, compute their full role set using getUserRoles
Check that the user's roles are a superset of the required roles
If roleFilters is empty, return all users with any access

Practice/Stripe/RBAC Role Resolver

RBAC Role Resolver

CodingMust

Problem Overview

You are given two data structures:

Accounts: A list of accounts with hierarchical parent-child relationships
User Role Assignments: A list of role assignments mapping users to accounts with specific roles

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"}, {"accountId": "wksp_2", "parent": "org_1"}, {"accountId": "team_1", "parent": "wksp_1"} ]

Account Hierarchy Rules

Each account can have at most one parent (tree structure)
There are no cycles in the hierarchy
The hierarchy is limited to at most 3 levels (e.g., org, workspace, team)
Roles assigned at a parent level are inherited by all descendant accounts

The problem is divided into four progressive parts:

Part 1: Basic role lookup (direct assignment only)
Part 2: Role inheritance from ancestor accounts
Part 3: Find all users who have access to an account
Part 4: Filter users by required roles

Important Notes

There are multiple parts to this problem -- ask the interviewer how many parts there are to better manage your time
Start with the simplest data structure and extend it as parts get more complex
Write your own test cases and ensure your code compiles and runs correctly

Part 1: Basic Role Lookup

Implement a class RBACRoleResolver that can look up all roles directly assigned to a user for a specific account. Do not consider inheritance in this part.

Example

Requirements

Parse accounts and assignments in the constructor
Store role assignments in a structure that supports O(1) lookup by (userId, accountId)
Return an empty list for unknown user/account pairs

Clarification Questions to Ask

Should the returned roles be in any particular order?
Can a user have multiple roles on the same account?
Are role names case-sensitive?
Should we return an empty list or raise an error for unknown users/accounts?

Part 2: Role Inheritance from Ancestors

Extend your implementation so that getUserRoles also includes roles the user has been assigned at any ancestor account (parent, grandparent, etc.).

A user inherits all roles from ancestor accounts. For example, if a user is an admin at the organization level, they are also an admin at all workspaces and teams under that organization.

Example

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"}, {"accountId": "team_1", "parent": "wksp_1"} ]

Requirements

Traverse from the given account up through its ancestors
Collect all roles assigned at each ancestor account
Return the combined set of direct and inherited roles

Follow-Up Questions

What is the time complexity of your getUserRoles function?
How would you optimize for repeated queries on the same user/account?
What data structures are you using and why?

Part 3: Find All Users for an Account

Example

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"}, {"accountId": "wksp_2", "parent": "org_1"} ]

Requirements

Find all ancestors of the given account (including itself)
Collect all users with role assignments on any of those accounts
Return a deduplicated list of user IDs

Follow-Up Questions

How do you avoid returning duplicate users?
What is the time complexity of this operation?
How would you optimize if this query is called frequently?

Part 4: Filter Users by Required Roles

Extend getUsersForAccount into a new method getUsersForAccountWithFilter that only returns users who have all the specified roles (either directly or through inheritance).

Example

` accounts = [ {"accountId": "org_1", "parent": None}, {"accountId": "wksp_1", "parent": "org_1"} ]