Improvements to Roles and Permissions #246

Open
1 task
e0d opened this issue Mar 31, 2023 · 22 comments

@e0d

e0d commented Mar 31, 2023

At-A-Glance

The Roles and Permissions system is being redesigned to allow more flexibility for creating custom roles and stacking permissions onto roles. The MVP will include one new role: Course Author with permissions to do everything in Studio and view live courses, but no access to the Instructor Dashboard/course run data.

More information

Product specs

Design files

Kanban board

Stakeholders

Primary Contributors

  • edX
  • edunext

Community release milestones

  • Quince:

  • Redwood: Target MVP

How to contribute

  • Has a community backlog with work to pick up?

Needs cited across the community:

  • more limited roles for authors
  • more nuance between instructor role and course author role
  • need to duplicate and reuse groups of permission settings
  • more customization of dashboard

Goal should probably be to align with industry standards, with incremental changes implemented over time.

Also need to connect to Core Product work and consider a workflow/dashboard (in LMS? in Studio?) where:

  • All roles are configured in one central location
  • If there are multiple places to configure roles, it is intentional and not confusing
@github-actions

Thanks for your submission, @openedx/open-edx-project-managers will review shortly.

@e0d e0d added the campus Of Interest to the Campus Working Group label Mar 31, 2023
@bryan-kersten

My team is looking to lead work on this project.

@jmakowski1123 jmakowski1123 added the epic Large unit of work, consisting of multiple tasks label Apr 14, 2023
@jmakowski1123

Collaborators:
-WGU

Paulo and ASU and Bryan coordinating on subset of features required for ASU

@itsjeyd

itsjeyd commented Apr 27, 2023

Paulo and ASU and Bryan coordinating on subset of features required for ASU

Yep! OpenCraft is planning to follow 2U's activities around this project, and to keep @bryan-kersten and his team in the loop on relevant PRs for ASU. We'll be looking for feedback on any aspects that might clash with 2U's plans and/or could be implemented in a different way that would better support future efforts and refactorings from Bryan's team.

@bryan-kersten

Hi @itsjeyd, can you share here the specific PRs that you'll be completing for ASU? Just want to make sure we have that noted as we work towards the larger project.

@itsjeyd

itsjeyd commented May 10, 2023

Hey @bryan-kersten, thanks for checking in! The PRs that OpenCraft submitted for ASU so far are:

@0x29a If the list above is missing something, please let me know.

In terms of additional features related to fine-grained RBAC, we're back to the drawing board for now: ASU found a way to leverage existing functionality to address some of their needs in the short term. So the next step will be to iterate on their requirements for new capabilities and define more precisely what they would like us to add to the platform.

We'll keep you in the loop on that.

In the meantime, if you have any design docs or specs for the functionality that your team is planning to implement, please let us know.

CC @cassiezamparini @viadanna

@bryan-kersten

Thanks Tim. Really appreciate you sharing this info and keeping me in the loop as requirements iterate. We are in the process of gathering a larger understanding of the problem set around RBAC. As we get that together I will share with you here so we can be sure to capture the broader sentiment of the community before we hone in on prioritization and approach.

@itsjeyd

itsjeyd commented May 11, 2023

That sounds great @bryan-kersten, thanks for the update!

CC @cassiezamparini @viadanna @0x29a

@robrap

robrap commented May 12, 2023

[inform] In addition to this roadmap item, I created and linked openedx/open-edx-proposals#479, which explores more of the implementation details across the platform.

@jmakowski1123

@itsjeyd

itsjeyd commented Jul 27, 2023

For the latest batch of updates about this epic, see 7-21-2023 - Campus Working Group Meeting Notes (first item).

@hsinkoff
Member

Tech Spec related to the RBAC project.

@hsinkoff
Member

Update:
The Tech Spec has been posted to Slack and Discourse. We have not received any feedback since posting it, but have requested all feedback be provided by August 23rd, 2023.

At this time the plan is to move forward with adding a new course roles system beginning after the 23rd. We will incorporate any feedback received before proceeding and then will move forward with adding the new system; first for usage with a new role(s) and then, if this option proves successful, we will begin switching existing roles to the new system.

In addition to the technical plan, we have created a permission grid with a list of around 20 permissions that would be assignable to a role. Please review these permissions and provide any feedback you may have to bbrown1@2u.com by Friday September 1st, 2023.

Some things of note while reviewing the proposed permissions:

  • When possible, permissions should span features; feature-specific permissions will be used only when absolutely necessary
  • Permissions are stacked to create roles
  • Tab 2 (r&p) shows the mapping for all current student_courseaccessrole and django_comment_client role roles and three potential new roles

@mariajgrimaldi
Member

mariajgrimaldi commented Sep 7, 2023

Thanks, @hsinkoff, for sharing the proposal with @felipemontoya and me. I hope this is still useful, thanks for the patience!

We came up with an idea after carefully studying the requirements of the Spanish Consortium Project (the initiative behind the Flexible Groups requirement) alongside the new system's proposal. Since the flexible group requirement strongly inclines towards having an instructor-like course role that manages a group of students, we came up with a new set of permissions for you folks to consider:

A set of permissions (like Manage students and Manage gradebook) but the students belong to a cohort (or any other grouping strategy). Here are some examples of what a user with this permission could do:

The user with this permission who belongs to cohort A could:

  • Grade a student if and only if the student belongs to that cohort.
  • Reset students' attempts if and only if the student belongs to that cohort.

And so on.

This permission denies access to resources that don't belong to that grouping. Or even, instead of just considering grouping strategies, this permission could behave like a Manage students if <cond> where cond could be:

  • If belongs to a cohort
  • If speaks English
  • If belongs to a team

And so on. This way, we can filter the dataset the user can actually interact with. We think this could be easily implemented by adding Open edX Filters that filter the students' dataset after checking for permissions.

Please, let us know what you think. We're willing to collaborate to move this forward if necessary. Thanks!
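
The following added example (not part of the comment above and not Open edX code) models permissions stacked into roles, as in the permission grid note, with a grant optionally scoped by a condition such as cohort membership, as proposed in this comment. All names (`Grant`, `Role`, `can`, the permission strings) are hypothetical, and the sample students are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Student:
    username: str
    cohort: Optional[str] = None

@dataclass(frozen=True)
class Grant:
    permission: str  # hypothetical permission name
    # None = unscoped grant; otherwise it applies only where this returns True.
    condition: Optional[Callable[[Student], bool]] = None

@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple  # a role is a stack of grants

def in_cohort(name):
    return lambda student: student.cohort == name

def can(roles, permission, student):
    """Object-level check: deny unless some grant covers this student."""
    for role in roles:
        for grant in role.grants:
            if grant.permission != permission:
                continue
            if grant.condition is None:
                return True
            try:
                if grant.condition(student):
                    return True
            except Exception:
                continue  # a failing condition never widens access
    return False

def visible_students(roles, permission, students):
    """Filter the dataset to the students the caller may act on."""
    return [s for s in students if can(roles, permission, s)]

def reset_attempts(roles, student):
    if not can(roles, "manage_students", student):
        raise PermissionError(f"manage_students denied for {student.username}")
    return f"attempts reset for {student.username}"

# Constructed sample data; role and permission names are assumptions.
STUDENTS = [Student("ana", "A"), Student("bo", "B"), Student("cy")]
COHORT_A_INSTRUCTOR = Role("cohort_a_instructor", (
    Grant("manage_students", in_cohort("A")), Grant("manage_gradebook", in_cohort("A"))))
COURSE_AUTHOR = Role("course_author", (Grant("edit_course"),))
```

Filtering a listing does not by itself protect the action endpoints, so `reset_attempts` repeats the object-level check rather than trusting that the caller only saw permitted students.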

@hsinkoff
Member

@mariajgrimaldi Thank you for reviewing the proposal.

We are moving forward with the MVP and Phase 1 of the project at this time.

It was decided that the MVP will include permissions that replicate the existing access levels that roles provide and that Phase 1 would include the work needed to transition existing roles into the new system. The system is being designed in a way that will give it flexibility for adding new permissions that correspond to new functionality at a later date.

The permission Maria and Felipe have proposed sounds like new functionality so it will not fit into the guidelines for our MVP or Phase 1, but we do think it sounds like a good candidate for a future permission once the MVP and Phase 1 are complete.

Happy to follow-up after we’ve delivered the new permissions system.

@felipemontoya
Member

@hsinkoff thanks a lot for reviewing @mariajgrimaldi's proposal. We would be very interested in pursuing this. Would you be open to a collaboration where we write the code for the new role and the necessary functionality to make it land during Phase 1, or shortly after if part of the MVP is definitely not possible?

@hsinkoff
Member

@felipemontoya, yes we would be open to collaborating with you on this. I'll reach out to you in Slack to set up some time to discuss the specific details and make sure we're all on the same page.

@hsinkoff
Member

Status Update

Implementation work is in progress with the current focus on model setup and adding permission checking to all current locations where roles are checked. Work is also being done to finalize names and descriptions for the permissions that will be used to build the existing (and new) roles.

The initial work will be additive and will check permissions in addition to the existing roles. Work is being completed on a feature branch.

@jmakowski1123 jmakowski1123 changed the title Fine grained RBAC Improvements to Roles and Permissions Sep 22, 2023
@jmakowski1123 jmakowski1123 added redwood and removed epic Large unit of work, consisting of multiple tasks labels Sep 22, 2023
@hsinkoff
Member

Status Update

Implementation work is ongoing. It was determined that the work should be held for the Redwood release and as a result no work is on the master branch at this time. The first portion of work is expected to be merged to the master branch in the coming weeks.

The focus of the current work is coding the permissions definitions so that when a permissions-based role is added the code grants the correct access.

@hsinkoff
Member

Status Update

The CourseRoles service PR is up for review. This will be the first of many PRs required for this work, but will set up the foundational requirements of a new roles and permissions system for course level roles. Within the next month we anticipate additional PRs (in both edx-platform and frontend-app-course-authoring) that add functionality and permissions usage.

@hsinkoff
Member

Status Update

Work on this project is ongoing. There are no new changes to report on the status of the work.

@jristau1984

Hello Open edX Community -

The 2U team currently working on the CourseRoles project is pausing their work for the foreseeable future. This pause is happening because additional role granularity is no longer prioritized. If any community members are interested and able to pick up this project, please consider working on it.

All work related to the project is in two feature branches, one in the edx-platform repo and one in the frontend-app-course-authoring repo.

Documentation relating to the current technical progress of the project and open questions has been added to the docs folder in the edx-platform branch. Additionally, documentation about checking access has been added in the frontend-app-course-authoring docs/authorization folder.

Axim has more detailed next step options for consideration if an individual or team chooses to pick up this project. The next steps should be chosen in consultation with Axim and the campus working group.

Labels
None yet
Projects
Status: Being Developed
Development

No branches or pull requests

9 participants