/
System Abstractions

System Abstractions

Owned by Guillermo Viedma
Last updated: Feb 19, 2025
2 min read

This document outlines the core abstractions for the new Role-Based Access Control (RBAC) system. These abstractions are intended to facilitate discussion and guide the architectural design process. They are not final definitions but serve as a foundation for collaboration

Permission

A Permission defines what a user is allowed to do in the system.

Attributes:

  • Name: The specific permission granted (e.g., "Edit Course Content").

  • Description: A brief explanation of what the permission allows.

Examples:

  • "Publish Course"

  • "Edit Course Title"

  • "Delete Grade"

  • "Send Email"

 

 

Resource

A Resource is a subset of the platform. It represents a structured entity within the system

Types of Resources:

  • Site: The set of all organizations in the platform.

  • Organization: A set of courses. An administrative grouping for authoring and delivering learning experiences–typically an institution or department. A Course belongs to exactly one Organization.

  • Course: An entity that serves as a container for multiple Course Runs.

  • Course Run: A single instance of a course offering.

Example:

  • Global (contains all organizations in the platform)

    • Organization A

      • Course A

        • Course A - 1st Semester 2024 (Course Run)

        • Course A - 2nd Semester 2024 (Course Run)

      • Course B

        • Course B - 1st Semester 2024 (Course Run)

      • Course C

        • Course C - 2nd Semester 2024 (Course Run)

 

 

Scope

A Scope is a set of Resources where a permission applies. The abstractions includes the exceptions of a subset of Resources of the platform.

Attributes:

  • Scope: The specific entities included in the scope (e.g., "Organization Y AND Course B").

  • Exceptions: Resources explicitly excluded.

Examples:

  • Scope: "Organization X"

  • Exception: "Course 101"

 

 

Role

A Role is a set of permissions. Roles are stackable, meaning a user can hold more than one role simultaneously. Stackability implies that the user’s effective permissions are the union of all permissions granted by their assigned roles.

Attributes:

  • Name: The role name (e.g., "Instructor").

  • Permissions: The set of Permissions the role grants.

Examples:

Role: Instructor

  • Permissions:

    • "Edit Course Content"

    • "View Reports"

Role: Admin

  • Permissions:

    • "Delete Course"

    • "Manage Permissions"

 

 

Grant

A Grant relates a User with a Role and a Scope, mapping each permission to a Scope.

Attributes:

  • User: The individual receiving the role.

  • Role: The set of permissions assigned.

  • Scope: The resources where the role applies.

Examples:

  • User: Jane Doe → Role: Instructor → Scope: "Organization X"

  • User: John Smith → Role: Admin → Scope: "Global"

 

 

User Policies

User Policies define exceptions to standard role behavior.

Attributes:

  • User: The individual affected.

  • Permission: The action granted or restricted.

  • Scope: Where the exception applies.

Examples:

User Policy: Jane Doe

  • Permission: "Edit Course Content"

  • Scope: "Course 101"

User Policy: John Smith

  • Permission: "Delete Course"

  • Scope: "Organization Y"

Related content

PRD Roles & Permissions
PRD Roles & Permissions
Open edX Product Management
More like this
Meeting notes 2025-02-05
Meeting notes 2025-02-05
Open edX Product Management
More like this
Technical Approach: Roles and Permissions
Technical Approach: Roles and Permissions
Open edX Product Management
More like this
2025-02-11 Core Product Meeting notes
2025-02-11 Core Product Meeting notes
Open edX Community
Read with this
RBAC Tech Spec
RBAC Tech Spec
Open edX Community
More like this
Authorization
Authorization
Open edX Product Management
More like this