Draft 2025-09-29
Open edX's authorization system is described in OEP-66, but because of its limitations the community wanted to explore a more appropriate option for managing authorization on the platform. To mitigate the risk of completely overhauling a core system like authorization, our primary strategy is a staged, phased migration plan. This approach lets us limit the blast radius, test components in a controlled environment, apply lessons learned, and ensure business continuity, giving users time to adapt.
- The new authorization will coexist with the previous one until we migrate the entire system.
- We will start migrating the current library permissions and roles to the new authorization system.
- For the MVP, we will maintain the current functionality using the new architecture.
- Develop a migration script to transform the existing explicit role assignments to the new authorization model, without modifying the previous table.
- We will update the enforcement points related to library permissions to use the new system, and review the remaining enforcement points, which will be updated with the latest set of roles and permissions for libraries.
- Library endpoints that concern authorization will use the authorization API. Example: obtaining the list of users who hold permissions over a scope.
- Create a deprecation ticket to let the community know how the library roles and permissions will work.
- Update OEP-66 to describe the libraries' new authorization system.
For more information regarding the API and communication, see the Enforcement mechanisms ADR.
For more information on how the existing roles and permissions of libraries will be translated, see the Libraries Roles and Permissions Migration Plan document.
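The following is an added illustration of the plan above (not code from Open edX or this ADR): a read-only migration of legacy library role rows into a new assignment model, a library enforcement point that consults only the new model, and the "users with permissions over a scope" query. The table layout, role names, permission names and the ROLE_PERMISSIONS mapping are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample of the legacy explicit library role table:
# (user, library_key, role). Hypothetical layout, not the real Open edX table.
LEGACY_LIBRARY_ROLES = [
    ("alice", "lib:DemoX:CS101", "author"),
    ("bob", "lib:DemoX:CS101", "reader"),
    ("carol", "lib:DemoX:MATH1", "admin"),
]

# Hypothetical mapping of legacy role names onto permissions in the new model.
ROLE_PERMISSIONS = {
    "admin": {"view", "edit", "manage_team"},
    "author": {"view", "edit"},
    "reader": {"view"},
}


@dataclass(frozen=True)
class RoleAssignment:
    """One row in the (hypothetical) new authorization model."""
    user: str
    role: str
    scope: str


def migrate_library_roles(legacy_rows):
    """Translate legacy rows into new-model assignments.

    The legacy rows are only read, never modified, so the old table stays
    intact while both systems coexist and remains available for rollback.
    """
    return [RoleAssignment(user, role, scope) for user, scope, role in legacy_rows]


def _grants(assignment, permission, scope):
    return assignment.scope == scope and permission in ROLE_PERMISSIONS.get(assignment.role, ())


def has_permission(assignments, user, permission, scope):
    """Library enforcement point: decided from the new model only."""
    return any(a.user == user and _grants(a, permission, scope) for a in assignments)


def users_with_permission(assignments, permission, scope):
    """Authorization API example from the plan: who holds `permission` over `scope`."""
    return sorted({a.user for a in assignments if _grants(a, permission, scope)})
```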
- Replace the authorization system completely in one step.
- Utilize the existing tables and mechanisms to enforce permissions within the new system.
- Use library-specific API endpoints regarding authorization.