From b6d7fc0ca71c0f52823608c9a6dc6b2dc9924891 Mon Sep 17 00:00:00 2001 From: Maria Fernanda Magallanes Zubillaga Date: Fri, 12 Dec 2025 17:00:59 -0500 Subject: [PATCH 1/5] docs: update the oep-66 --- .../oep-0066-bp-authorization.rst | 40 +++++++++++++++---- ...edX_Authorization_Explicit_Roles_Table.rst | 17 ++++---- 2 files changed, 42 insertions(+), 15 deletions(-) diff --git a/oeps/best-practices/oep-0066-bp-authorization.rst b/oeps/best-practices/oep-0066-bp-authorization.rst index b3eb513b5..f9e992f04 100644 --- a/oeps/best-practices/oep-0066-bp-authorization.rst +++ b/oeps/best-practices/oep-0066-bp-authorization.rst @@ -332,15 +332,15 @@ Open edX Auth Overview Diagram oep-0066/Open_edX_Auth_Overview_Table.rst -Open edX Authorization Explicit Roles Diagram ---------------------------------------------- +Open edX Authorization Explicit Roles +------------------------------------- -.. image:: oep-0066/Open_edX_Authorization_Explicit_Roles.png - :alt: A diagram that shows the different systems/protocols that are used to control explicit roles in the Open edX codebase. The information in the diagram is also in the Open edX Authorization Explicit Roles Table (linked to in this document). +The Open edX ecosystem uses multiple systems to manage these roles, including course-level roles, discussion roles, Django admin permissions, edx-rbac, and content library permissions. Each system has distinct role assignment mechanisms, data models, and use cases. + +For detailed information about each explicit role system, including system users, role options, use cases, implementation details, and data models, see: .. toctree:: :maxdepth: 1 - :glob: oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst 
@@ -479,8 +479,24 @@ authn data point, but is an accepted way to implement feature specific roles and It is advisable to be very careful regarding the jwt token header limits if adding a new feature specific set of roles using this implementation path. -content_libraries_contentlibrarypermission ------------------------------------------- +openedx-authz +------------- + +Open edX AuthZ is a unified authorization framework that centralizes roles and permissions across the Open edX platform, replacing the fragmented legacy system. + +The `openedx-authz`_ package uses the `Casbin`_ policy-based evaluation framework to ensure scalable and consistent authorization. This approach standardizes policy storage and provides a unified API, making it easier to maintain and extend authorization logic across the entire ecosystem. + +Currently, openedx-authz only supports the default roles and permissions of content libraries, but the idea is to extend its capabilities to the entire Open edX system. + +For more information, see the `openedx-authz documentation`_ and the `openedx-authz repository`_. + +.. _openedx-authz: https://github.com/openedx/openedx-authz +.. _Casbin: https://casbin.org/ +.. _openedx-authz documentation: https://github.com/openedx/openedx-authz/blob/main/README.rst +.. _openedx-authz repository: https://github.com/openedx/openedx-authz + +content libraries +------------------ Permission is granted on a Feature, in this case Content Library. @@ -581,9 +597,19 @@ References `bridgekeeper `_ +`Casbin`_ + +`openedx-authz`_ + Change History ************** +2025-12-15 +---------- + +* Update how the content libraries' permissions work to reflect the addition of `openedx-authz`. +* Add `openedx-authz` information. + 2024-01-23 ---------- diff --git a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst index 697ef39a3..8bd0b2e43 100644 
--- a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst +++ b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst @@ -144,14 +144,15 @@ content_libraries - v2 Library Roles * - **System Users** - - * Roles are assigned by the library creator in the CMS. - * Roles can be assigned in the django admin dashboard. + * Roles are assigned by the library creator or a library admin in the CMS. * - **System Role Options** - * Roles: - * admin = Administer users and author content - * author = Author content - * read = Read-only + * The **Library Admin** has full control over the library, including managing users, modifying content, and handling publishing workflows. They ensure content is properly maintained and accessible as needed. + * The **Library Author** is responsible for creating, editing, and publishing content within a library. They can manage tags and collections but cannot delete libraries or manage users. + * The **Library Contributor** can create and edit content within a library but cannot publish it. They support the authoring process while leaving final publishing to Authors or Admins. + * The **Library User** can view and reuse content but cannot edit or delete anything. + * - **Example Use Cases** - * v2 Content Library Service 
@@ -159,10 +160,10 @@ content_libraries - v2 Library Roles - * Set in the CMS * Roles can be assigned through the CMS UI - * Roles can be assigned through the LMS django admin dashboard * Roles are assigned per library. * Roles can be assigned in the UI by an admin for the library or a user with the global_staff role. - * Connected to the django admin dashboard through admin.py file. * - **Data Model** - - * content_libraries_contentlibrarypermission table in the edx-platform LMS database with access_level, id, library_id, user_id, _sdc_deleted_at fields + * Uses `Casbin `_ for policy-based access control. + * Policies stored in casbin_rule table with fields: id, ptype, v0, v1, v2, v3, v4, v5. + * Policy structure: subject (role/user), action (role/permission), scope (pattern), effect. From 9e1bbb439d233c5013ea40ec8071ed3b950b8b77 Mon Sep 17 00:00:00 2001 From: Maria Fernanda Magallanes Zubillaga Date: Mon, 15 Dec 2025 15:34:17 -0500 Subject: [PATCH 2/5] docs: apply feedback --- .../oep-0066-bp-authorization.rst | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/oeps/best-practices/oep-0066-bp-authorization.rst b/oeps/best-practices/oep-0066-bp-authorization.rst index f9e992f04..738354c34 100644 --- a/oeps/best-practices/oep-0066-bp-authorization.rst +++ b/oeps/best-practices/oep-0066-bp-authorization.rst @@ -11,9 +11,9 @@ OEP-66: User Authorization * - Title - User Authorization * - Last Modified - - 2023-10-20 + - 2025-12-15 * - Authors - - Hilary Sinkoff (hsinkoff@2u.com), Jeremy Bowman (jbowman@edx.org) + - Hilary Sinkoff (hsinkoff@2u.com), Jeremy Bowman (jbowman@edx.org), Maria F Magallanes (maria.magallanes@edunext.co) * - Arbiter - Feanil Patel (feanil@axim.org) * - Status 
@@ -479,6 +479,8 @@ authn data point, but is an accepted way to implement feature specific roles and It is advisable to be very careful regarding the jwt token header limits if adding a new feature specific set of roles using this implementation path. +.. _openedx-authz-section: + openedx-authz ------------- @@ -490,21 +492,15 @@ Currently, openedx-authz only supports the default roles and permissions of cont For more information, see the `openedx-authz documentation`_ and the `openedx-authz repository`_. -.. _openedx-authz: https://github.com/openedx/openedx-authz -.. _Casbin: https://casbin.org/ -.. _openedx-authz documentation: https://github.com/openedx/openedx-authz/blob/main/README.rst -.. _openedx-authz repository: https://github.com/openedx/openedx-authz - -content libraries +Content Libraries ------------------ -Permission is granted on a Feature, in this case Content Library. +Roles and permissions are granted on a per-library basis for v2 content libraries. -Permission is assigned in the CMS exclusively for providing explicit permission to -view or edit a library in the CMS. +Explicit roles can be assigned through Studio by accessing the library and selecting the "Manage Team" option. This provides granular control over who can view, edit, or administer each content library. -It grants access on a library by library basis and is used for v2 of content libraries -in the CMS. +.. note:: + Since Ulmo, these permissions are handled by :ref:`openedx-authz `. .. note:: v1 libraries (deprecated) granted access to libraries on a course by course basis @@ -601,6 +597,11 @@ References `openedx-authz`_ +.. _openedx-authz: https://github.com/openedx/openedx-authz +.. _Casbin: https://casbin.org/ +.. _openedx-authz documentation: https://github.com/openedx/openedx-authz/blob/main/README.rst +.. _openedx-authz repository: https://github.com/openedx/openedx-authz + Change History ************** 
@@ -609,6 +610,7 @@ Change History * Update how the content libraries' permissions work to reflect the addition of `openedx-authz`. * Add `openedx-authz` information. +* `Pull request #760 `_ 2024-01-23 ---------- From 438516b480be8b4880370d0ec51e873b116f4597 Mon Sep 17 00:00:00 2001 From: Maria Fernanda Magallanes Zubillaga Date: Mon, 15 Dec 2025 16:19:21 -0500 Subject: [PATCH 3/5] docs: update of rbac section and explicit roles table --- .../oep-0066-bp-authorization.rst | 7 ++-- ...edX_Authorization_Explicit_Roles_Table.rst | 38 ++++++++++++++++--- 2 files changed, 36 insertions(+), 9 deletions(-) diff --git a/oeps/best-practices/oep-0066-bp-authorization.rst b/oeps/best-practices/oep-0066-bp-authorization.rst index 738354c34..696f5c6de 100644 --- a/oeps/best-practices/oep-0066-bp-authorization.rst +++ b/oeps/best-practices/oep-0066-bp-authorization.rst @@ -105,12 +105,9 @@ Role Based Access Control. A system in which roles are assigned to a user in order to grant that user permission to perform specific operations. There are multiple RBAC implementations in use within the Open edX codebase, -including, but not limited to, `edx-rbac`_ and `student_courseaccessrole`_. +including, but not limited to, `edx-rbac`_, `student_courseaccessrole`_ and :ref:`openedx-authz `. The implementations will be described in detail below. -.. _student_courseaccessrole: https://github.com/openedx/edx-platform/blob/master/common/djangoapps/student/roles.py -.. _edx-rbac: https://github.com/openedx/edx-rbac/tree/master - Explicit Role ------------- A role that is specifically assigned to a user with 
@@ -597,6 +594,8 @@ References `openedx-authz`_ +.. _student_courseaccessrole: https://github.com/openedx/edx-platform/blob/master/common/djangoapps/student/roles.py +.. _edx-rbac: https://github.com/openedx/edx-rbac/tree/master .. _openedx-authz: https://github.com/openedx/openedx-authz .. _Casbin: https://casbin.org/ .. _openedx-authz documentation: https://github.com/openedx/openedx-authz/blob/main/README.rst diff --git a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst index 8bd0b2e43..abfef5465 100644 --- a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst +++ b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst @@ -139,19 +139,23 @@ edx-rbac content_libraries - v2 Library Roles ------------------------------------ + +Legacy +^^^^^^^ + .. list-table:: :widths: 15 75 * - **System Users** - - * Roles are assigned by the library creator or a library admin in the CMS. + * Roles are assigned by the library creator in the CMS. + * Roles can be assigned in the django admin dashboard. * - **System Role Options** - * Roles: - * The **Library Admin** has full control over the library, including managing users, modifying content, and handling publishing workflows. They ensure content is properly maintained and accessible as needed. - * The **Library Author** is responsible for creating, editing, and publishing content within a library. They can manage tags and collections but cannot delete libraries or manage users. - * The **Library Contributor** can create and edit content within a library but cannot publish it. They support the authoring process while leaving final publishing to Authors or Admins. - * The **Library User** can view and reuse content but cannot edit or delete anything. + * admin = Administer users and author content + * author = Author content + * read = Read-only * - **Example Use Cases** - 
@@ -160,10 +164,34 @@ content_libraries - v2 Library Roles - * Set in the CMS * Roles can be assigned through the CMS UI + * Roles can be assigned through the LMS django admin dashboard * Roles are assigned per library. * Roles can be assigned in the UI by an admin for the library or a user with the global_staff role. + * Connected to the django admin dashboard through admin.py file. + * - **Data Model** + - + * content_libraries_contentlibrarypermission table in the edx-platform LMS database with access_level, id, library_id, user_id, _sdc_deleted_at fields + +New +^^^^^ + +.. list-table:: + :widths: 15 75 + + * - **System Users** + - + * Roles are assigned by the library creator or a library admin in the CMS. + * - **System Role Options** + - + * `Open edX Authorization Content Libraries Roles`_. + * - **System Details** + - + * Roles can be assigned through Studio. + * Roles can be managed through the `openedx-authz `_ Rest API. * - **Data Model** - * Uses `Casbin `_ for policy-based access control. * Policies stored in casbin_rule table with fields: id, ptype, v0, v1, v2, v3, v4, v5. * Policy structure: subject (role/user), action (role/permission), scope (pattern), effect. + +.. _Open edX Authorization Content Libraries Roles: https://openedx-authz.readthedocs.io/en/latest/concepts/core_roles_and_permissions/content_library_roles.html#roles From 9825cefbac3e0e6933ee65b53aad90c27f4534b7 Mon Sep 17 00:00:00 2001 From: Maria Fernanda Magallanes Zubillaga Date: Tue, 16 Dec 2025 21:45:00 -0500 Subject: [PATCH 4/5] docs: change the distinction to before and starting ulmo --- .../Open_edX_Authorization_Explicit_Roles_Table.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst index abfef5465..a5ae44b45 100644 --- a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst 
+++ b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst @@ -140,8 +140,8 @@ edx-rbac content_libraries - v2 Library Roles ------------------------------------ -Legacy -^^^^^^^ +Old - Before Ulmo +^^^^^^^^^^^^^^^^^^ .. list-table:: :widths: 15 75 @@ -172,8 +172,8 @@ Legacy - * content_libraries_contentlibrarypermission table in the edx-platform LMS database with access_level, id, library_id, user_id, _sdc_deleted_at fields -New -^^^^^ +New - Starting Ulmo +^^^^^^^^^^^^^^^^^^^^ .. list-table:: :widths: 15 75 From 0330b600854dd12f7d3bd2282ffa98bea712b937 Mon Sep 17 00:00:00 2001 From: Maria Fernanda Magallanes Zubillaga Date: Thu, 18 Dec 2025 17:31:50 -0500 Subject: [PATCH 5/5] docs: change the last modified date --- oeps/best-practices/oep-0066-bp-authorization.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/oeps/best-practices/oep-0066-bp-authorization.rst b/oeps/best-practices/oep-0066-bp-authorization.rst index 696f5c6de..c18e6c01d 100644 --- a/oeps/best-practices/oep-0066-bp-authorization.rst +++ b/oeps/best-practices/oep-0066-bp-authorization.rst @@ -11,7 +11,7 @@ OEP-66: User Authorization * - Title - User Authorization * - Last Modified - - 2025-12-15 + - 2025-12-18 * - Authors - Hilary Sinkoff (hsinkoff@2u.com), Jeremy Bowman (jbowman@edx.org), Maria F Magallanes (maria.magallanes@edunext.co) * - Arbiter @@ -604,7 +604,7 @@ References Change History ************** -2025-12-15 +2025-12-18 ---------- * Update how the content libraries' permissions work to reflect the addition of `openedx-authz`.
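Review bot: in patch 1/5, hunk `@@ -332,15 +332,15 @@` of oep-0066-bp-authorization.rst, "The Open edX ecosystem uses multiple systems to manage these roles" has no antecedent for "these roles" once the image and its alt text are removed, because that paragraph now opens the section. Suggest "uses multiple systems to manage explicit roles, including ..." so the sentence stands on its own under the renamed heading. Dropping `:glob:` from the toctree is fine since the entry names a single file explicitly.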
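Review bot: in patch 1/5, hunk `@@ -479,8 +479,24 @@` of oep-0066-bp-authorization.rst, "centralizes roles and permissions across the Open edX platform, replacing the fragmented legacy system" overstates the current state, since two paragraphs later the same section says "openedx-authz only supports the default roles and permissions of content libraries". Suggest "intended to replace the fragmented legacy systems" (plural, matching the several role systems the table file lists) so a reader does not conclude that course roles, discussion roles or edx-rbac are already served by openedx-authz.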
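Review bot: in patch 3/5, hunk `@@ -160,10 +164,34 @@` of Open_edX_Authorization_Explicit_Roles_Table.rst, the **Data Model** row of the new section lists the raw `casbin_rule` columns (`id, ptype, v0, v1, v2, v3, v4, v5`) and, in a separate bullet, "subject (role/user), action (role/permission), scope (pattern), effect", but never says how the second maps onto the first, and "action (role/permission)" reads as two different things. Casbin stores two kinds of rows in that table, distinguished by `ptype`: policy rules (`p`) that grant a permission to a subject on a scope with an effect, and grouping rules (`g`) that assign a user to a role. Suggest splitting the bullet into those two shapes, each with its `v0..vN` column order as openedx-authz defines it, or linking to the model definition in the openedx-authz repository, so someone auditing the table can tell a role assignment from a permission grant. The same row in patch 1/5 (hunk `@@ -159,10 +160,10 @@`) has the identical wording.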
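Review bot: in patch 3/5, hunk `@@ -160,10 +164,34 @@` of Open_edX_Authorization_Explicit_Roles_Table.rst, the **System Details** row of the new section drops two statements that the legacy section keeps: that roles are assigned per library, and that a user with the `global_staff` role can assign library roles in addition to a library admin. Whether global staff still have that authority under openedx-authz is exactly the privilege-scope question a reader of this table will ask; please state it explicitly either way rather than leaving it to inference from the omission. Also "Rest API" should be "REST API".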
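Review bot: in patch 2/5, hunk `@@ -490,21 +492,15 @@` of oep-0066-bp-authorization.rst, the Content Libraries section ends with two back-to-back `.. note::` blocks, and the first one ("Since Ulmo, these permissions are handled by openedx-authz") carries the main point of the section while the body paragraphs above it describe the Studio "Manage Team" flow without saying which release they apply to. Suggest moving the Ulmo statement into the body text (e.g. "Starting with Ulmo, these roles are evaluated by openedx-authz; see ...") and keeping only the v1-libraries note as a note, and aligning the wording with the table file, which says "Starting Ulmo" rather than "Since Ulmo". In patch 3/5, hunk `@@ -105,12 +105,9 @@`, the list "`edx-rbac`_, `student_courseaccessrole`_ and :ref:..." also wants a comma before "and" to match the serial-comma style used elsewhere in the OEP.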