@bmtcril: remember we talked about the usage of this generic scope? I think we found one!

I was thinking of changing NAMESPACE to an empty string cause I'm not sure how descriptive is sc. What do you think?

FYI @MaferMazu @BryanttV

What did "sc" stand for?

Maybe we could change it to something related to "anonymous", as if it's supposed to identify scopes that don't map to specific objects, then they are "anonymous"?

Thinking on the usage of a namespaced key, it would look something like:

"anon^*"

Otherwise if we use an empty string, it woud be like "^*" right?

Won't this cause confusion because of the "missing" namespace?

sc means scope 🥲, not very explicit though. Initially was only to have base definitions for all the other scopes, but now we can use it for global scopes so it might make sense to change this namespace.

Won't this cause confusion because of the "missing" namespace?

I think it will! Considering what I said here, https://github.com/openedx/openedx-authz/pull/132/files#r2486208488, instead of anonymous, should we use global or some synonym?

I think global makes the most sense, but whatever we use needs to be something that will never get a real value of the same name, right?

Exactly! What about these?

1. global: global^* (++1 most votes)
2. instance: instance^*

In all cases, having something like can_create_libraries in NAMESPACE^* would mean I can create any number of libraries in my Open edX instance. This only makes sense for the * external key, right? It wouldn’t make sense for a specific key or would it also apply there? If so, then maybe we won't get values with the same name?

My understanding here is that in the case of the can_create_libraries permission, global^* Would mean that it applies to anything, not only libraries, but in practice can_create_libraries will only be evaluated on lib objects.

But, if at some point we add some more generic permissions, like can_create, that could apply that more than one domain object, then we could define more specific things, like global^*:DemoX:CSPROB, that would apply on anything on the org DemoX that is called CSPROB (courses, libs, etc). But this is a whole different level of complexity that I don't think we need now.

The thing with can_create_libraries is that we can't actually evaluate it with a concrete library, but only against the instance (not sure how to call it) so it could be similar to can_create but only checked in context of libraries - hopefully I'm not getting all of this mixed up (so please correct me if I'm wrong!) 😅

that would apply on anything on the org DemoX that is called CSPROB (courses, libs, etc). But this is a whole different level of complexity that I don't think we need now.

I totally agree. Do you think global^*:DemoX:CSPROB wouldn't work for that can_create case? Oh I understand now! We should consider also cases without the *!

Oh you are right, for can_create_libraries it doesn't make sense to specify a concrete library, so global makes sense there. It would make sense for something like can_edit_library instead.

Generic or global?

If this is a question on naming, I think global is clearer.

I initially used generic scope cause this scope can be specialized into other scopes: content libraries, courses... But this might be too ambiguous. It might make sense making it global when not specialized?

Global makes more sense to me 👍

If this is a question on naming, I think global is clearer.

What did "sc" stand for?

Maybe we could change it to something related to "anonymous", as if it's supposed to identify scopes that don't map to specific objects, then they are "anonymous"?

Thinking on the usage of a namespaced key, it would look something like:

"anon^*"

Otherwise if we use an empty string, it woud be like "^*" right?

Won't this cause confusion because of the "missing" namespace?

Should we change this to GLOBAL_SCOPE_WILDCARD?

Done! Thanks for the suggestion :)