docs: improve ADR based on feedback

MaferMazu · MaferMazu · commit b0f18dede502 · 2025-09-18T18:32:15.000-05:00
diff --git a/docs/decisions/0004-technology-selection.rst b/docs/decisions/0004-technology-selection.rst
@@ -4,7 +4,7 @@
 Status
 ******
 
-**Draft** *2025-09-12*
+**Draft** *2025-09-19*
 
 Context
 *******
@@ -16,69 +16,31 @@ Authorization is a common challenge across software platforms, and many open-sou
 * Choose solutions that balance flexibility with maintainability.
 * Ensure long-term scalability and alignment with modern best practices.
 
+We analyzed a variety of authorization technologies, including Django permissions, Django-guardian, Django-prbac, Bridgekeeper, Edx-rbac, Casbin, Spicedb, Keycloak, Cerbos/Permguard. The complete analysis of these solutions can be found here: `Authorization Technologies Reviewed`_.
+
+Following this preliminary assessment, we determined that Django-prbac, Casbin, and OpenFGA were the solutions most closely aligned with the requirements. We create a comparison table to decide which one is more suitable for our use case, taking into account factors such as integration fit, permission management, performance, extensibility, maturity, security, learning curve, total cost of operations, and other relevant considerations. Here you can find the `Authorization Comparison Table`_.
 
 Decision
 ********
 
-Policy-based over a Permission-centric approach
-==================================================
-
-A policy-based approach is a method of managing resource access by defining rules and conditions rather than making direct, specific assignments. It's about setting general guidelines that are enforced automatically.
-
-We are choosing policy-based over permission-centric because the first one has improvements in the following areas:
-
-* Flexibility and Granularity: It allows for more specific and detailed access rules based on context and attributes, rather than just on a user's identity.
-
-* Scalability: It's easier to manage access in large, complex systems. Instead of assigning individual permissions to thousands of users, you manage a smaller number of policies.
-
-* Dynamic Access: Access decisions are made in real-time based on current conditions (e.g., time of day, location, resource), making it more adaptable to changing needs.
-
-* Improved Security: It enforces the principle of least privilege more effectively, as access is only granted when all conditions are met, reducing the risk of over-provisioning permissions.
-
-* Centralized Management: Policies can be centrally defined and updated, and the changes are automatically applied across the system without manual intervention for each user.
-
-In this approach, you use policies to make decisions. A policy is a statement that defines "who (subject) can do what(action), to which resource(resource), under what conditions (context)."
-
-Also, this decision is supported by decisions in the `Authorization Model Foundations ADR`_.
-
-
-Casbin as a technology to implement the AuthZ system
-=====================================================
+* We choose to use `Casbin`_ as the authorization engine for Open edX, which allows us to have a robust foundation, enabling long-term evolution; improves security because it enforce the principle of least privilege; help us maintain a centrilize logic, making it easier to manage and update; and promotes best practice because has support for multiple well-understood authorization models. This decision of using Casbin is also aligned with the `Authorization Model Foundations ADR`_.
 
-Based on a broad initial study, we analyzed a variety of authorization technologies, including Django permissions, django-guardian, django-prbac, bridgekeeper, edx-rbac, casbin, spicedb, keycloak, cerbos/permguard. The complete analysis of these solutions, and the rationale for the initial findings, can be found here: `Authorization Technologies Reviewed`_.
+* We'll use the production-ready Python (pycasbin) library and Django integration (django-authorization) for Django native APIs.
 
-Following this preliminary assessment, we determined that django-prbac, Casbin, and OpenFGA were the solutions most closely aligned with the requirements. These three candidates were then subjected to a more in-depth evaluation against a comprehensive set of criteria. The assessment focused on key factors, including Role and Permission Management, Integration Fit, and Extensibility, as well as an analysis of Maturity, Community Support, and Total Cost of Ownership.
-
-After a thorough review, Casbin was selected as the technology we'll use due to its superior performance across all evaluation criteria. For a complete breakdown of the evaluation, including a detailed explanation of the requirements and the specific scores for each technology, please visit `AuthZ Technologies Comparison`_.
+* We will integrate Casbin as a library within our services to avoid introducing a new service.
 
+* We'll use a centralized policy enforcement, which means all access requests are evaluated against a unified set of policies before granting or denying access.
 
 Consequences
 ************
 
-Benefits of this decision
-=========================
-
-The adoption of a policy-based model with Casbin provides some advantages:
-
-* Builds a Robust Foundation: This model provides a solid basis for future authorization needs, allowing for more complex rules (like ABAC) without changing the application's code.
-
-* Improves Security: It effectively enforces the principle of least privilege, which helps reduce the risk of over-provisioning permissions.
-
-* Centralizes Logic: Authorization logic is easier to manage and update because rules are defined in a single place.
-
-* Promotes Best Practices: Support for multiple, well-understood authorization models (such as RBAC and ABAC) promotes the use of established patterns and best practices.
+* Additional Layer: An abstraction layer will need to be created to shield stakeholders (including Open edX services) from the complexities of direct Casbin policy management (with APIs, enforcement utilities, etc).
 
+* Casbin as a default dependency: Casbin will be included as a default dependency in our services, ensuring that it is available for authorization tasks.
 
-Potential Drawbacks
-=====================
+* Performance considerations: We need to consider how policy loading, matching, and enforcement affect the overall performance.
 
-Despite its benefits, this decision does come with some trade-offs:
-
-* Higher Learning Curve: The community will face a higher initial learning curve compared to using a built-in Django-based solution.
-
-* Migration Effort: A dedicated effort is required to migrate any existing authorization logic to the new policy framework.
-
-* Additional Layer: An abstraction layer will need to be created to shield stakeholders from the complexities of direct Casbin policy management.
+* Data consistency: Watchers and robust strategies are required to ensure that the authorization policies are consistent across different services.
 
 
 Rejected Alternatives
@@ -89,7 +51,7 @@ Permission-centric approach
 
 * Strengths: This approach is simple and easy to understand for basic use cases and static permissions.
 
-* Limitations: It becomes unmanageable as access requirements become more complex, especially with dynamic or contextual logic. Managing thousands of individual permissions is not scalable and can lead to unmanageable complexity and security vulnerabilities.
+* Limitations: Managing thousands of individual permissions is not scalable and can lead to unmanageable complexity and security vulnerabilities.
 
 
 Policy Decision Points (PDPs) like Cerbos and Permguard
@@ -125,12 +87,17 @@ ReBAC Solutions (SpiceDB, OpenFGA)
 References
 **********
 
-.. (Optional) List any additional references here that would be useful to the future reader. See `Documenting Architecture Decisions`_ for further input.
+* `Authorization Model Foundations ADR`_
+* `Authorization Comparison Table`_
+* `Authorization Technologies Reviewed`_
+
 
 .. _a consistent set of evaluation criteria: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5179179033/AuthZ+Technologies+Comparison#Framework-for-Evaluation
 
 .. _Authorization Model Foundations ADR: https://github.com/openedx/openedx-authz/blob/main/docs/decisions/0002-authorization-model-foundation.rst
 
-.. _AuthZ Technologies Comparison: https://openedx.atlassian.net/wiki/x/GQC0NAE
+.. _Authorization Comparison Table: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5179179033/AuthZ+Technologies+Comparison#Comparison-Table
 
 .. _Authorization Technologies Reviewed: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5179179033/AuthZ+Technologies+Comparison#Authorization-Technologies-Reviewed
+
+.. _Casbin: https://casbin.org/
