feat: Implement team members endpoint for admin console

feat: Implement team members endpoint for admin console

Author: rodmgwgu

CHANGELOG.rst

@@ -14,7 +14,20 @@ Change Log
 Unreleased
 **********
 
+1.3.0 - 2026-04-01
+******************
+
+Added
+=====
+
 * Add ADR for global scope support for role assignments.
+* Add ``get_all_subject_role_assignments`` and ``get_all_user_role_assignments`` api functions to fetch all user role assignments.
+* Add ``users/`` endpoint to fetch all team members, with optional filters for orgs, scopes, search by username user full name or email, sorting and pagination.
+
+Fixed
+=====
+
+* Fix enforcer ``is_admin_or_superuser_check`` that was not taking into account Org glob scopes.
 
 1.2.0 - 2026-03-30
 ******************

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "1.2.0"
+__version__ = "1.3.0"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/api/roles.py

@@ -31,6 +31,9 @@
     "batch_unassign_role_from_subjects_in_scope",
     "get_all_roles_in_scope",
     "get_all_roles_names",
+    "get_subject_role_assignments_in_scope",
+    "get_subject_role_assignments_for_role_in_scope",
+    "get_all_subject_role_assignments",
     "get_all_subject_role_assignments_in_scope",
     "get_permissions_for_active_roles_in_scope",
     "get_permissions_for_roles",
@@ -269,6 +272,29 @@ def batch_unassign_role_from_subjects_in_scope(subjects: list[SubjectData], role
         unassign_role_from_subject_in_scope(subject, role, scope)
 
 
+def get_all_subject_role_assignments() -> list[RoleAssignmentData]:
+    """Get all the roles for every subject across all scopes.
+
+    Returns:
+        list[RoleAssignmentData]: A list of role assignments for the subject.
+    """
+    enforcer = AuthzEnforcer.get_enforcer()
+    role_assignments = []
+    for policy in enforcer.get_grouping_policy():
+        subject = SubjectData(namespaced_key=policy[GroupingPolicyIndex.SUBJECT.value])
+        role = RoleData(namespaced_key=policy[GroupingPolicyIndex.ROLE.value])
+        role.permissions = get_permissions_for_single_role(role)
+
+        role_assignments.append(
+            RoleAssignmentData(
+                subject=subject,
+                roles=[role],
+                scope=ScopeData(namespaced_key=policy[GroupingPolicyIndex.SCOPE.value]),
+            )
+        )
+    return role_assignments
+
+
 def get_subject_role_assignments(subject: SubjectData) -> list[RoleAssignmentData]:
     """Get all the roles for a subject across all scopes.
 

openedx_authz/api/users.py

@@ -22,6 +22,7 @@
     assign_role_to_subject_in_scope,
     batch_assign_role_to_subjects_in_scope,
     batch_unassign_role_from_subjects_in_scope,
+    get_all_subject_role_assignments,
     get_all_subject_role_assignments_in_scope,
     get_role_assignments,
     get_scopes_for_subject_and_permission,
@@ -38,6 +39,7 @@
     "batch_assign_role_to_users_in_scope",
     "unassign_role_from_user",
     "batch_unassign_role_from_users",
+    "get_all_user_role_assignments",
     "get_user_role_assignments",
     "get_user_role_assignments_in_scope",
     "get_user_role_assignments_for_role_in_scope",
@@ -118,6 +120,15 @@ def batch_unassign_role_from_users(users: list[str], role_external_key: str, sco
     )
 
 
+def get_all_user_role_assignments() -> list[RoleAssignmentData]:
+    """Get all roles for all users across all scopes.
+
+    Returns:
+        list[RoleAssignmentData]: A list of role assignments and all their metadata assigned to the user.
+    """
+    return get_all_subject_role_assignments()
+
+
 def get_user_role_assignments(user_external_key: str) -> list[RoleAssignmentData]:
     """Get all roles for a user across all scopes.
 

openedx_authz/engine/matcher.py

@@ -3,15 +3,24 @@
 from django.contrib.auth import get_user_model
 from edx_django_utils.cache import RequestCache
 
