diff --git a/oeps/best-practices/oep-0066-bp-authorization.rst b/oeps/best-practices/oep-0066-bp-authorization.rst index 9e193706b..c9fce5de7 100644 --- a/oeps/best-practices/oep-0066-bp-authorization.rst +++ b/oeps/best-practices/oep-0066-bp-authorization.rst 
@@ -395,12 +395,69 @@ django_comment_client_role Explicit roles are assigned to users on a course level basis. +Each role is made up of a combination of permissions stored in the database. + These roles require that the user already be enrolled in the course (have an enrollment, audit or verified). Roles are assigned through the LMS in the same place in the UI as the student_courseaccessrole roles. They can also be granted in the LMS Django Admin Dashboard. +Access is granted through a combination of checking a user's role and checking if a user has a specified permission. +In some situations, the code also checks if a user has a combination (and or or) of permissions to grant access. + +course_roles_role (Proposed Service) +------------------------------------ + +.. note:: + Code related to the course_role schema is in progress. + This section describes the intended usage, but not all portions have been implemented at this time. + The code is not being used in production at this time. + +Explicit course level roles are assigned to users. The roles grant access on the course level, +but can also be assigned organization or instance wide. + +**Permissions:** + +Each role is a combination of the permissions found in the course_roles_permission database table. +The permissions in course_roles_permission are used to determine authorization (access) within the code. As a result, +new roles can be added to the database, connected to existing permissions, and utilized in the system +with minimal effort. + +**Role Assignment** + +A course_roles_role can be assigned to a user in the LMS, CMS, or Django Admin Dashboard. +These three locations are stored in the course_roles_service database table. +If needed, additional UI locations can be added at a later date. +When a course_roles_role is created, a course_roles_roleservice database row (or rows) should also be created that link the role to the UI service where the role should be assignable to users. 
+The course_roles_role list will be filtered by course_roles_roleservice values to determine which roles to show in each UI role assignment page (Course Team, Membership, Course_Roles). + +Each role assignment will generate one row in the course_roles_userrole database table. The values +in the row will determine if the user is granted access for a single course, all +courses in the org, or all courses in the instance. + +* If a userrole is assigned to a course, it grants access based on the related permissions to that course. +* If a userrole is assigned on an organization wide level, it grants access based on the related permissions to all courses that belong to the organization. +* If a userrole is assigned on an instance wide level, it grants access based on the related permissions to all courses that belong to the instance. + +The course_roles_userrole database table utilizes foreign keys to user, role, course (CourseOverview), and organization. It is not +possible to assign a course_roles_userrole on an object that is not a course (does not have a CourseOverview) in the database. + +.. note:: + Once the proposed course_roles architecture is created, the next planned step is to migrate + existing student_courseaccessrole roles to the course_roles schema and deprecate the student_courseaccessrole roles. + The comment_client roles are also being considered for migration to course_roles, but are considered lower + priority because they are already based upon permissions. + +.. image:: oep-0066/Open_edX_Course_Roles_Proposal.png + :alt: A diagram that provides an overview of the proposed architecture for course_roles. The information in the diagram is also in the Open edX Course Roles Proposal Table (linked to in this document). + +.. toctree:: + :maxdepth: 1 + :glob: + + oep-0066/Open_edX_Course_Roles_Proposal_Table.rst + edx-rbac -------- 
@@ -523,6 +580,13 @@ References Change History ************** +2024-01-23 +---------- + +* Update django_comment_client_role section +* Add draft course_roles section +* `Pull request #556 `_ + 2023-10-23 ---------- diff --git a/oeps/best-practices/oep-0066/Open_edX_Authorization.png b/oeps/best-practices/oep-0066/Open_edX_Authorization.png deleted file mode 100644 index f9f1315a7..000000000 Binary files a/oeps/best-practices/oep-0066/Open_edX_Authorization.png and /dev/null differ diff --git a/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal.png b/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal.png new file mode 100644 index 000000000..4b8c374e3 Binary files /dev/null and b/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal.png differ diff --git a/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal.xml b/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal.xml new file mode 100644 index 000000000..96f2b8557 --- /dev/null +++ b/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal.xml @@ -0,0 +1,314 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal_Table.rst b/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal_Table.rst new file mode 100644 index 000000000..2f89d6d07 --- /dev/null +++ b/oeps/best-practices/oep-0066/Open_edX_Course_Roles_Proposal_Table.rst 
@@ -0,0 +1,119 @@ +Open edX Course Roles Proposal Table +################################################### + +edX Platform - student_courseaccessrole +--------------------------------------- +.. list-table:: + :widths: 15 75 + + * - **System Users** + - + * Roles are assigned by instructors in the LMS and by CMS admins in the CMS. + * Roles are assigned to users (other than students) who need elevated access in the LMS or CMS, but roles may also apply to other systems. + * Roles can be assigned in the django admin dashboard. + * - **System Role Options** + - + * Example roles as named in db: instructor, staff, beta_tester, etc. + * Example roles as named in Instructor Dashboard/Course Teams: Admin, Staff, Beta Tester, etc. + * - **Example Use Cases** + - + * Course level access + * Course Level Access, granted across an org of the system + * Role/Permission set likely to be needed for many users + * Roles need to be assignable within the UI + * Roles need to be assignable by others with a specific role on the course + * - **System Details** + - + * LMS + * Instructor role can access and assign course roles + * Roles can be assigned in the membership tab on the instructor dashboard page + * Roles assigned in the LMS may exist in the CMS + * CMS + * Admin role can access and assign course roles + * Roles can be assigned on course team page + * Roles assigned in the CMS must also exist in the LMS + * Connected to the django admin dashboard through admin.py file. + * Roles assigned on a course by course basis, an org by org basis, or for the entire system. + * - **Data Model** + - + * student_courseaccessrole database table in the edx-platform LMS database with course_id, id, org, role, user_id, _sdc_deleted_at fields + + *Note: If the course_id column is an empty string the role is for the org, if the org and course_id are empty strings the role is for the entire system.* + +comment_client - Discussion Roles +--------------------------------- +.. 
list-table:: + :widths: 15 75 + + * - **System Users** + - + * Roles are assigned by instructors in the LMS. + * Roles can be assigned to any user who needs elevated access to Discussions. + * The role of administrator cannot be removed from the instructor. + * - **System Role Options** + - + * Example roles as named in the db: Administrator, Moderator, etc. + * Example roles as named in Instructor Dashboard: Discussion Admin, Discussion Moderator, etc. + * - **Example Use Cases** + - + * Discussion Service + * - **System Details** + - + * LMS + * Instructor role can access and assign discussion roles + * Roles can be assigned in the membership tab on the instructor dashboard page + * Roles assigned in the LMS only apply to the LMS Discussions + * Administrator role is given to the instructor by default and cannot be removed. Additional administrators can be added + * - **Data Model** + - + * All tables are in the edx-platform LMS database + * django_comment_client_role table with course_id, id, name fields + * django_comment_client_role_users table with id, role_id, user_id, _sdc_deleted_at fields + * django_comment_client_permission_roles table with id, role_id, permission_id fields + * django_comment_client_permission table with name field + +edX Platform - course_roles_role +-------------------------------- +.. list-table:: + :widths: 15 75 + + * - **System Users** + - + * Roles are assigned by instructors in the LMS and by CMS admins in the CMS. + * Roles are assigned to users (other than students) who need elevated access in the LMS or CMS, but roles may also apply to other systems. + * Roles can be assigned in the django admin dashboard. + * - **System Role Options** + - + * Once implemented, the planned roles include current student_courseaccessrole roles and potentially comment_client roles. + * Existing roles and role assignments would be migrated from student_courseaccess and potentially comment_client. 
+ * - **Example Use Cases** + - + * Course level access + * Course Level Access, granted org or instance wide + * Role/Permission set likely to be needed for many users + * Roles need to be assignable within the UI + * Roles need to be assignable by others with a specific role on the course + * - **System Details** + - + * LMS + * Instructor role can access and assign course roles + * Roles can be assigned in the membership tab on the instructor dashboard page + * Roles assigned in the LMS may exist in the CMS + * CMS + * Admin role can access and assign course roles + * Roles can be assigned on course team page + * Roles assigned in the CMS must also exist in the LMS + * Connected to the django admin dashboard through admin.py file. + * Roles assigned on a course by course basis, as org wide basis, or a system/instance wide basis. + * - **Data Model** + - + * All tables are in the edx-platform LMS database + * course_roles_role table with name, id fields + * course_roles_permission table with name, id fields + * course_roles_rolepermission table with role_id, permission_id, id fields + * course_roles_userrole table with user_id, role_id, course_id, organization_id, id fields + * course_roles_service table with name, id fields + * course_roles_roleservice table with role_id, service_id, id fields + + *Note: If the course_id column is empty the role is org wide, if the organization_id and course_id are empty the role is instance/system wide.* + \ No newline at end of file
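Review bot: the org-wide and instance-wide bullets in the new course_roles_role section leave the evaluation and assignment rules undocumented, which matters because a single course_roles_userrole row with no course set grants the role's permissions across every course in an organization or the whole instance. Please state how a course's organization is resolved when an org-wide assignment is checked, whether course-level, org-level and instance-level assignments for the same user are combined (union) or take precedence over one another, and which of the three assignment locations (LMS, CMS, Django Admin Dashboard) are allowed to create org- and instance-wide rows, since the text says a course_roles_role can be assigned in any of them. The sentence "It is not possible to assign a course_roles_userrole on an object that is not a course" also sits awkwardly next to the org/instance bullets; clarify that the foreign key constrains course_id when it is set, while org- and instance-wide rows leave it unset. Minor wording: "(and or or)" reads badly, suggest "(all of, or any of)".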
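Review bot: the new change-history entry's link `Pull request #556 `_ has no URL target between angle brackets, so Sphinx will report an unknown target for the reference; add the PR URL inside `<...>`. This diff also deletes oeps/best-practices/oep-0066/Open_edX_Authorization.png, but none of the visible hunks removes a corresponding `.. image::` directive; please confirm no remaining reference to that file exists in the document, otherwise the build will emit a missing-image warning.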
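Review bot: in the course_roles_role table's System Role Options cell, "migrated from student_courseaccess" should read "student_courseaccessrole" to match the table name used everywhere else in the file; in System Details, "as org wide basis" should be "an org wide basis". The Data Model note states that a course_roles_userrole row with empty organization_id and course_id is instance/system wide. Since that is the broadest grant in the model, please document the validation that prevents an unintentionally empty pair (for example, that both fields may only be unset through a deliberate assignment path), so that a missing foreign key cannot silently widen the scope of a role. Also add a trailing newline; the file currently ends with "\ No newline at end of file".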