feat: store actor as username string in RoleAssignmentAudit

mariajgrimaldi · mariajgrimaldi · commit ff6ddebf9ee1 · 2026-04-15T20:45:30.000+02:00
Change RoleAssignmentAudit.actor from ForeignKey(User) to a plain
CharField storing the username. Attribution of the operation is preserved unconditionally: deleting or retiring a user does not affect existing audit records, and the audit log has no dependency on the User table.

The event payload carries actor as a username string resolved from
get_current_user() at API call time.

Update ADR-0012 to document the decision and its rationale.
diff --git a/docs/decisions/0012-auditability.rst b/docs/decisions/0012-auditability.rst
@@ -70,11 +70,12 @@ Event payload
         "subject":   "<namespaced subject key, e.g. user^alice>",
         "role":      "<namespaced role key, e.g. role^instructor>",
         "scope":     "<namespaced scope key, e.g. course-v1^course-v1:Org+Course+Run>",
-        "actor":     "<User object for the caller, or None for system actor>",
+        "actor":     "<username of the caller, or None for system actor>",
     }
 
 The actor is resolved from ``django_crum.get_current_user()`` at API call time. No callers
-need to pass ``actor=`` explicitly.
+need to pass ``actor=`` explicitly. The username is stored as a plain string rather than a
+reference to the ``User`` record, so attribution is preserved even if the user is deleted.
 
 Audit table
 -----------
@@ -141,11 +142,11 @@ Consequences
    Consumers requiring guaranteed delivery must implement their own retry logic.
 
 #. **``actor`` is nullable.** Non-request contexts (management commands, background tasks)
-   record ``None``, logged as a system operation. ``actor`` is stored as a FK to ``User``
-   with ``SET_NULL``: deleting a user loses attribution for their audit records. This is
-   accepted because user deletion is rare in Open edX (retirement anonymizes rather than
-   hard-deletes), and the FK enables admin filtering by actor. If unconditional attribution
-   durability is needed, ``actor`` should be a plain string field instead.
+   record ``None``, logged as a system operation. ``actor`` is stored as a plain username
+   string rather than a FK to ``User``. Attribution is preserved unconditionally: deleting
+   or retiring a user does not affect existing audit records. This also avoids a dependency
+   on the ``User`` table from the audit log, keeping audit records fully independent from
+   live data.
 
 #. **Audit records are independent from live authorization state.** Deleting a subject,
    scope, or role does not remove its audit history. Records may reference identifiers that
diff --git a/openedx_authz/api/roles.py b/openedx_authz/api/roles.py
@@ -243,7 +243,7 @@ def assign_role_to_subject_in_scope(subject: SubjectData, role: RoleData, scope:
                 subject=subject.namespaced_key,
                 role=role.namespaced_key,
                 scope=scope.namespaced_key,
-                actor=get_current_user()
+                actor=getattr(get_current_user(), "username", None)
             )
         )
     )
@@ -294,7 +294,7 @@ def unassign_role_from_subject_in_scope(subject: SubjectData, role: RoleData, sc
                     subject=subject.namespaced_key,
                     role=role.namespaced_key,
                     scope=scope.namespaced_key,
-                    actor=get_current_user()
+                    actor=getattr(get_current_user(), "username", None)
                 )
             )
         )
diff --git a/openedx_authz/migrations/0008_roleassignmentaudit.py b/openedx_authz/migrations/0008_roleassignmentaudit.py
@@ -1,14 +1,11 @@
-# Generated by Django 4.2.24 on 2026-04-14 09:51
+# Generated by Django 4.2.24 on 2026-04-15 16:48
 
-from django.conf import settings
 from django.db import migrations, models
-import django.db.models.deletion
 
 
 class Migration(migrations.Migration):
 
     dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
         ("openedx_authz", "0007_coursescope"),
     ]
 
