
System Design FAQ: Top Questions

24. How would you design an Identity and Access Management (IAM) System?

An Identity and Access Management (IAM) system handles authentication (who you are) and authorization (what you can do). It provides secure user identity verification, role-based access control, and auditability.

Functional Requirements

  • Support sign-up/sign-in with email/password and OAuth
  • Issue and validate secure tokens (JWTs)
  • Manage users, groups, roles, and permissions
  • Audit login attempts and access changes

Non-Functional Requirements

  • Scalable token issuance and validation
  • Encrypted token storage and secure secret rotation
  • Compliance with standards (e.g., OAuth2, OpenID Connect)

Core Components

  • Authentication Service: Handles login/signup and multi-factor auth
  • Token Service: Issues and validates JWTs or opaque tokens
  • User Store: Stores user credentials and metadata
  • RBAC Layer: Maps users to roles and permissions
  • Audit Logger: Tracks all auth and access events

JWT Token Example


{
  "alg": "HS256",
  "typ": "JWT"
}.
{
  "sub": "1234567890",
  "email": "user@example.com",
  "roles": ["admin"],
  "exp": 1718171453
}
        

Auth Flow (OAuth2 + OpenID Connect)

  1. User logs in via identity provider (Google, GitHub)
  2. Backend exchanges auth code for access + ID token
  3. Token attached to API calls in Authorization: Bearer header
  4. Resource server verifies token and checks permissions
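Step 4 as an added example (not code from the original page): a resource server verifies an HS256 token shaped like the JWT above, then checks a permission against the token's roles, denying by default. The key, the role-to-permission map, and all function names are constructed assumptions; a production service would use a maintained JWT library and fetch the key from its secret store.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"          # assumption: in production this lives in an HSM/Vault
ROLE_PERMISSIONS = {                      # constructed stand-in for a role-to-permission mapping
    "admin": {("read", "user"), ("delete", "user")},
    "viewer": {("read", "user")},
}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign(header, claims, key=SECRET):
    """Token Service side: serialize, then MAC header.payload with HMAC-SHA256."""
    body = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    return body + "." + b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token, key=SECRET, now=None):
    """Resource server side: return the claims or raise ValueError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64d(h))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; the token never chooses it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = b64e(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), s.encode()):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64d(p))          # payload is parsed only after the MAC checks out
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def authorize(token, action, resource, now=None):
    """Deny by default: any verification failure or unknown role grants nothing."""
    try:
        roles = verify(token, now=now).get("roles")
    except ValueError:
        return False
    if not isinstance(roles, list):
        return False
    return any((action, resource) in ROLE_PERMISSIONS.get(r, ())
               for r in roles if isinstance(r, str))
```

Failed verifications are the events that feed the "invalid token usage" metric, so log the ValueError reason at the point where authorize() returns False.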

Example RBAC Table


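-- Named roles (e.g., admin)
CREATE TABLE roles (
  id UUID PRIMARY KEY,
  name TEXT UNIQUE NOT NULL
);

-- A permission is one action on one resource
CREATE TABLE permissions (
  id UUID PRIMARY KEY,
  action TEXT NOT NULL,
  resource TEXT NOT NULL,
  UNIQUE (action, resource)
);

-- Many-to-many: which permissions each role grants
CREATE TABLE role_permissions (
  role_id UUID NOT NULL REFERENCES roles(id),
  permission_id UUID NOT NULL REFERENCES permissions(id),
  PRIMARY KEY (role_id, permission_id)  -- no duplicate grants
);

-- Many-to-many: which roles each user holds
-- (user_id identifies a record in the User Store)
CREATE TABLE user_roles (
  user_id UUID NOT NULL,
  role_id UUID NOT NULL REFERENCES roles(id),
  PRIMARY KEY (user_id, role_id)  -- no duplicate assignments
);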
        

Directory as Identity Source

  • Integrate with LDAP or Active Directory for enterprise SSO
  • Provision accounts via SCIM or API

Secrets & Key Management

  • Use HSM or Vault for signing key storage
  • Rotate keys periodically
  • Store password hashes using bcrypt or argon2

Metrics and Auditing

  • Login success/failure rates
  • Invalid token usage
  • Admin permission change logs

Final Insight

IAM is a mission-critical system requiring secure, auditable, and scalable design. Use token-based authentication, integrate industry standards, and enforce least privilege access with robust role-permission mapping.