feat: Implement team members endpoint for admin console

Author: rodmgwgu

CHANGELOG.rst

@@ -14,14 +14,33 @@ Change Log
 Unreleased
 **********
 
+1.5.0 - 2026-04-09
+******************
+
+Added
+=====
+
+* Add ``users/`` endpoint to fetch all team members, with optional filters for orgs, scopes, search by username user full name or email, sorting and pagination.
+
+Fixed
+=====
+
+* Fix enforcer ``is_admin_or_superuser_check`` that was not taking into account Org glob scopes.
+
 1.4.0 - 2026-04-09
 ******************
 
+Added
+=====
+
 * Add ``orgs/`` endpoint to list and search orgs, with pagination, as required for filters in the Admin Console.
 
 1.3.0 2026-04-08
 ****************
 
+Added
+=====
+
 * Add stub CCX_COACH role/ CCXCourseOverviewData scope to prevent errors when working with CCX courses.
 * Add ADR for global scope support for role assignments.
 

openedx_authz/api/data.py

@@ -1207,3 +1207,18 @@ def __repr__(self):
         """Developer friendly string representation of the role assignment."""
         role_keys = ", ".join(role.namespaced_key for role in self.roles)
         return f"{self.subject.namespaced_key} => [{role_keys}] @ {self.scope.namespaced_key}"
+
+
+@define
+class UserAssignments:
+    """A user with their role assignments"""
+
+    user: "User"
+    assignments: list[RoleAssignmentData]
+
+
+class UserAssignmentsFilter(Enum):
+    """Enum for the filters that can be applied over UserAssignments."""
+
+    SCOPES = "scopes"
+    ORGS = "orgs"

openedx_authz/api/roles.py

@@ -31,6 +31,9 @@
     "batch_unassign_role_from_subjects_in_scope",
     "get_all_roles_in_scope",
     "get_all_roles_names",
+    "get_subject_role_assignments_in_scope",
+    "get_subject_role_assignments_for_role_in_scope",
+    "get_all_subject_role_assignments",
     "get_all_subject_role_assignments_in_scope",
     "get_permissions_for_active_roles_in_scope",
     "get_permissions_for_roles",
@@ -269,6 +272,29 @@ def batch_unassign_role_from_subjects_in_scope(subjects: list[SubjectData], role
         unassign_role_from_subject_in_scope(subject, role, scope)
 
 
+def get_all_subject_role_assignments() -> list[RoleAssignmentData]:
+    """Get all the roles for every subject across all scopes.
+
+    Returns:
+        list[RoleAssignmentData]: A list of role assignments for the subject.
+    """
+    enforcer = AuthzEnforcer.get_enforcer()
+    role_assignments = []
+    for policy in enforcer.get_grouping_policy():
+        subject = SubjectData(namespaced_key=policy[GroupingPolicyIndex.SUBJECT.value])
+        role = RoleData(namespaced_key=policy[GroupingPolicyIndex.ROLE.value])
+        role.permissions = get_permissions_for_single_role(role)
+
+        role_assignments.append(
+            RoleAssignmentData(
+                subject=subject,
+                roles=[role],
+                scope=ScopeData(namespaced_key=policy[GroupingPolicyIndex.SCOPE.value]),
+            )
+        )
+    return role_assignments
+
+
 def get_subject_role_assignments(subject: SubjectData) -> list[RoleAssignmentData]:
     """Get all the roles for a subject across all scopes.
 

openedx_authz/api/users.py

@@ -11,10 +11,16 @@
 
 from openedx_authz.api.data import (
     ActionData,
+    ContentLibraryData,
+    CourseOverviewData,
+    OrgContentLibraryGlobData,
+    OrgCourseOverviewGlobData,
     PermissionData,
     RoleAssignmentData,
     RoleData,
     ScopeData,
+    UserAssignments,
+    UserAssignmentsFilter,
     UserData,
 )
 from openedx_authz.api.permissions import is_subject_allowed
@@ -32,6 +38,8 @@
     unassign_role_from_subject_in_scope,
     unassign_subject_from_all_roles,
 )
+from openedx_authz.api.utils import filter_user_assignments, get_user_assignment_map
+from openedx_authz.constants.permissions import COURSES_MANAGE_COURSE_TEAM, MANAGE_LIBRARY_TEAM
 
 __all__ = [
     "assign_role_to_user_in_scope",
@@ -43,6 +51,7 @@
     "get_user_role_assignments_for_role_in_scope",
     "get_user_role_assignments_filtered",
     "get_all_user_role_assignments_in_scope",
+    "get_visible_role_assignments_for_user",
     "is_user_allowed",
     "get_scopes_for_user_and_permission",
     "get_users_for_role_in_scope",
@@ -205,6 +214,71 @@ def get_all_user_role_assignments_in_scope(
     return get_all_subject_role_assignments_in_scope(ScopeData(external_key=scope_external_key))
 
