System Design Space
Knowledge graphSettings

Updated: March 25, 2026 at 5:46 PM

Access Control for Media App

medium

Classic task: RBAC/ABAC/ReBAC, policy decision point, audit trail and cache invalidation.

Authorization in a media product is not just token validation. It is applying entitlement policy to device, region, subscription, time, and content type without destroying latency.

The chapter helps break down policy evaluation, signed URLs, cache invalidation, DRM-adjacent controls, and authorization decisions on a high-traffic read path.

For interviews and design reviews, this case is useful because it tests understanding of policy distribution, critical-path latency, and the correctness of access decisions.

Pipeline Thinking

Ingestion, partitioning, deduplication, and stage latency drive system behavior.

Serving Layer

Index and cache-locality decisions directly shape user-facing query latency.

Consistency Window

Explicitly define where eventual consistency is acceptable and where it is not.

Cost vs Freshness

Balance update frequency with compute/storage cost and operational complexity.

Acing SDI

Practice task from chapter 16

Authorization for media products: policy model, enforcement, audit, and reliability.

Читать обзор

Access Control for Media App is about designing authorization as a separate capability, not as scattered condition checks in handlers. Interviewers look for policy clarity, responsibility boundaries, and failure behavior.

Functional requirements

  • Access checks for viewer/editor/admin and service accounts.
  • RBAC baseline with ABAC/ReBAC for advanced policies.
  • Audit trail for authorization decisions and policy changes.
  • Explain API for support and incident investigation.

Non-functional requirements

  • p95 authorization decision latency < 20ms.
  • High availability of policy decision path.
  • Tenant isolation and privilege-escalation resistance.
  • Correct cache invalidation after policy updates.

High-Level Architecture

Theory

ACL/RBAC/ABAC/ReBAC

Access-control models and how to apply them in distributed systems.

Читать обзор

High-Level Architecture

PEP/PDP + policy store + audit/revocation loop

This topology separates decision path, policy control plane, and audit/revocation control loop.

Client / Service
access request
API Gateway
entry policy
PEP
enforcement point
PDP
decision engine
Policy Store
versioned rules
Attribute Store
subject/resource
Decision Cache
short-lived
Audit Log
immutable decisions
SIEM / Alerts
anomaly detection
Revocation Service
emergency revoke

This architecture keeps hot decision path separate from policy control plane and supports explainability, auditability, and fast revocation under compromise scenarios.

Write/Read Paths

Write/Read Paths

How policy changes are written into control plane and how hot decision path is served.

Write path: policy/revocation updates are written into versioned store, then cache invalidation propagates and audit events are emitted.

Policy Change

Layer 1

admin/update request

Security/admin service sends policy updates, role grants, and revoke events.

Policy Store

Layer 2

versioned write

Update is committed as a new policy version with rollout guards.

Invalidate Cache

Layer 3

PEP/PDP sync

Invalidation propagates to decision caches and edge enforcement points.

Audit Stream

Layer 4

immutable events

Policy and revoke events are persisted into immutable audit log/SIEM.

Enforcement Ready

Layer 5

new rules active

PEP/PDP runs on the new policy version and applies updated decisions.

Write path checkpoints

  • Every policy change must be versioned and attributed to an actor for auditability.
  • Cache invalidation must complete before rollout is considered done.
  • Revocation path should propagate quickly and block compromised sessions.

Policy model

  • RBAC for baseline role-based access.
  • ABAC for context (tenant, device, region, time).
  • ReBAC for collaboration and ownership graphs.
  • Deny-by-default with explicit allow paths.

Reliability and security

  • Short-lived cache with version-aware invalidation.
  • Fallback policy under PDP outage (fail-closed for critical ops).
  • Immutable audit log and anomaly detection.
  • Fast revocation path for compromised identities.

Common misses in interviews

  • No explainability path for denied access decisions.
  • Long-lived access cache without policy version control.
  • Mixing authentication and authorization concerns.
  • No emergency revoke flow for compromised accounts.

Related chapters

  • Identification, authentication, authorization - Boundary model for AuthN/AuthZ responsibilities and token lifecycle handling.
  • ACL/RBAC/ABAC/ReBAC - Access-control model trade-offs and selection criteria for media-domain policies.
  • API Security Patterns - Gateway/service-level enforcement patterns for resilient authorization surfaces.
  • Zero Trust - Least-privilege and continuous verification approach for distributed authorization paths.
  • SRE Book - Operational reliability practices and guardrails for critical authz services.
  • Payment System - Parallel on auditability, idempotency, and failure-safe behavior in sensitive systems.

Enable tracking in Settings