Hypothesis: An intentional separation between each of the concepts below will allow us to have more flexibility in the platform without much-added complexity:
• Application(OAuth-)Client-level permissions are implemented as OAuth Scopes and captured in OEP-4.
• System-wide Roles are a set of roles that are to be used across the platform. They are configurable for the instance of the platform. That is, different Open edX instances may have different sets of Roles.
• System-wide User-Roles are mappings between users and system-wide roles, stored in a centralized user service (LMS today). They are communicated in JWT Tokens so different IDAs different Features can enforce them.
• IDA Feature-specific Roles are mappings between System-wide Roles and IDAFeature-specific Roles. These are specific to the IDA the Feature and configurable for the instance of the platform.
• IDAFeature-specific Role-Permissions are mappings between IDAFeature-specific Roles and IDAFeature-specific Permissions.
• IDAFeature-specific Permissions are relevant to the features specific to the IDA the Feature and implemented as described in OEP-9.
...