 
+def _filter_allowed_assignments(
+    user_external_key: str, assignments: list[RoleAssignmentData]
+) -> list[RoleAssignmentData]:
+    """
+    Filter the given role assignments to only include those that the user has permission to view.
+    """
+    allowed_assignments: list[RoleAssignmentData] = []
+    for assignment in assignments:
+        permission = None
+
+        # For CourseOverviewData and ContentLibraryData, check for the view permission
+        if isinstance(assignment.scope, (CourseOverviewData, OrgCourseOverviewGlobData)):
+            permission = COURSES_MANAGE_COURSE_TEAM.identifier
+        elif isinstance(assignment.scope, (ContentLibraryData, OrgContentLibraryGlobData)):
+            permission = MANAGE_LIBRARY_TEAM.identifier
+
+        if permission and is_user_allowed(
+            user_external_key=user_external_key,
+            action_external_key=permission,
+            scope_external_key=assignment.scope.external_key,
+        ):
+            allowed_assignments.append(assignment)
+
+    return allowed_assignments
+
+
+def get_visible_role_assignments_for_user(
+    orgs: list[str] = None,
+    scopes: list[str] = None,
+    allowed_for_user_external_key: str = None,
+) -> list[UserAssignments]:
+    """
+    Get all user role assignments filtered by orgs and/or scopes, and only include
+    assignments that the specified user has permission to view.
+
+    Args:
+        orgs: Optional list of orgs to filter by (e.g., ['edX', 'MITx']).
+        scopes: Optional list of scopes to filter by (e.g., ['lib:DemoX:CSPROB']).
+        allowed_for_user_external_key: The username to check permissions against (e.g., 'john_doe').
+
+    Returns:
+        list[UserAssignments]: A list of users with their role assignments, filtered by orgs/scopes and permissions.
+    """
+    user_role_assignments = get_user_role_assignments_filtered()
+    # Filter assignments based on the user's permissions
+    user_role_assignments = _filter_allowed_assignments(
+        user_external_key=allowed_for_user_external_key,
+        assignments=user_role_assignments,
+    )
+    # Group assignments by user
+    users_with_assignments = get_user_assignment_map(user_role_assignments)
+
+    users_with_assignments = filter_user_assignments(
+        users_with_assignments=users_with_assignments,
+        by=UserAssignmentsFilter.SCOPES,
+        values=scopes,
+    )
+    users_with_assignments = filter_user_assignments(
+        users_with_assignments=users_with_assignments,
+        by=UserAssignmentsFilter.ORGS,
+        values=orgs,
+    )
+    return users_with_assignments
+
+
 def is_user_allowed(
     user_external_key: str,
     action_external_key: str,

openedx_authz/api/utils.py

@@ -0,0 +1,77 @@
+"""Utility functions used on api"""
+
+from django.contrib.auth import get_user_model
+
+from openedx_authz.api.data import (
+    RoleAssignmentData,
+    UserAssignments,
+    UserAssignmentsFilter,
+)
+
+User = get_user_model()
+
+
+def get_user_map(usernames: list[str]) -> dict[str, User]:
+    """
+    Retrieve a dictionary mapping usernames to User objects for efficient batch lookups.
+
+    This function performs a single optimized database query to fetch multiple users,
+    making it ideal for scenarios where we need to look up several users at once
+    (e.g., when serializing multiple user role assignments).
+
+    Args:
+        usernames (list[str]): List of usernames to retrieve. Duplicates are automatically
+            handled by the database query.
+
+    Returns:
+        dict[str, User]: Dictionary mapping each username to its corresponding User object.
+            Only users that exist in the database are included in the returned dictionary.
+    """
+    users = User.objects.filter(username__in=usernames).select_related("profile")
+    return {user.username: user for user in users}
+
+
+def get_user_assignment_map(role_assignments: list[RoleAssignmentData]) -> list[UserAssignments]:
+    """
+    Group role assignments by user
+    """
+    usernames = {assignment.subject.username for assignment in role_assignments}
+    user_map = get_user_map(usernames)
+
+    users_with_assignments: list[UserAssignments] = []
+
+    for username, user in user_map.items():
+        assignments = [a for a in role_assignments if a.subject.username == username]
+        users_with_assignments.append(UserAssignments(user=user, assignments=assignments))
+
+    return users_with_assignments
+
+
+def filter_user_assignments(
+    users_with_assignments: list[UserAssignments],
+    by: UserAssignmentsFilter,
+    values: list[str],
+) -> list[UserAssignments]:
+    """
+    Filter user assignments by orgs or scopes.
+    """
+    if not values:
+        return users_with_assignments
+
+    def _get_value_to_filter(assignment: RoleAssignmentData) -> str:
+        if by == UserAssignmentsFilter.SCOPES:
+            return assignment.scope.external_key
+        elif by == UserAssignmentsFilter.ORGS:
+            return assignment.scope.org
+        else:
+            raise ValueError(f"Invalid filter: '{by}'. Must be one of {[f.value for f in UserAssignmentsFilter]}")
+
+    filtered_users: list[UserAssignments] = []
+    for uwa in users_with_assignments:
+        if any(_get_value_to_filter(a) in values for a in uwa.assignments):
+            # Also filter assignments to reflect the correct number of assignments
+            filtered_assignments = [a for a in uwa.assignments if _get_value_to_filter(a) in values]
+            filtered_users.append(UserAssignments(user=uwa.user, assignments=filtered_assignments))
+    users_with_assignments = filtered_users
+
+    return filtered_users

