Authorization best practice OEP needed

[robrap]

It would be great to have an Authorization best practice OEP that works much like OEP-4: Authentication, which is less about making decisions than being an index of ADRs, documents, and introductory text regarding our Authorization best practices.

However, at this time, those best practices may be somewhat controversial because we are lacking said document. This issue can be used to collect documentation, comments, etc. regarding this topic in preparation for some future OEP.

Here is some context of what exists today:

• A fairly recent (2023) Platform Roadmap issue on Authorization (Platform Roadmap).
• A library (2019) edx-rbac used for Authorization.
  • A search of our public docs for rbac.
  • A public Confluence page on Authorization and edx-rbac
• The very old (2016) OEP-9: User Authorization.
  • The OEP doesn't even mention edx-rbac.
  • The OEP predates our use of Provisional status to show something aspirational.
  • It is unclear how much we are following this OEP, if at all.
  • The OEP doesn't mention the numerous ways authorization is handled today, either as Rejected/Deprecated ways or otherwise.
• Scopes documentation:
  • Deleted OEP on scopes (initially merged as Under Review)
  • ADRs 5-7,11,12 in edx-platform.

[robrap]

Here is a newer Google doc on Roles and Permissions that is a WIP at this point.

[hsinkoff]

Tech Spec related to the RBAC project.

[sarina]

I think an Authorization OEP is a good idea, but as a project we're pretty far away from it. Adding the Discovery label to it and tagging @feanil and @ormsbee to keep in the backs of our minds as we approach the R&P work.

[robrap]

I'm not sure if 100% of this is covered, but it was already completed with this OEP: https://open-edx-proposals.readthedocs.io/en/latest/best-practices/oep-0066-bp-authorization.html

[sarina]

Ha! I only saw OEP-9 in the right sidebar listed as obsolete and didn't follow the link to OEP-66. Thanks Robert!