-from openedx_authz.api.data import ContentLibraryData, CourseOverviewData, ScopeData, UserData
-from openedx_authz.rest_api.utils import get_user_by_username_or_email
+from openedx_authz.api.data import (
+    ContentLibraryData,
+    CourseOverviewData,
+    OrgContentLibraryGlobData,
+    OrgCourseOverviewGlobData,
+    ScopeData,
+    UserData,
+)
+from openedx_authz.utils import get_user_by_username_or_email
 
 User = get_user_model()
 
 
 SCOPES_WITH_ADMIN_OR_SUPERUSER_CHECK = {
     (ContentLibraryData.NAMESPACE, ContentLibraryData),
     (CourseOverviewData.NAMESPACE, CourseOverviewData),
+    (OrgContentLibraryGlobData.NAMESPACE, OrgContentLibraryGlobData),
+    (OrgCourseOverviewGlobData.NAMESPACE, OrgCourseOverviewGlobData),
 }
 
 

openedx_authz/rest_api/utils.py

@@ -1,11 +1,25 @@
 """Utility functions for the Open edX AuthZ REST API."""
 
+import logging
+from dataclasses import dataclass
+
 from django.contrib.auth import get_user_model
-from django.db.models import Q
 
-from openedx_authz.api.data import GLOBAL_SCOPE_WILDCARD, ScopeData
+from openedx_authz.api.data import (
+    GLOBAL_SCOPE_WILDCARD,
+    ContentLibraryData,
+    CourseOverviewData,
+    OrgContentLibraryGlobData,
+    OrgCourseOverviewGlobData,
+    RoleAssignmentData,
+    ScopeData,
+)
+from openedx_authz.api.users import is_user_allowed
+from openedx_authz.constants.permissions import COURSES_VIEW_COURSE, VIEW_LIBRARY
 from openedx_authz.rest_api.data import SearchField, SortField, SortOrder
 
+logger = logging.getLogger(__name__)
+
 User = get_user_model()
 
 
@@ -51,26 +65,6 @@ def get_user_map(usernames: list[str]) -> dict[str, User]:
     return {user.username: user for user in users}
 
 
-def get_user_by_username_or_email(username_or_email: str) -> User:
-    """
-    Retrieve a user by their username or email address.
-
-    Args:
-        username_or_email (str): The username or email address to search for.
-
-    Returns:
-        User: The User object if found and not retired.
-
-    Raises:
-        User.DoesNotExist: If no user matches the provided username or email,
-            or if the user has an associated retirement request.
-    """
-    user = User.objects.get(Q(email=username_or_email) | Q(username=username_or_email))
-    if hasattr(user, "userretirementrequest"):
-        raise User.DoesNotExist
-    return user
-
-
 def sort_users(
     users: list[dict],
     sort_by: SortField = SortField.USERNAME,
@@ -135,3 +129,49 @@ def filter_users(users: list[dict], search: str | None, roles: list[str] | None)
         filtered_users.append(user)
 
     return filtered_users
+
+
+@dataclass
+class UserAssignments:
+    user: "User"
+    assignments: list[RoleAssignmentData]
+
+
+def get_user_assignment_map(role_assignments: list[RoleAssignmentData]) -> list[UserAssignments]:
+    """
+    Group role assignments by user
+    """
+    usernames = {assignment.subject.username for assignment in role_assignments}
+    user_map = get_user_map(usernames)
+
+    users_with_assignments: list[UserAssignments] = []
+
+    for username, user in user_map.items():
+        assignments = [a for a in role_assignments if a.subject.username == username]
+        users_with_assignments.append(UserAssignments(user=user, assignments=assignments))
+
+    return users_with_assignments
+
+
+def filter_allowed_assignments(user: "User", assignments: list[RoleAssignmentData]) -> list[RoleAssignmentData]:
+    """
+    Filter the given role assignments to only include those that the user has permission to view.
+    """
+    allowed_assignments: list[RoleAssignmentData] = []
+    for assignment in assignments:
+        permission = None
+
+        # For CourseOverviewData and ContentLibraryData, check for the view permission
+        if isinstance(assignment.scope, (CourseOverviewData, OrgCourseOverviewGlobData)):
+            permission = COURSES_VIEW_COURSE.identifier
+        elif isinstance(assignment.scope, (ContentLibraryData, OrgContentLibraryGlobData)):
+            permission = VIEW_LIBRARY.identifier
+
+        if permission and is_user_allowed(
+            user_external_key=user.username,
+            action_external_key=permission,
+            scope_external_key=assignment.scope.external_key,
+        ):
+            allowed_assignments.append(assignment)
+
+    return allowed_assignments

openedx_authz/rest_api/v1/fields.py

@@ -15,6 +15,18 @@ def to_representation(self, value):
         return ",".join(value).lower()
 