openedx_authz/engine/matcher.py

@@ -3,15 +3,24 @@
 from django.contrib.auth import get_user_model
 from edx_django_utils.cache import RequestCache
 
-from openedx_authz.api.data import ContentLibraryData, CourseOverviewData, ScopeData, UserData
-from openedx_authz.rest_api.utils import get_user_by_username_or_email
+from openedx_authz.api.data import (
+    ContentLibraryData,
+    CourseOverviewData,
+    OrgContentLibraryGlobData,
+    OrgCourseOverviewGlobData,
+    ScopeData,
+    UserData,
+)
+from openedx_authz.utils import get_user_by_username_or_email
 
 User = get_user_model()
 
 
 SCOPES_WITH_ADMIN_OR_SUPERUSER_CHECK = {
     (ContentLibraryData.NAMESPACE, ContentLibraryData),
     (CourseOverviewData.NAMESPACE, CourseOverviewData),
+    (OrgContentLibraryGlobData.NAMESPACE, OrgContentLibraryGlobData),
+    (OrgCourseOverviewGlobData.NAMESPACE, OrgCourseOverviewGlobData),
 }
 
 

openedx_authz/rest_api/utils.py

@@ -1,13 +1,11 @@
 """Utility functions for the Open edX AuthZ REST API."""
 
-from django.contrib.auth import get_user_model
-from django.db.models import Q
-
-from openedx_authz.api.data import GLOBAL_SCOPE_WILDCARD, ScopeData
+from openedx_authz.api.data import (
+    GLOBAL_SCOPE_WILDCARD,
+    ScopeData,
+)
 from openedx_authz.rest_api.data import SearchField, SortField, SortOrder
 
-User = get_user_model()
-
 
 def get_generic_scope(scope: ScopeData) -> ScopeData:
     """
@@ -31,46 +29,6 @@ def get_generic_scope(scope: ScopeData) -> ScopeData:
     return ScopeData(namespaced_key=f"{scope.NAMESPACE}{ScopeData.SEPARATOR}{GLOBAL_SCOPE_WILDCARD}")
 
 
-def get_user_map(usernames: list[str]) -> dict[str, User]:
-    """
-    Retrieve a dictionary mapping usernames to User objects for efficient batch lookups.
-
-    This function performs a single optimized database query to fetch multiple users,
-    making it ideal for scenarios where we need to look up several users at once
-    (e.g., when serializing multiple user role assignments).
-
-    Args:
-        usernames (list[str]): List of usernames to retrieve. Duplicates are automatically
-            handled by the database query.
-
-    Returns:
-        dict[str, User]: Dictionary mapping each username to its corresponding User object.
-            Only users that exist in the database are included in the returned dictionary.
-    """
-    users = User.objects.filter(username__in=usernames).select_related("profile")
-    return {user.username: user for user in users}
-
-
-def get_user_by_username_or_email(username_or_email: str) -> User:
-    """
-    Retrieve a user by their username or email address.
-
-    Args:
-        username_or_email (str): The username or email address to search for.
-
-    Returns:
-        User: The User object if found and not retired.
-
-    Raises:
-        User.DoesNotExist: If no user matches the provided username or email,
-            or if the user has an associated retirement request.
-    """
-    user = User.objects.get(Q(email=username_or_email) | Q(username=username_or_email))
-    if hasattr(user, "userretirementrequest"):
-        raise User.DoesNotExist
-    return user
-
-
 def sort_users(
     users: list[dict],
     sort_by: SortField = SortField.USERNAME,

openedx_authz/rest_api/v1/fields.py

@@ -15,6 +15,18 @@ def to_representation(self, value):
         return ",".join(value).lower()
 
 
+class CaseSensitiveCommaSeparatedListField(serializers.CharField):
+    """Serializer for a comma-separated list of strings, case-sensitive."""
+
+    def to_internal_value(self, data):
+        """Convert string separated by commas to list of unique items preserving order"""
+        return list(dict.fromkeys(item.strip() for item in data.split(",") if item.strip()))
+
+    def to_representation(self, value):
+        """Convert list to string separated by commas"""
+        return ",".join(value)
+
+
 class LowercaseCharField(serializers.CharField):
     """Serializer for a lowercase string."""