OEP-66 RBAC (Role Based Access Control) - DRAFT #510
Conversation
| There are currently two distinct systems for adding course level roles that are comingled in the UI. | ||
| The database tables involved in the first system (course access roles) is the student_courseaccessrole table | ||
| and the database tables involved in the second system (discussion roles) are the django_comment_client_role table and associated tables. | ||
| Additionally, it is possible to grant a user access to a course using the Django Admin auth_permission table and associated tables. |
There was a problem hiding this comment.
Does this newline work for you? I was getting confused trying to see how this was related to the two distinct systems.
| Additionally, it is possible to grant a user access to a course using the Django Admin auth_permission table and associated tables. | |
| Additionally, it is possible to grant a user access to a course using the Django Admin auth_permission table and associated tables. |
| The database tables involved in the first system (course access roles) is the student_courseaccessrole table | ||
| and the database tables involved in the second system (discussion roles) are the django_comment_client_role table and associated tables. |
There was a problem hiding this comment.
Are these both in edx-platform? Are there other parts of this that are already used in multiple services? Maybe you could add some notes around this.
You do have the following below:
The current systems require developer work across multiple repos, MFEs, and IDAs ...
It might be helpful to clarify the parts that are cross-service (IDA) to make it clear this is an OEP, and not just an edx-platform level ADR. Somehow the "two distinct systems" is what sticks out the most when I'm reading this, and these seem to be contained in one service (I think).
See the "Decision" section for a similar comment.
|
|
||
| We will create a new system that utilizes permissions assigned to roles | ||
| which are assigned to users to grant access to different portions of the system. | ||
| This system will replace the two existing systems, course access roles and discussion roles. |
There was a problem hiding this comment.
Again, this decision seem focused on edx-platform systems (I think). Can you help clarify why this shouldn't just be an edx-platform ADR.
|
|
||
| Once completed this will remove one level of complexity from the overall authorization picture | ||
| by decreasing the systems involved by one, however during the interim it will add complexity by increasing | ||
| the number of involved systems and requiring all access checks to check for a role and a permission. |
There was a problem hiding this comment.
The term "system" is possibly confusing me. Will this check be within a service, or cross-service? Depending on the answer, we can discuss potential language. "System" made me think cross-service, but I don't know that that is the case.
| References | ||
| ********** | ||
|
|
||
| .. image:: oep-0066/rbac_overview.png |
There was a problem hiding this comment.
This image contains much more detail that is not in this document. Is there another doc that contains this information? Do you want a sub-document or other sections? For accessibility purposes (which would probably help most readers), having this information in doc form would be useful. We could discuss options.
Also, this image contains so much. Even just breaking it into 2 images, rather than one that is so wide, would help give each more room.
| - TBD | ||
|
|
||
| ******* | ||
| Context |
There was a problem hiding this comment.
I was surprised that there was no mention of the edx-rbac library. Is that being described below, but in other language? Is that not being discussed at all? It feels like an RBAC OEP should at least acknowledge this library and explain why it is or is not part of this OEP.
|
After speaking with @robrap and @feanil it has been decided that a best practice OEP for Authorization is needed and will include information on course level roles, but that an architecture OEP for this change is not needed. This information will be included in an ADR in the edx-platform repo and then documented as an authorization option in the best practice OEP. OEP-66 will be transformed into the Authorization best practice OEP. A new PR will be opened once a first draft of the authorization best practice OEP is ready. |
No description provided.