Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 2 Current »

This document outlines the core abstractions for the new Role-Based Access Control (RBAC) system. These abstractions are intended to facilitate discussion and guide the architectural design process. They are not final definitions but serve as a foundation for collaboration

Permission

A Permission defines what a user is allowed to do in the system.

Attributes:

  • Name: The specific permission granted (e.g., "Edit Course Content").

  • Description: A brief explanation of what the permission allows.

Examples:

  • "Publish Course"

  • "Edit Course Title"

  • "Delete Grade"

  • "Send Email"

Resource

A Resource is a subset of the platform. It represents a structured entity within the system

Types of Resources:

  • Global: The set of all organizations in the platform.

  • Organization: A set of courses. An administrative grouping for authoring and delivering learning experiences–typically an institution or department. A Course belongs to exactly one Organization.

  • Course: The parent of all course-runs for a specific course.

  • Course Run: A single instance of a course offering.

Example:

  • Global (contains all organizations in the platform)

    • Organization A

      • Course A

        • Course A - 1st Semester 2024 (Course Run)

        • Course A - 2nd Semester 2024 (Course Run)

      • Course B

        • Course B - 1st Semester 2024 (Course Run)

      • Course C

        • Course C - 2nd Semester 2024 (Course Run)

Scope

A Scope is a set of Resources where a permission applies. The abstractions includes the exceptions of a subset of Resources of the platform.

Attributes:

  • Scope: The specific entities included in the scope (e.g., "Organization Y AND Course B").

  • Exceptions: Resources explicitly excluded.

Examples:

  • Scope: "Organization X"

  • Exception: "Course 101"

Role

A Role is a set of permissions. Roles are stackable, meaning a user can hold more than one role simultaneously. Stackability implies that the user’s effective permissions are the union of all permissions granted by their assigned roles.

Attributes:

  • Name: The role name (e.g., "Instructor").

  • Permissions: The set of Permissions the role grants.

Examples:

Role: Instructor

  • Permissions:

    • "Edit Course Content"

    • "View Reports"

Role: Admin

  • Permissions:

    • "Delete Course"

    • "Manage Permissions"

Grant

A Grant relates a User with a Role and a Scope, mapping each permission to a Scope.

Attributes:

  • User: The individual receiving the role.

  • Role: The set of permissions assigned.

  • Scope: The resources where the role applies.

Examples:

  • User: Jane Doe → Role: Instructor → Scope: "Organization X"

  • User: John Smith → Role: Admin → Scope: "Global"

User Policies

User Policies define exceptions to standard role behavior.

Attributes:

  • User: The individual affected.

  • Permission: The action granted or restricted.

  • Scope: Where the exception applies.

Examples:

User Policy: Jane Doe

  • Permission: "Edit Course Content"

  • Scope: "Course 101"

User Policy: John Smith

  • Permission: "Delete Course"

  • Scope: "Organization Y"

  • No labels