@@ -32,20 +29,37 @@ class Migration(migrations.Migration):
                         max_length=20,
                     ),
                 ),
-                ("subject", models.CharField(max_length=255)),
-                ("role", models.CharField(max_length=255)),
-                ("scope", models.CharField(max_length=255)),
-                ("timestamp", models.DateTimeField()),
+                (
+                    "subject",
+                    models.CharField(
+                        help_text="Namespaced key of the subject (e.g. 'user^john_doe').",
+                        max_length=255,
+                    ),
+                ),
+                (
+                    "role",
+                    models.CharField(
+                        help_text="Namespaced key of the role (e.g. 'role^library_admin').",
+                        max_length=255,
+                    ),
+                ),
+                (
+                    "scope",
+                    models.CharField(
+                        help_text="Namespaced key of the scope (e.g. 'course-v1^course-v1:org+course+run') or glob pattern.",
+                        max_length=255,
+                    ),
+                ),
                 (
                     "actor",
-                    models.ForeignKey(
+                    models.CharField(
                         blank=True,
+                        help_text="Username of the user who performed the operation, or None for system-initiated actions.",
+                        max_length=150,
                         null=True,
-                        on_delete=django.db.models.deletion.SET_NULL,
-                        related_name="performed_role_assignment_audits",
-                        to=settings.AUTH_USER_MODEL,
                     ),
                 ),
+                ("timestamp", models.DateTimeField()),
             ],
             options={
                 "verbose_name": "Role Assignment Audit",
diff --git a/openedx_authz/models/core.py b/openedx_authz/models/core.py
@@ -288,12 +288,11 @@ class Operations(NamedTuple):
         max_length=255,
         help_text="Namespaced key of the scope (e.g. 'course-v1^course-v1:org+course+run') or glob pattern.",
     )
-    actor = models.ForeignKey(
-        User,
-        on_delete=models.SET_NULL,
+    actor = models.CharField(
+        max_length=150,
         null=True,
         blank=True,
-        related_name="performed_role_assignment_audits",
+        help_text="Username of the user who performed the operation, or None for system-initiated actions.",
     )
     timestamp = models.DateTimeField()
 
diff --git a/openedx_authz/tests/api/test_roles.py b/openedx_authz/tests/api/test_roles.py
@@ -6,13 +6,13 @@
 """
 
 from importlib.resources import files
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch
 
 import casbin
 from ddt import data as ddt_data
 from ddt import ddt, unpack
 from django.test import TestCase
-from openedx_events.authz.signals import ROLE_ASSIGNMENT_CREATED, ROLE_ASSIGNMENT_DELETED
+
 
 from openedx_authz.api.data import (
     ActionData,
@@ -52,7 +52,7 @@
 from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
 from openedx_authz.models import ExtendedCasbinRule, Scope, Subject
-from openedx_authz.models.core import RoleAssignmentAudit
+
 
 
 def _mock_get_or_create_scope(scope_data):

Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,7 @@ def assign_role_to_subject_in_scope(subject: SubjectData, role: RoleData, scope:`
`243`	`243`	`subject=subject.namespaced_key,`
`244`	`244`	`role=role.namespaced_key,`
`245`	`245`	`scope=scope.namespaced_key,`
`246`		`- actor=get_current_user()`
	`246`	`+ actor=getattr(get_current_user(), "username", None)`
`247`	`247`	`)`
`248`	`248`	`)`
`249`	`249`	`)`
`@@ -294,7 +294,7 @@ def unassign_role_from_subject_in_scope(subject: SubjectData, role: RoleData, sc`
`294`	`294`	`subject=subject.namespaced_key,`
`295`	`295`	`role=role.namespaced_key,`
`296`	`296`	`scope=scope.namespaced_key,`
`297`		`- actor=get_current_user()`
	`297`	`+ actor=getattr(get_current_user(), "username", None)`
`298`	`298`	`)`
`299`	`299`	`)`
`300`	`300`	`)`