Design an Employee Directory Service (LDAP/Active Directory)
Design a centralized system for storing employee data, permissions, and roles within a large organization. Discuss synchronization and access control.
Why Interviewers Ask This
Interviewers at Salesforce ask this to evaluate your ability to design scalable, secure identity systems. They specifically test your understanding of hierarchical data modeling, real-time synchronization challenges in distributed environments, and how you prioritize security principles like least privilege while maintaining high availability for enterprise clients.
How to Answer This Question
1. Clarify requirements immediately: Ask about scale (users vs. records), consistency needs (strong vs. eventual), and specific use cases like SSO or role-based access control.
2. Define the data model: Propose a schema handling attributes (name, email), roles, and group memberships, emphasizing efficient lookups.
3. Architect the core services: Design separate microservices for User Management, Group/Role Management, and Authentication, ensuring loose coupling.
4. Address synchronization: Explain strategies for syncing with on-premise Active Directory using change data capture (CDC) streams to handle latency.
5. Detail security and scaling: Discuss encryption at rest, RBAC implementation, and caching strategies like Redis to handle read-heavy traffic typical of directory services.
Key Points to Cover
- Explicitly define the trade-off between strong consistency for permissions and eventual consistency for read-heavy profile data
- Demonstrate knowledge of Change Data Capture (CDC) patterns for synchronizing with legacy on-premise systems
- Propose a clear separation of concerns between User Management, Group Management, and Authentication services
- Detail specific security measures like RBAC enforcement and immutable audit logging
- Discuss scaling strategies such as read replicas and caching to handle enterprise-level traffic
Sample Answer
To design an Employee Directory Service, I first clarify that we need to support millions of users with sub-second read latency while ensuring strong consistency for permission changes. I would start by defining a schema where Users are nodes linked to Groups and Roles via a many-to-many relationship, storing attributes in a columnar store for fast filtering. For the architecture, I'd propose a read-replica pattern where the primary database handles writes from HR systems, while multiple read replicas serve queries globally. To handle synchronization with on-premise Active Directory, I'd implement a Change Data Capture pipeline that listens to AD event logs, queues changes in Kafka, and applies them asynchronously to our cloud service, ensuring eventual consistency without blocking user logins. Security is paramount; I'd enforce Role-Based Access Control (RBAC) at the API gateway level, ensuring employees only see data relevant to their department. Given Salesforce's focus on trust, I'd also include audit logging for every permission change and encrypt sensitive fields like SSNs at rest. Finally, I'd add a caching layer using Redis for frequently accessed profile data to reduce database load during peak login times.
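The consumer side of the CDC pipeline described above, as an added example that is not part of the original sample answer: it applies change events idempotently so that a replayed or late event cannot undo a revocation, and it evicts the cached entry whenever group membership changes. The event shape, the per-object `seq` number, and all class and function names are hypothetical, and at-least-once delivery from the queue is assumed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ChangeEvent:                  # hypothetical event shape, not an AD or Kafka schema
    object_id: str                  # stable ID of the directory object
    seq: int                        # change number, increasing per source
    op: str                         # "upsert" or "delete"
    groups: frozenset = frozenset()

@dataclass
class DirectoryReplica:
    entries: dict = field(default_factory=dict)      # object_id -> group set
    applied_seq: dict = field(default_factory=dict)  # object_id -> last seq applied
    cache: dict = field(default_factory=dict)        # stand-in for the Redis layer
    audit: list = field(default_factory=list)        # append-only change trail

    def apply(self, ev: ChangeEvent) -> bool:
        """Apply one event; return False for a replayed or out-of-order one."""
        if ev.seq <= self.applied_seq.get(ev.object_id, -1):
            return False            # the queue redelivers, so stale events are dropped
        before = self.entries.get(ev.object_id, frozenset())
        after = frozenset() if ev.op == "delete" else ev.groups
        if ev.op == "delete":
            self.entries.pop(ev.object_id, None)
        else:
            self.entries[ev.object_id] = after
        self.applied_seq[ev.object_id] = ev.seq   # kept after delete as a tombstone
        if before != after:
            # A stale cache entry would keep a revoked group alive until expiry.
            self.cache.pop(ev.object_id, None)
            self.audit.append((ev.seq, ev.object_id,
                               sorted(after - before), sorted(before - after)))
        return True

    def groups_of(self, object_id: str) -> frozenset:
        if object_id not in self.cache:   # read path: fill the cache on a miss
            self.cache[object_id] = self.entries.get(object_id, frozenset())
        return self.cache[object_id]

def run_demo():
    """Constructed event stream: a revocation followed by a late, older grant."""
    replica = DirectoryReplica()
    stream = [
        ChangeEvent("u-alice", 1, "upsert", frozenset({"eng", "admins"})),
        ChangeEvent("u-alice", 3, "upsert", frozenset({"eng"})),            # admins revoked
        ChangeEvent("u-alice", 2, "upsert", frozenset({"eng", "admins"})),  # arrives late
        ChangeEvent("u-alice", 4, "delete"),
        ChangeEvent("u-alice", 3, "upsert", frozenset({"eng"})),            # replay after delete
    ]
    return replica, [(replica.apply(ev), replica.groups_of("u-alice")) for ev in stream]
```

Keeping `applied_seq` after a delete is what stops the final replayed event from resurrecting the removed account.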
Common Mistakes to Avoid
- Focusing solely on the database schema without addressing how data flows between on-premise and cloud systems
- Ignoring the complexity of hierarchical relationships when designing the data model for groups and roles
- Overlooking security implications like how to handle temporary access grants or revocation workflows
- Failing to mention latency issues inherent in syncing large directories across different time zones