...

  1. We have a separate service that XBUS can call that will return the various roles a user has in a given course (e.g. "student", "staff", "beta-tester"). Based on that information, XBUS makes its own determination as to whether carlos should be allowed to see jarvis's information.
  2. We store permissions in a more centralized manner. XBUS declares that it has some parameterized permission read_user_state_course (whether that's dynamic or we use some naming convention), and it asks a central authorization service whether carlos has that permission for this course.
  3. We write the relevant group information to the JWT. This might be things like "edx-staff" as well as all org-level groups and course-level groups. This may grow large over time.
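As an added illustration (not code from the original note or from XBUS), the snippet below makes the same decision, whether carlos may read jarvis's state in a course, from the two sources options #1 and #3 describe: a roles service that XBUS queries, and group claims carried in the JWT. The role names, the `course:<course_id>:<role>` group naming convention, the course id and the stub role service are all assumptions.

```python
# Added example, not code from the original note or from XBUS: one policy
# function answering "may carlos read jarvis's state in this course?", fed
# either by a roles service (option 1) or by group claims in a JWT
# (option 3). Role names, group naming and the stub service are assumptions.
import base64
import json

PRIVILEGED_ROLES = {"staff", "instructor"}  # assumed policy

# Option 1: stand-in for the separate roles service (constructed data).
ROLE_SERVICE = {
    ("carlos", "course-v1:X+101"): {"staff"},
    ("jarvis", "course-v1:X+101"): {"student"},
}

def fetch_roles(user, course):
    """Stub for the role-service call; unknown users get no roles."""
    return ROLE_SERVICE.get((user, course), set())

def can_read_user_state(requester, target, course_roles):
    """XBUS's own decision: self-reads allowed, others need a privileged role."""
    return requester == target or bool(PRIVILEGED_ROLES & set(course_roles))

def decide_via_role_service(requester, target, course):
    return can_read_user_state(requester, target, fetch_roles(requester, course))

# Option 3: roles derived from JWT group claims, under an assumed
# 'course:<course_id>:<role>' naming convention for course-level groups.
def roles_from_groups(groups, course):
    prefix = f"course:{course}:"
    return {g[len(prefix):] for g in groups if g.startswith(prefix)}

def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def make_sample_jwt(claims):
    """Constructed, unsigned token so this runs offline; verify signatures first."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(jwt):
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def decide_via_jwt(jwt, target, course):
    claims = decode_payload(jwt)
    roles = roles_from_groups(claims.get("groups", []), course)
    return can_read_user_state(claims["sub"], target, roles)
```

Both paths deny by default: a requester with no role in the course, or a token whose course groups belong to a different course, gets no access.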

Option #2 theoretically gives us more flexibility, but what little I found discussing this (an O'Reilly microservices book, a Quora post, a video presentation) describes having a centralized permissions system as extremely painful. Some quotes:

...