Open edX Authorization Systems Explicit Roles Table

edX Platform - Course Roles

System Users	Roles are assigned by instructors in the LMS and by CMS admins in the CMS. Roles are assigned to users (other than students) who need elevated access in the LMS or CMS, but roles may also apply to other systems. Roles can be assigned in the django admin dashboard.
System Role Options	Example roles as named in db: instructor, staff, beta_tester, etc. Example roles as named in Instructor Dashboard/Course Teams: Admin, Staff, Beta Tester, etc.
Example Use Cases	Course level access Course Level Access, granted across an org of the system Role/Permission set likely to be needed for many users Roles need to be assignable within the UI Roles need to be assignable by others with a specific role on the course
System Details	LMS Instructor role can access and assign course roles Roles can be assigned in the membership tab on the instructor dashboard page Roles assigned in the LMS may exist in the CMS CMS Admin role can access and assign course roles Roles can be assigned on course team page Roles assigned in the CMS must also exist in the LMS Connected to the django admin dashboard through admin.py file. Roles assigned on a course by course basis, an org by org basis, or for the entire system.
Data Model	student_courseaccessrole database table in the edx-platform LMS database with course_id, id, org, role, user_id, _sdc_deleted_at fields Note: If the course_id column is an empty string the role is for the org, if the org and course_id are empty strings the role is for the entire system.

comment_client - Discussion Roles

System Users	Roles are assigned by instructors in the LMS. Roles can be assigned to any user who needs elevated access to Discussions. The role of administrator cannot be removed from the instructor.
System Role Options	Example roles as named in the db: Administrator, Moderator, etc. Example roles as named in Instructor Dashboard: Discussion Admin, Discussion Moderator, etc.
Example Use Cases	Discussion Service
System Details	LMS Instructor role can access and assign discussion roles Roles can be assigned in the membership tab on the instructor dashboard page Roles assigned in the LMS only apply to the LMS Discussions Administrator role is given to the instructor by default and cannot be removed. Additional administrators can be added
Data Model	All tables are in the edx-platform LMS database django_comment_client_role table with course_id, id, name fields django_comment_client_role_users table with id, role_id, user_id, _sdc_deleted_at fields django_comment_client_permission_roles table with id, role_id, permission_id fields django_comment_client_permission table with name field

edx Platform - Django Admin Flow

System Users	Roles are assigned by superusers who have django admin access. Any user can be assigned a permission set or a group (that has a permission set) through this process.
System Role Options	Currently Existing Roles Note: Student is not an explicit role at this time. It is an implicit role based on the existence of an enrollment.
Example Use Cases	Higher level system access Specific or individualized access required Higher level of control needed for assigning the roles
System Details	Set in the Django Admin Control Panel users for the instance with superuser role (highest access level) have access to this functionality poor UX, poor discoverability, overly complex and possibly more error prone Note: Other services have their own Django Admin Panels that grant permissions.
Data Model	All tables are in the edx-platform LMS database auth_permission table with codename, content_type_id, id_name fields auth_group table with id, name fields auth_group_permissions table with group_id, permission, permission_id, _sdc_deleted_at fields auth_user table with id, email, username, and many other fields auth_user_groups table with group_id, id, user_id, _sdc_deleted_at fields auth_user_user_permissions table with id, permission_id, user_id fields

edx-rbac

System Users	Each service determines who can assign roles. Each service determines which users roles can be assigned to.
System Role Options	Each service that uses edX-rbac has its own list of explicit roles.
Example Use Cases	Role needed only for a specific service Roles needed across contexts Ability to assign roles needed within the code Ability to manage role permissions within the code
System Details	Each service that follows the edX-rbac spec determines the scope of the role Each service determines what other roles can explicitly grant access and where implicit access can come from (i.e. a system wide role may have implicit access) Roles can be assigned for a feature or the service The edX-rbac spec is designed to be usable by an instance, org, or service Role assignments typically “stored” in the JWT cookie, but roles are stored in the db and therefore can be used from the db.
Data Model	Each service that uses edX-rbac has its own db tables.

content_libraries - v2 Library Roles

System Users	Roles are assigned by the library creator in the CMS. Roles can be assigned in the django admin dashboard.
System Role Options	Roles: admin = Administer users and author content author = Author content read = Read-only
Example Use Cases	v2 Content Library Service
System Details	Set in the CMS Roles can be assigned through the CMS UI Roles can be assigned through the LMS django admin dashboard Roles are assigned per library. Roles can be assigned in the UI by an admin for the library or a user with the global_staff role. Connected to the django admin dashboard through admin.py file.
Data Model	content_libraries_contentlibrarypermission table in the edx-platform LMS database with access_level, id, library_id, user_id, _sdc_deleted_at fields