refactor: use actor_id to avoid storing pii from the actor

Author: mariajgrimaldi

docs/decisions/0012-auditability.rst

@@ -70,18 +70,17 @@ Event payload
         "subject":   "<namespaced subject key, e.g. user^alice>",
         "role":      "<namespaced role key, e.g. role^instructor>",
         "scope":     "<namespaced scope key, e.g. course-v1^course-v1:Org+Course+Run>",
-        "actor":     "<username of the caller, or None for system actor>",
+        "actor_id":  <database ID of the caller (int), or None for system actor>,
     }
 
 The actor is resolved from ``django_crum.get_current_user()`` at API call time. No callers
-need to pass ``actor=`` explicitly. The username is stored as a plain string rather than a
-reference to the ``User`` record, so attribution is preserved even if the user is deleted.
+need to pass ``actor_id=`` explicitly.
 
 Audit table
 -----------
 
 ``RoleAssignmentAudit`` mirrors the event payload. Registered in Django admin, filterable by
-user, role, scope, actor, and timestamp.
+user, role, scope, actor_id, and timestamp.
 
 Subject, role, and scope are stored as plain namespaced key strings (e.g. ``user^alice``,
 ``role^instructor``, ``lib^lib:Org1:lib1``). There are no FK references to live ``Subject``,
@@ -141,12 +140,11 @@ Consequences
 #. **Events are best-effort.** If the audit write fails, the Casbin policy is still durable.
    Consumers requiring guaranteed delivery must implement their own retry logic.
 
-#. **``actor`` is nullable.** Non-request contexts (management commands, background tasks)
-   record ``None``, logged as a system operation. ``actor`` is stored as a plain username
-   string rather than a FK to ``User``. Attribution is preserved unconditionally: deleting
-   or retiring a user does not affect existing audit records. This also avoids a dependency
-   on the ``User`` table from the audit log, keeping audit records fully independent from
-   live data.
+#. **``actor_id`` is nullable.** Non-request contexts (management commands, background tasks)
+   record ``None``, logged as a system operation. ``actor_id`` is stored as a plain integer
+   (the database ID of the caller) rather than a FK to ``User``. This avoids a dependency
+   on the ``User`` table and keeps audit records fully independent from live data. Attribution
+   is preserved unconditionally: deleting or retiring a user does not affect existing records.
 
 #. **Audit records are independent from live authorization state.** Deleting a subject,
    scope, or role does not remove its audit history. Records may reference identifiers that

openedx_authz/admin.py

@@ -83,11 +83,11 @@ def queryset(self, request, queryset):
 class RoleAssignmentAuditAdmin(admin.ModelAdmin):
     """Read-only admin for the role assignment audit log."""
 
-    list_display = ("operation", "display_subject", "display_role", "display_scope", "actor", "timestamp")
+    list_display = ("operation", "display_subject", "display_role", "display_scope", "actor_id", "timestamp")
     list_filter = ("operation", ScopeTypeFilter)
     search_fields = ("subject", "role", "scope")
     date_hierarchy = "timestamp"
-    readonly_fields = ("operation", "subject", "role", "scope", "actor", "timestamp")
+    readonly_fields = ("operation", "subject", "role", "scope", "actor_id", "timestamp")
 
     @admin.display(description="subject")
     def display_subject(self, obj):

openedx_authz/api/roles.py

@@ -242,7 +242,7 @@ def assign_role_to_subject_in_scope(subject: SubjectData, role: RoleData, scope:
                 subject=subject.namespaced_key,
                 role=role.namespaced_key,
                 scope=scope.namespaced_key,
-                actor=getattr(get_current_user(), "username", None),
+                actor_id=getattr(get_current_user(), "id", None),
             )
         )
     )
@@ -293,7 +293,7 @@ def unassign_role_from_subject_in_scope(subject: SubjectData, role: RoleData, sc
                     subject=subject.namespaced_key,
                     role=role.namespaced_key,
                     scope=scope.namespaced_key,
-                    actor=getattr(get_current_user(), "username", None),
+                    actor_id=getattr(get_current_user(), "id", None),
                 )
             )
         )

openedx_authz/handlers.py

@@ -105,7 +105,7 @@ def create_audit_record_on_role_assignment_change(sender, role_assignment, **kwa
             subject=role_assignment.subject,
             role=role_assignment.role,
             scope=role_assignment.scope,
-            actor=role_assignment.actor,
+            actor_id=role_assignment.actor_id,
             timestamp=kwargs["metadata"].time,
         )
     except Exception as exc:  # pylint: disable=broad-exception-caught

openedx_authz/migrations/0008_roleassignmentaudit.py

@@ -1,9 +1,10 @@
-# Generated by Django 4.2.24 on 2026-04-15 16:48
+# Generated by Django 4.2.24 on 2026-04-20 15:54
 
 from django.db import migrations, models
 
 
 class Migration(migrations.Migration):
+
     dependencies = [
         ("openedx_authz", "0007_coursescope"),
     ]
@@ -45,20 +46,15 @@ class Migration(migrations.Migration):
                 (
                     "scope",
                     models.CharField(
-                        help_text=(
-                            "Namespaced key of the scope (e.g. 'course-v1^course-v1:org+course+run') or glob pattern."
-                        ),
+                        help_text="Namespaced key of the scope (e.g. 'course-v1^course-v1:org+course+run') or glob pattern.",
                         max_length=255,
                     ),
                 ),
                 (
-                    "actor",
-                    models.CharField(
+                    "actor_id",
+                    models.IntegerField(
                         blank=True,
-                        help_text=(
-                            "Username of the user who performed the operation, or None for system-initiated actions."
-                        ),
-                        max_length=150,
+                        help_text="Database ID of the user who performed the operation. Null for system-initiated actions.",
                         null=True,
                     ),
                 ),

openedx_authz/models/core.py

@@ -285,11 +285,10 @@ class Operations(NamedTuple):
         max_length=255,
         help_text="Namespaced key of the scope (e.g. 'course-v1^course-v1:org+course+run') or glob pattern.",
     )
-    actor = models.CharField(
-        max_length=150,
+    actor_id = models.IntegerField(
         null=True,
         blank=True,
-        help_text="Username of the user who performed the operation, or None for system-initiated actions.",
+        help_text="Database ID of the user who performed the operation. Null for system-initiated actions.",
     )
     timestamp = models.DateTimeField()
 

openedx_authz/tests/test_handlers.py

@@ -245,7 +245,7 @@ def test_creates_audit_record_for_created_operation(self):
 
         Expected result:
         - One RoleAssignmentAudit record exists with operation, subject, role, scope,
-          actor (None), and the event timestamp.
+          actor_id (None), and the event timestamp.
         """
         role_assignment = RoleAssignmentData(
             operation=RoleAssignmentAudit.OPERATIONS.created,
@@ -261,7 +261,7 @@ def test_creates_audit_record_for_created_operation(self):
         self.assertEqual(audit.subject, "user^john_doe")
         self.assertEqual(audit.role, "role^library_admin")
         self.assertEqual(audit.scope, "lib^org1:lib1")
-        self.assertIsNone(audit.actor)
+        self.assertIsNone(audit.actor_id)
         self.assertEqual(audit.timestamp, self.TIMESTAMP)
 
     def test_creates_audit_record_for_deleted_operation(self):