refactor: update model.conf

BryanttV · BryanttV · commit 2c78e0e33090 · 2025-09-23T19:03:04.000-05:00
diff --git a/openedx_authz/engine/config/model.conf b/openedx_authz/engine/config/model.conf
@@ -3,69 +3,50 @@
 #
 # This model supports:
 # - Scoped role assignments (user roles tied to specific contexts)
-# - Action grouping (manage → read/write/delete to reduce duplication)
+# - Action grouping (manage → read/write/edit/delete to reduce duplication)
 # - System-wide roles (global scope "*" applies everywhere)
-# - Scope-based permissions (authorization based on context, not specific objects)
 # - Negative rules (deny overrides allow for exceptions)
-# - Namespace support (course-v1:*, lib:*, org:*, etc.)
-# - Extensibility (new resource types only require new scope namespaces)
-#
-# DESIGN PRINCIPLE:
-# - Authorization is scope-based, not object-based
-# - Each request is explicitly scoped (course, org, global, etc.)
-# - Permissions are granted within scopes, eliminating need for object matching
-# - Containment relationships are handled by the application layer
-#
-# NOT handled here (deferred to application):
-# - Resource grouping/containment (app resolves parent-child relationships)
-# - Role inheritance across scopes (app checks multiple scopes explicitly)
-# - Object lifecycle consistency (app handles cleanup on delete)
+# - Namespace support (course:*, lib:*, org:*, etc.)
+# - Extensibility (new resource types just need new namespaces)
 ############################################
 
 [request_definition]
-# Request format: subject, action, scope
+# Request format: subject (user), action, scope (specific resource being accessed)
 #
 # sub   = subject/principal with namespace (e.g., "user:alice", "service:lms")
 # act   = action with namespace (e.g., "act:read", "act:manage", "act:edit-courses")
 # scope = authorization scope context (e.g., "org:OpenedX", "course-v1:...", "*" for global)
 #
 # SCOPE SEMANTICS:
-# - Scope determines the authorization context and which role assignments apply
-# - "*"                    = global scope (system-wide roles apply everywhere)
-# - "org:OpenedX"          = organization-scoped roles (apply within OpenedX org)
+# Scope determines the authorization context and which role assignments apply
+# - "*"             = global scope (system-wide roles apply everywhere)
+# - "org:OpenedX"   = organization-scoped roles (apply within OpenedX org)
 # - "course-v1:..." = course-scoped roles (apply within specific course)
 #
 # Application must provide appropriate scope based on business logic.
 r = sub, act, scope
 
 [policy_definition]
-# Policy format: subject, action, scope, effect
+# Policy format: subject (role), action, scope (pattern), effect
 #
 # sub   = role or user with namespace (e.g., "role:org_admin", "user:bob")
-# act   = action identifier (e.g., "act:manage", "act:read", "act:edit-courses"). Uses g2 relation for action grouping.
-# scope = scope where policy applies (e.g., "*", "org:OpenedX", "course-v1:...")
+# act   = action identifier (e.g., "act:manage", "act:read", "act:edit-courses")
+# scope = scope where policy applies (e.g., "*", "org:*", "course-v1:*", "lib:*")
 # eft   = "allow" or "deny" (deny overrides allow for exceptions)
 p = sub, act, scope, eft
 
 [role_definition]
-# g: Role assignments (without scope)
-# Format: user/subject, role
-#
-# This is a simplified role assignment where users are assigned roles globally,
-# without being tied to specific scopes. All role assignments apply system-wide.
+# g: Role assignments with scope
+# Format: user/subject, role, scope
 #
 # Examples:
-# g, user:alice, role:org_admin                 # Alice is org admin
-# g, user:bob, role:course_instructor           # Bob is course instructor
-# g, user:carol, role:platform_admin            # Carol is platform admin
-# g, service:lms, role:system_service           # LMS service has system-wide access
+# g, user:alice, role:org_admin, org:OpenedX         # Alice is org admin for OpenedX
+# g, user:bob, role:course_instructor, course-v1:... # Bob is instructor for specific course
+# g, user:carol, role:library_admin, *               # Carol is global library admin
 #
 # Role hierarchy (optional):
-# g, role:org_admin, role:org_editor            # org_admin inherits org_editor permissions
-#
-# NOTE: Without scope in role assignments, authorization control must rely entirely
-# on policy definitions (p) to restrict access to appropriate scopes/contexts.
-g = _, _
+# g, role:org_admin, role:org_editor, org:OpenedX    # org_admin inherits org_editor permissions
+g = _, _, _
 
 # g2: Action grouping and implications
 # Maps high-level actions to specific actions to reduce policy duplication
@@ -92,26 +73,19 @@ e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
 [matchers]
 # Authorization matching logic
 #
-# SUBJECT MATCHING:
-# - g(r.sub, p.sub): check if request subject matches policy subject (role assignment)
-#   This handles user-to-role mappings defined in the role_definition section
+# ROLE MATCHING:
+# - g(r.sub, p.sub, r.scope): check if subject has role in requested scope
+# - g(r.sub, p.sub, "*"): check if subject has role in all resources in the scope
+#
+# SCOPE MATCHING:
+# - keyMatch(r.scope, p.scope): scope matches pattern
 #
 # ACTION MATCHING:
+# - r.act == p.act: exact action match
 # - g2(p.act, r.act): policy action implies requested action via grouping
-#   Allows high-level actions (manage) to grant specific actions (read/write/delete)
-#
-# SCOPE MATCHING:
-# - keyMatch(r.scope, p.scope): check if request scope matches policy scope
-#   Supports wildcard matching (e.g., "*" matches any scope)
-#   Enables hierarchical scope matching for nested authorization contexts
 #
 # All conditions must be true for a policy to match:
-# 1. Subject must have the required role (via role assignment)
-# 2. Policy action must imply the requested action (via action grouping)
-# 3. Request scope must match the policy scope (with wildcard support)
-#
-# SCOPE-BASED AUTHORIZATION:
-# The matcher uses keyMatch for flexible scope matching, allowing policies
-# to apply to specific scopes (org:OpenedX) or globally (*), providing
-# fine-grained control over authorization contexts.
-m = g(r.sub, p.sub) && g2(p.act, r.act) && keyMatch(r.scope, p.scope)
+# 1. Subject must have role in scope OR global role
+# 2. Scope must match pattern
+# 3. Action must match OR inherit via action grouping
+m = (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.scope, p.scope) && (r.act == p.act || g2(p.act, r.act))
