\\### \\\*\\\*Building Tree Driven ACL & Nested Permissions for Secure FinTech Applications - Sprintmoney\\\*\\\* !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/2807cab6-9046-4b5c-a7e7-3753b43d702b/image.png) > In this technical deep-dive, we'll explore how we implemented a sophisticated permission system that enables rapid onboarding of 50,000+ bank employees for Employee Masters across major banks. Our solution leverages tree data structures for efficient access control and permission management. \\\*\\\*Problem Statement\\\*\\\* --------------------- Sprintmoney approached us to develop a \\\[SaaS\\\](https://en.wikipedia.org/wiki/Software\\\_as\\\_a\\\_service) solution for banks that would: 1. Handle sales of \\\[Insurance\\\](https://en.wikipedia.org/wiki/Insurance), \\\[Mutual Funds\\\](https://en.wikipedia.org/wiki/Mutual\\\_fund), and \\\[Loan Against Securities\\\](https://en.wikipedia.org/wiki/Securities\\\_lending) (LAS) 2. Function as a white-label solution deployable in banks' own cloud infrastructure 3. Support direct employee onboarding with proper permissions Banks typically follow a hierarchical organizational structure which are generally based on \\\[Basel Committee Corporate Governance Principles for Banks\\\](https://www.bis.org/bcbs/publ/d328.htm) or \\\[Open Banking Specification\\\](https://standards.openbanking.org.uk/specifications/). \\\*\\\*Here is a simplified version\\\*\\\* -------------------------------- #### Bank-level Organization !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/1f56388c-f5c7-479e-a617-3d4784d5bdd8/image.png) #### Similarly, Each Branch then has its own hierarchy !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/c59bde15-8cc6-414e-974c-a20327ebc550/image.png) \\\[Sprintmoney\\\](https://sprintmoney.in/) expected a solution that could be flexible enough, such that \\\* Seamlessly integrate with any major bank's employee master data \\\* Implement document/entity-specific permissions (Leads, Targets, Rewards) based on organizational hierarchy \\\* Enable granular permission management by respective managers \\\* Support reward point propagation through the \\\[organizational structure\\\](https://www.bis.org/bcbs/publ/d328.htm) \\\*\\\*User Story\\\*\\\* -------------- #### Actor: Lead Generator A root-level employee who interacts with customers and creates leads for potential requirements. \\\[Lead Generator\\\] => \\\[Customer Details\\\] => \\\[Lead Created\\\] #### Actor: Specified Person A certified person who has the legal authority to sell a product and close the lead \\\[Existing Lead\\\] => \\\[Follow Up\\\] => \\\[Sales Funnel\\\] => \\\[Sales Complete\\\] => \\\[Rewards Allocated\\\] => \\\[Closed\\\] #### Actor: Branch Manager A manager who tracks branch-level performance and accounts, targets, and rewards \\\[Rewards Allocated\\\] => \\\[Targets Updated\\\] #### Expected Reward Propogation If 2 \\\`Lead Generator\\\` Create 2 leads of INR \\\`30,000\\\` and \\\`42,000\\\` each, and they endup being sold, this is the expected flow of rewards (Eg. Targets). !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/a6a13700-258a-4cee-9697-3a5bdd0da70b/image.png) The same propagation of rewards is expected throughout both trees. ### \\\*\\\*Solution\\\*\\\* #### Tree Data Structure Implementation With a segregated tree for each Bank & Branch organization, we can have a structure that would simplify 1. \\\*\\\*Read Performance\\\*\\\* \\\* Efficient data retrieval \\\* Hierarchical caching \\\* Quick permission checks 2. \\\*\\\*Update Management\\\*\\\* \\\* Asynchronous event processing \\\* Branch-level sharding \\\* State management The solution links the lowest \\\`non-group\\\` node from the \\\`Bank Tree\\\` to the root node of the \\\`Branch Tree\\\` , creating a seamless hierarchy while maintaining separation of concerns. !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/ca76e9f1-d2a8-4b8f-8a46-bdab47a0448a/image.png) This architecture provides independent processing trees that can bifurcate handling of different entities and document types (Leads, Targets, Rewards, etc.), with transactional synchronization at the Branch level and asynchronous background synchronization at the Bank level. #### Bulk Import Architecture For importing a \\\[bulk of masters\\\](https://tools.ietf.org/html/rfc4180) and appending the respective ACL is a write-heavy operation, with simple jobs or direct enqueue, it becomes tricky as missing out organization nodes or them not being in the correct sequence could cause errors and a \\\[fallback loop\\\](https://learn.microsoft.com/en-us/azure/architecture/patterns/retry). #### S3-Based Batch Processing !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/b93637f3-7afb-4755-9e50-05163bd5a8b0/image.png) #### Hierarchical Pre-population !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/888624be-d8d6-42a3-9b95-4f3ce01b5fdb/image.png) For having master's imported, we made jobs that would \\\[batch process\\\](https://www.isa.org/standards-and-publications/isa-standards/isa-88-standards) masters and first specify the hierarchy in which the masters should be synced in. #### \\\[Performance Optimization\\\](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-best-practices-development) !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/cb1da6e6-6168-44c6-a597-2d779dd36892/image.png) With the organization tree pre-populated, we were able to append masters in seconds. #### Sharding & \\\[Caching Strategy\\\](https://docs.aws.amazon.com/whitepapers/latest/database-caching-strategies-using-redis/caching-patterns.html) Our solution implements: 1. \\\[\\\*\\\*Composite Key Caching\\\*\\\*\\\](https://redis.io/solutions/caching/) \\\* Bank + Branch identifiers \\\* User-specific access patterns \\\* \\\[API-level caching\\\](https://redis.io/learn/howtos/solutions/microservices/caching) 2. \\\[\\\*\\\*Virtual Sharding\\\*\\\*\\\](https://learn.microsoft.com/en-us/azure/architecture/patterns/sharding) \\\* Branch-level \\\[data isolation\\\](https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/considerations/data-architecture) \\\* Reduced database load \\\* Improved \\\[query performance\\\](https://redis.io/kb/doc/1mebipyp1e/performance-tuning-best-practices) !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/22d3fdd6-18c2-4e6f-9b94-3e5afcd6c605/image.png) With achieved virtual sharding, we would yield great performance in terms of latency and highly improve caching, significantly reducing any load on the DB. ### \\\*\\\*Business Impact & Performance\\\*\\\* !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/6f3a53a8-65e1-4df6-b9ae-fd995e6630c0/image.png) #### Caching Improvements !\\\[\\\](https://t9016527038.p.clickup-attachments.com/t9016527038/aea86d65-b7b9-4596-b0d3-ea0540623aa3/image.png) ### \\\*\\\*Conclusion\\\*\\\* This architecture demonstrates how thoughtful system design can turn scaling challenges into opportunities for performance optimization. The tree-based approach not only solved the immediate permission management needs but also provided a foundation for \\\[horizontal scalability\\\](https://learn.microsoft.com/en-us/azure/architecture/guide/design-principles/scale-out). \\\* \\\* \\\* \\\*\\\*Author:\\\*\\\* \\\[Prafful Suthar\\\](https://www.linkedin.com/in/prafful-suthar-029289170/) \\\*\\\*Ready to solve a similar problem?\\\*\\\* \\\[Scalix.in\\\](http://Scalix.in) \\\*\\\*Tags:\\\*\\\* #Fintech #\\\[Frappe\\\](https://frappe.io/) #\\\[ERPnext\\\](https://frappe.io/erpnext/regional/open-source-erp-for-india) #Banking System #ERP