[DEPR]: Libraries' Roles and Permission System

[MaferMazu]

RFC Start Date

2025-10-16

Target Plan Accepted Date

2025-10-30

Target Transition Unblocked Date

December 2025 (With Ulmo cut)

Earliest Breaking Changes Unblocked Date

April 2026

Earliest Open edX Named Release with Breaking Changes

Verawood

Rationale

The Roles and Permissions improvement project aims to enhance the management of permissions on the Open edX platform. To mitigate the possible risk associated with completely overhauling a core system like authorization, our primary strategy is to implement a staging or phased migration plan. We will start migrating the current library permissions and roles to the new authorization system.

Removal

• Libraries Roles and Permission System
  • API methods regarding authorization in https://github.com/openedx/edx-platform/tree/a0b4f8168659795a5c356e83b4dfed16fb4282ae/openedx/core/djangoapps/content_libraries/api
  • The Rest API methods regarding authorization in https://github.com/openedx/edx-platform/tree/a0b4f8168659795a5c356e83b4dfed16fb4282ae/openedx/core/djangoapps/content_libraries/rest_api
  • The library's permissions: https://github.com/openedx/edx-platform/blob/a0b4f8168659795a5c356e83b4dfed16fb4282ae/openedx/core/djangoapps/content_libraries/permissions.py
  • ContentLibraryPermission model: https://github.com/openedx/edx-platform/blob/a0b4f8168659795a5c356e83b4dfed16fb4282ae/openedx/core/djangoapps/content_libraries/models.py#L186

Replacement

• New AuthZ System: https://github.com/openedx/openedx-authz
  • API: [FC-0099] feat: add public API to interact with roles and permissions openedx-authz#75
  • Rest API: [FC-0099] feat: add rest api for roles and permissions openedx-authz#84
  • Libraries permissions and roles: [FC-0099] docs: add the default roles and permissions documentation openedx-authz#94
  • Policy: [FC-0099] feat: add default policy and fix tests openedx-authz#92

Deprecation

• We'll mark the rest api methods regarding authorization in content libraries as depr.
• We'll mark the ContentLibraryPermission model as depr.

Additional Info

Note

For the Ulmo release, we are going to add this new authorization system without removing the existing one, following the expand-contract deprecation model.

More information: openedx/openedx-authz#66

Task List (Transition Unblocked)

• Having a migration script to transform existing explicit role assignments into the new authorization model

Task List (DEPR)

• Remove the code mentioned in the removal section.

[feanil]

@MaferMazu are there any operator changes here, is there an operator scrip that operators need to run or will it be automatic?

This DEPR may not be needed if there is no end-user or operator impact so we're looking to better understand what the plan is before the next named release.

[MaferMazu]

@MaferMazu are there any operator changes here, is there an operator scrip that operators need to run or will it be automatic?

No, there is no operator change here.

We migrate the content library data via a Django migration, which is performed automatically. Details: openedx/openedx-authz#134

---

The only possible impact we had for operators or end-users is the changes in Django Admin, if someone sets the library team in the content library module in Django Admin, it won't have an effect. - It is a hidden way, but it is a way. And I forgot to mark it as deprecated or directly remove the inline of the admin page before the Ulmo release.

I can open a PR about it, but I'm not sure we still need this DEPR ticket. What do you think?

Django Admin Page affected.

[feanil]

Gotcha, is it possible to just remove the option to change the library teams via django admin if it's going to have no effect? Then people can't do the wrong things and expect them to work. It sounds like this DEPR is useful for maybe communicating that the admin UI for managing library permissions is going away?

[dianakhuang]

We think that this is worth a DEPR, even if we think the DEPR impact will be low. We don't need a long comment period for this, so we can move it into Plan Accepted.