 
+class CaseSensitiveCommaSeparatedListField(serializers.CharField):
+    """Serializer for a comma-separated list of strings, case-sensitive."""
+
+    def to_internal_value(self, data):
+        """Convert string separated by commas to list of unique items preserving order"""
+        return list(dict.fromkeys(item.strip() for item in data.split(",") if item.strip()))
+
+    def to_representation(self, value):
+        """Convert list to string separated by commas"""
+        return ",".join(value)
+
+
 class LowercaseCharField(serializers.CharField):
     """Serializer for a lowercase string."""
 

openedx_authz/rest_api/v1/serializers.py

@@ -5,8 +5,12 @@
 
 from openedx_authz import api
 from openedx_authz.rest_api.data import SortField, SortOrder
-from openedx_authz.rest_api.utils import get_generic_scope
-from openedx_authz.rest_api.v1.fields import CommaSeparatedListField, LowercaseCharField
+from openedx_authz.rest_api.utils import UserAssignments, get_generic_scope
+from openedx_authz.rest_api.v1.fields import (
+    CaseSensitiveCommaSeparatedListField,
+    CommaSeparatedListField,
+    LowercaseCharField,
+)
 
 User = get_user_model()
 
@@ -203,3 +207,46 @@ def get_email(self, obj) -> str:
     def get_roles(self, obj: api.RoleAssignmentData) -> list[str]:
         """Get the roles for the given role assignment."""
         return [role.external_key for role in obj.roles]
+
+
+class ListTeamMembersSerializer(serializers.Serializer):  # pylint: disable=abstract-method
+    """Serializer for listing team members."""
+
+    scopes = CaseSensitiveCommaSeparatedListField(required=False, default=[])
+    orgs = CaseSensitiveCommaSeparatedListField(required=False, default=[])
+    sort_by = serializers.ChoiceField(
+        required=False,
+        choices=[(e.value, e.name) for e in SortField],
+        default=SortField.USERNAME,
+    )
+    order = serializers.ChoiceField(
+        required=False,
+        choices=[(e.value, e.name) for e in SortOrder],
+        default=SortOrder.ASC,
+    )
+    search = LowercaseCharField(required=False, default=None)
+
+
+class TeamMemberSerializer(serializers.Serializer):  # pylint: disable=abstract-method
+    """Serializer for team members."""
+
+    username = serializers.SerializerMethodField()
+    full_name = serializers.SerializerMethodField()
+    email = serializers.SerializerMethodField()
+    assignation_count = serializers.SerializerMethodField()
+
+    def get_username(self, obj: UserAssignments) -> str:
+        """Get the username for the given role assignment."""
+        return getattr(obj.user, "username", "") if obj.user else ""
+
+    def get_full_name(self, obj: UserAssignments) -> str:
+        """Get the full name for the given role assignment."""
+        return obj.user.get_full_name() if obj.user else ""
+
+    def get_email(self, obj: UserAssignments) -> str:
+        """Get the email for the given role assignment."""
+        return getattr(obj.user, "email", "") if obj.user else ""
+
+    def get_assignation_count(self, obj: UserAssignments) -> int:
+        """Get the assignation count for the given role assignment."""
+        return len(obj.assignments)

openedx_authz/rest_api/v1/urls.py

@@ -12,4 +12,5 @@
     ),
     path("roles/", views.RoleListView.as_view(), name="role-list"),
     path("roles/users/", views.RoleUserAPIView.as_view(), name="role-user-list"),
+    path("users/", views.TeamMembersAPIView.as_view(), name="user-list"),
 ]