InterviewStack.io LogoInterviewStack.io

Identity and Access Management Questions

Design and operational practices for authentication and authorization across systems and applications. Covers identity models, provisioning and deprovisioning, role based access control and roles and permission design, policy enforcement, segregation of duties, and principle of least privilege. Includes service to service authentication and infrastructure access patterns, database authentication modes and database roles, audit trails for access and authorization changes, methods for granting and revoking permissions, and techniques to detect and investigate unauthorized access. Also addresses scaling identity and access control for large organizations, single sign on, federation, and integration with external identity providers.

HardSystem Design
59 practiced
Design a Continuous Access Evaluation (CAE) system that enables near-immediate revocation of access when credentials are compromised or roles change. Describe how change events are detected, how they are securely propagated to enforcement points (API gateways, microservices, mobile clients), options for push vs pull invalidation, securing the propagation channel, and methods to minimize latency while scaling to tens of thousands of active sessions.
MediumSystem Design
44 practiced
Design a system for issuing, rotating, and revoking API keys used by services and external partners. The system must support automated rotation without downtime, bind keys to service identities and scopes, provide audit trails, integrate with CI/CD and secret managers, and support emergency revocation. Describe issuance flows, rotation strategies (rolling, short-lived), migration for consumers, and how to deprecate long-lived keys in favor of ephemeral tokens.
HardSystem Design
41 practiced
Edge services must perform millions of authorization checks per second while minimizing calls to central PDPs. Design an authorization caching architecture that provides low-latency decisions, supports policy and permission changes, and guarantees eventual consistency. Discuss cache keys, TTL strategies, invalidation via events, negative caching, fallback to live PDP on cache miss, and measures to avoid stale allow decisions.
HardSystem Design
41 practiced
Design a CI/CD pipeline access model where build agents and deployment jobs have just enough privileges for each pipeline stage. Explain how to provision ephemeral credentials per job, inject secrets securely at runtime (without storing them in plain text in logs), sign and verify build artifacts, and prevent credential leakage. Describe integration with secret managers, workload identity federation, and artifact attestation.
MediumSystem Design
42 practiced
Design the identity and authorization architecture for a multi-tenant SaaS platform that must support per-tenant SSO (multiple external IdPs per tenant), strict tenant isolation, delegated tenant administrators, and shared services (billing, support). Describe identity model (user vs tenant identities), token design (claims like tenant_id, audience), tenancy-aware PDP behavior, role modeling, and how to enforce isolation at compute and data layers.

Unlock Full Question Bank

Get access to hundreds of Identity and Access Management interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.