openedx · MaferMazu · Dec 18, 2025 · Dec 12, 2025 · Dec 15, 2025 · Dec 15, 2025
diff --git a/oeps/best-practices/oep-0066-bp-authorization.rst b/oeps/best-practices/oep-0066-bp-authorization.rst
@@ -11,9 +11,9 @@ OEP-66: User Authorization
    * - Title
      - User Authorization
    * - Last Modified
-     - 2023-10-20
+     - 2025-12-18
    * - Authors
-     - Hilary Sinkoff (hsinkoff@2u.com), Jeremy Bowman (jbowman@edx.org)
+     - Hilary Sinkoff (hsinkoff@2u.com), Jeremy Bowman (jbowman@edx.org), Maria F Magallanes (maria.magallanes@edunext.co)
    * - Arbiter
      - Feanil Patel (feanil@axim.org)
    * - Status
@@ -105,12 +105,9 @@ Role Based Access Control. A system in which roles are assigned to a user
 in order to grant that user permission to perform specific operations.
 
 There are multiple RBAC implementations in use within the Open edX codebase,
-including, but not limited to, `edx-rbac`_ and `student_courseaccessrole`_.
+including, but not limited to, `edx-rbac`_, `student_courseaccessrole`_ and :ref:`openedx-authz <openedx-authz-section>`.
 The implementations will be described in detail below.
 
-.. _student_courseaccessrole: https://github.com/openedx/edx-platform/blob/master/common/djangoapps/student/roles.py
-.. _edx-rbac: https://github.com/openedx/edx-rbac/tree/master
-
 Explicit Role
 -------------
 A role that is specifically assigned to a user with
@@ -332,15 +329,15 @@ Open edX Auth Overview Diagram
 
   oep-0066/Open_edX_Auth_Overview_Table.rst
 
-Open edX Authorization Explicit Roles Diagram
----------------------------------------------
+Open edX Authorization Explicit Roles
+-------------------------------------
+
+The Open edX ecosystem uses multiple systems to manage these roles, including course-level roles, discussion roles, Django admin permissions, edx-rbac, and content library permissions. Each system has distinct role assignment mechanisms, data models, and use cases.
 
-.. image:: oep-0066/Open_edX_Authorization_Explicit_Roles.png
-  :alt: A diagram that shows the different systems/protocols that are used to control explicit roles in the Open edX codebase. The information in the diagram is also in the Open edX Authorization Explicit Roles Table (linked to in this document).
+For detailed information about each explicit role system, including system users, role options, use cases, implementation details, and data models, see:
 
 .. toctree::
   :maxdepth: 1
-  :glob:
 
   oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst
 
@@ -479,16 +476,28 @@ authn data point, but is an accepted way to implement feature specific roles and
 It is advisable to be very careful regarding the jwt token header limits if adding a new feature specific
 set of roles using this implementation path.
 
-content_libraries_contentlibrarypermission
-------------------------------------------
+.. _openedx-authz-section:
+
+openedx-authz
+-------------
+
+Open edX AuthZ is a unified authorization framework that centralizes roles and permissions across the Open edX platform, replacing the fragmented legacy system.
+
+The `openedx-authz`_ package uses the `Casbin`_ policy-based evaluation framework to ensure scalable and consistent authorization. This approach standardizes policy storage and provides a unified API, making it easier to maintain and extend authorization logic across the entire ecosystem.
+
+Currently, openedx-authz only supports the default roles and permissions of content libraries, but the idea is to extend its capabilities to the entire Open edX system.
 
-Permission is granted on a Feature, in this case Content Library.
+For more information, see the `openedx-authz documentation`_ and the `openedx-authz repository`_.
 
-Permission is assigned in the CMS exclusively for providing explicit permission to
-view or edit a library in the CMS.
+Content Libraries
+------------------
 
-It grants access on a library by library basis and is used for v2 of content libraries
-in the CMS.
+Roles and permissions are granted on a per-library basis for v2 content libraries.
+
+Explicit roles can be assigned through Studio by accessing the library and selecting the "Manage Team" option. This provides granular control over who can view, edit, or administer each content library.
+
+.. note::
+  Since Ulmo, these permissions are handled by :ref:`openedx-authz <openedx-authz-section>`.
 
 .. note::
   v1 libraries (deprecated) granted access to libraries on a course by course basis
@@ -581,9 +590,27 @@ References
 
 `bridgekeeper <https://bridgekeeper.readthedocs.io/en/latest/index.html>`_
 
+`Casbin`_
+
+`openedx-authz`_
+
+.. _student_courseaccessrole: https://github.com/openedx/edx-platform/blob/master/common/djangoapps/student/roles.py
+.. _edx-rbac: https://github.com/openedx/edx-rbac/tree/master
+.. _openedx-authz: https://github.com/openedx/openedx-authz
+.. _Casbin: https://casbin.org/
+.. _openedx-authz documentation: https://github.com/openedx/openedx-authz/blob/main/README.rst
+.. _openedx-authz repository: https://github.com/openedx/openedx-authz
+
 Change History
 **************
 
+2025-12-18
+----------
+
+* Update how the content libraries' permissions work to reflect the addition of `openedx-authz`.
+* Add `openedx-authz` information.
+* `Pull request #760 <https://github.com/openedx/open-edx-proposals/pull/760>`_
+
 2024-01-23
 ----------
 

diff --git a/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst b/oeps/best-practices/oep-0066/Open_edX_Authorization_Explicit_Roles_Table.rst
@@ -139,6 +139,10 @@ edx-rbac
 
 content_libraries - v2 Library Roles
 ------------------------------------
+
+Old - Before Ulmo
+^^^^^^^^^^^^^^^^^^
+
 .. list-table:: 
    :widths: 15 75
 
@@ -152,6 +156,7 @@ content_libraries - v2 Library Roles
           * admin = Administer users and author content
           * author = Author content
           * read = Read-only
+
    * - **Example Use Cases**
      - 
        * v2 Content Library Service
@@ -166,3 +171,27 @@ content_libraries - v2 Library Roles
    * - **Data Model**
      - 
        * content_libraries_contentlibrarypermission table in the edx-platform LMS database with access_level, id, library_id, user_id, _sdc_deleted_at fields
+
+New - Starting Ulmo
+^^^^^^^^^^^^^^^^^^^^
+
+.. list-table:: 
+   :widths: 15 75
+
+   * - **System Users**
+     - 
+       * Roles are assigned by the library creator or a library admin in the CMS.
+   * - **System Role Options**
+     - 
+       * `Open edX Authorization Content Libraries Roles`_.
+   * - **System Details**
+     - 
+       * Roles can be assigned through Studio.
+       * Roles can be managed through the `openedx-authz <https://github.com/openedx/openedx-authz>`_ Rest API.
+   * - **Data Model**
+     - 
+       * Uses `Casbin <https://casbin.org/>`_ for policy-based access control.
+       * Policies stored in casbin_rule table with fields: id, ptype, v0, v1, v2, v3, v4, v5.
+       * Policy structure: subject (role/user), action (role/permission), scope (pattern), effect.
+
+.. _Open edX Authorization Content Libraries Roles: https://openedx-authz.readthedocs.io/en/latest/concepts/core_roles_and_permissions/content_library_roles.html#roles