Authoring Roles and Permissions

Status

This is a draft for scope alignment. Feedback is welcome.

Purpose

Define the permissions expected for Studio Authoring, what each permission covers, and which roles should have it. Items that still need validation are listed at the end.

These roles are proposed for Studio Authoring and map to the permission catalog below. They are meant to introduce clearer boundaries than the current broad legacy Staff patterns, without changing legacy authorization outside the authoring scope.


1. Permission catalog

Course access, creation, and content

  • courses.view_course
    View the course in the course list and access the course outline in read-only mode. Includes the “View Live” entry point.

  • courses.create_course
    Create a new course in Studio.

  • courses.edit_course_content
    Edit course content, outline, units, and components.

  • courses.publish_course_content
    Publish course content.

Library updates

  • courses.manage_library_updates
    Accept or reject library updates in Studio.

Course updates and handouts

  • courses.view_course_updates
    View course updates and handouts.

  • courses.manage_course_updates
    Manage course updates and handouts: create, edit, and delete.

Pages and Resources

  • courses.view_pages_and_resources
    View Pages and Resources.

  • courses.manage_pages_and_resources
    Edit Pages and Resources, including toggles and content managed from that section.

Files

  • courses.view_files
    View the Files page.

  • courses.create_files
    Upload files.

  • courses.edit_files
    Non-destructive file actions, for example lock or unlock. The exact actions depend on implementation.

  • courses.delete_files
    Delete files.

Schedule and Details

  • courses.view_schedule
    View course schedule.

  • courses.edit_schedule
    Edit course schedule.

  • courses.view_details
    View course details.

  • courses.edit_details
    Edit course details. Includes Course Summary, Course Pacing, Course Details, and Course Pre requisite.

Grading settings

  • courses.view_grading_settings
    View grading settings page.

  • courses.edit_grading_settings
    Edit grading settings.

Course team and groups

  • courses.view_course_team
    View the course team roster.

  • courses.manage_course_team
    Edit course team membership and roles.

  • courses.manage_group_configurations
    Manage content groups.

Tags and taxonomies

  • courses.manage_tags (placeholder name)
    Create, edit, and delete tags.

  • courses.manage_taxonomies (placeholder name)
    Create, edit, and delete taxonomies.

Advanced and certificates

  • courses.manage_advanced_settings
    Access and edit Advanced Settings.

  • courses.manage_certificates
    Access and edit Certificates.

Import and export

  • courses.import_course
    Show Import in Studio. This is treated as a high-privilege action and effectively implies most authoring permissions.

  • courses.export_course
    Show Export in Studio.

  • courses.export_tags
    Export tags.

Other

  • courses.view_checklists
    View checklists.

  • view_global_staff_and_superadmins (placeholder name)
    Allow course or library admins to view the list of global Staff and Super Admin users.

Explicitly out of scope for this iteration

  • courses.delete_course
    Not currently supported in Studio, and out of scope for Authoring AuthZ.


2. Roles and permission sets

These roles are proposed for Studio Authoring. They map to the permissions above and define boundaries between content work, course operations, and course administration.

Course Auditor

What this role is for: QA, compliance review, content review, and general oversight, with no changes in Studio.
Permissions:

  • courses.view_course

  • courses.view_course_updates

  • courses.view_pages_and_resources

  • courses.view_files

  • courses.view_grading

  • courses.view_checklists

  • courses.view_course_team

  • courses.view_schedule

  • courses.view_details

Course Editor (name TBD)

What this role is for: building and maintaining course content and supporting assets, without operational controls or high-impact actions that can affect a live course.
Permissions:

  • Everything in Course Auditor, plus:

    • courses.edit_course_content

    • courses.manage_library_updates

    • courses.manage_course_updates

    • courses.manage_pages_and_resources

    • courses.create_files

    • courses.edit_files

    • courses.edit_grading

    • courses.manage_group_configurations

    • courses.edit_details

    • courses.manage_tags (placeholder)

Explicit exclusions:

  • courses.publish_course_content

  • courses.delete_files

  • courses.edit_schedule

  • courses.manage_advanced_settings

  • courses.manage_certificates

  • courses.import_course

  • courses.export_course

Course Staff

What this role is for: operating the course lifecycle in Studio, publishing content, handling scheduling, and managing high-impact configuration for the course.
Permissions:

  • Everything in Course Editor, plus:

    • courses.publish_course_content

    • courses.delete_files

    • courses.edit_schedule

    • courses.manage_advanced_settings

    • courses.manage_certificates

    • courses.import_course

    • courses.export_course

    • courses.export_tags

Course Admin

What this role is for: course-level administration, including access and role management for the course team, plus all Staff capabilities.
Permissions:

  • Everything in Course Staff, plus:

    • courses.manage_course_team

    • courses.manage_taxonomies (placeholder)


3. Items to validate

A) Create course, granting model

  • courses.create_course stays as an independent permission, separate from library creation.

  • Granting flow decision:

    • Option 1: keep granting via Django admin

    • Option 2: grant via a Console flow, gated by a platform-level role, for example Super Admin. If we go this route, this should land at the end of development since it requires new UI work.

B) Files and publish coupling

  • Decision needed: keep courses.delete_files separate, or unify it with courses.publish_course_content as a single high-impact permission.

  • Rationale: file deletion is the only permission related to publishing that can affect a published course, breaking course content by removing referenced assets.

  • Update: there is a “currently in use” state; maybe we can create some rules using that.

C) Schedule and Details split, enforcement feasibility

  • We will split Schedule and Details into separate permissions:

    • courses.edit_schedule for course scheduling controls

    • courses.edit_details for Course Summary, Course Pacing, Course Details, Course Pre requisite

  • Flow review needed to confirm Studio enforcement points support this split cleanly.

D) Advanced settings, certificates, proctored exams

  • courses.manage_advanced_settings, courses.manage_certificates need a full flow review to decide:

    • whether Course Editor should have any access

    • whether finer-grained permissions are needed

  • Proctored exam enable and disable should be reviewed as a flow, including external tool dependencies, then mapped to a permission.

E) Re-run course

  • Not included in the catalog or role sets yet.

  • Flow review needed to confirm:

    • whether Staff and Admin can do it today

    • whether it is related to courses.create_course, for example if users who can create courses can also re-run courses

    • whether re-run requires a dedicated permission, or should be treated as part of create course

F) Tags and taxonomies

  • courses.manage_tags and courses.manage_taxonomies are placeholders.

  • We need to review tags and taxonomies in more detail to align on:

    • final permission IDs and scope, course-scoped vs platform-scoped

    • the Studio surfaces they gate

    • whether Course Editor should have them by default, or if they stay Staff and Admin only