/
Authoring AuthZ: User Stories

Authoring AuthZ: User Stories

This is a draft for scope alignment. Feedback is welcome.

M1 - Parity with legacy roles

M1.1 Studio parity for Staff and Admin

User story
As a platform administrator, I want course Staff and course Admin to keep the same authoring access in Studio as today.

Acceptance criteria

  • Course Staff effective access in Studio matches the permissions defined for Course Staff in the Authoring Roles and Permissions catalog.

  • Course Admin effective access in Studio matches the permissions defined for Course Admin in the Authoring Roles and Permissions catalog.

  • AuthZ is the enforcement path for the Studio authoring actions covered in M1.

  • No new UI or Administrative Console flows are introduced in M1.

  • Super Admin, Global Staff, and Course Creator behave as they do today.

Notes

  • A permission outcomes spec is needed for the permissions in scope for M1, describing expected behavior when each permission is granted vs not granted, including UI behavior and backend enforcement behavior.

  • Some behaviors are still TBD, especially around taxonomies and reruns.

M1.2 Migration tooling

User story
As a platform administrator, I want existing course role assignments to work under AuthZ during rollout.

Acceptance criteria

  • Existing Course Staff and Course Admin assignments are represented in AuthZ.

  • The system can detect mismatches between legacy assignments and AuthZ data.

  • A reconciliation mechanism exists to sync AuthZ from the current source of role assignments, without relying on a new UI.

M2 - Unfiltered view + bulk actions

M2.1 Open the console, unfiltered view

User story
As a platform administrator, I want to open the Roles and Permissions console in an unfiltered view, so I can review access across the resources I can manage.

Acceptance criteria

  • I can open the Roles and Permissions console in an unfiltered state.

  • In the unfiltered view, I see a list of users who have at least one role assignment on a resource I have access to manage.

  • I can filter and search the list, at minimum by user, resource type, resource, and role.

  • From the list, I can open a user details view to analyze that user’s access.

Notes

  • UI iteration plan is still TBD, we should define how to deliver value incrementally per story while minimizing rework, in case we need to cut scope for the next release.

  • We should align this story with the Libraries console experience, and ensure there is a Libraries version that satisfies these requirements.

M2.2 Open the console from Studio, prefiltered course view

User story
As a platform administrator, I want to open the Roles and Permissions console from Studio Settings in a prefiltered course view, so I can review the course team for the course I am working on.

Acceptance criteria

  • From a course in Studio, I can go to Settings and select Roles and Permissions.

  • This opens the Roles and Permissions console in a separate tab, prefiltered to that course.

  • The course context is clearly shown.

  • The course scoped view shows the course team list.

  • I can filter and search within the course scoped view, at minimum by user and role.

  • From the course scoped view, I can open a user details view to analyze the user’s access.

Notes

  • We still need to define the best UI for this view. The acceptance criteria should be refined once we decide what the user sees in the list and how navigation works.

M2.3 Manage course Staff and course Admin

User story
As a platform administrator, I want to assign, change, and revoke course Staff and course Admin from the Roles and Permissions console, so I can manage the course team without leaving the console.

Acceptance criteria

  • In the course scoped view, I can see users assigned as course Staff or course Admin for the selected course.

  • If I have the manage_course_team permission, I can assign course Staff to a user for the selected course.

  • If I have the manage_course_team permission, I can assign course Admin to a user for the selected course.

  • If I have the manage_course_team permission, I can change a user between course Staff and course Admin for the selected course.

  • If I have the manage_course_team permission, I can revoke course Staff or course Admin for the selected course.

  • If I do not have manage_course_team, these actions are not available, and backend enforcement blocks changes.

  • Changes are reflected in effective Studio access for that course.

Notes

  • UI details for the list and the role management interactions are still being defined, acceptance criteria may need to be refined once we lock the UI.

M2.4 See other users with access

User story
As a resource admin, I want to see users who have access to a course or library via higher scope roles, so I can understand access beyond the local team.

Acceptance criteria

  • The console provides an “other users with access” view for a selected course or library.

  • I can view “other users with access” if I have manage_course_team or manage_library_team on any relevant scope, or if I am Super Admin, or Global Staff.

  • The view includes higher scope roles that grant access to the selected resource, including Super Admin and Global Staff.

  • Each entry includes enough context to understand the access source, for example direct assignment on the resource vs inherited access from a higher scope role.

Notes

  • We should confirm whether this view is restricted to admins only, or if it should also be available to other roles such as course Staff and library Author.

M2.5 Bulk assignments across existing roles, courses and libraries

User story
As a platform administrator, I want to assign roles in bulk for courses and libraries, so I can onboard and update access efficiently.

Acceptance criteria

  • I can perform bulk assignments for the existing roles supported by the console, for both courses and libraries.

  • I can assign a selected role to multiple users for a selected course or a selected library in one flow.

  • The bulk operation reports success and failure per user.

  • Bulk changes are reflected in effective access for the selected resource.

  • Bulk actions are only available if I have the required team management permission for the resource type, manage_course_team for courses, manage_library_team for libraries.

Notes

  • This story needs additional refinement, including which bulk patterns we support first and how we avoid introducing complexity that makes future iterations harder.