Enterprise role assignments will record a customer UUID ------------------------------------------------------- Status ====== Accepted - January 2021 Context ======= The ``SystemWideEnterpriseUserRoleAssignment`` model is used to grant role-based permissions to enterprise users. These permissions generally control the users' access to data and ability to perform certain functions within an enterprise customer. This assignment model does `not` currently refer to any specific customer - the "context" to which a role is applied is inferred from a user (an ``auth.User`` record) having been "linked" to a customer via the ``EnterpriseCustomerUser`` model. However, a single ``auth.User`` may be linked to multiple ``EnterpriseCustomers``, and if that user is assigned a role (such as ``enterprise_admin``), it is inferred that the role assignment applies to **every** customer to which the user is linked. This is undesirable; we generally do not want an admin of `Customer A` to also have admin permissions for `Customer B` (to which the user may be linked as a mere ``learner``). Instead, the ``SystemWideEnterpriseUserRoleAssignment`` model should explicitly record *which* customer the assigned user has the given role in. Decisions (interspersed with Consequences) ========================================== We'll add an ``enterprise_customer`` field to the assignment model ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * It will be an optional field. It should be a foreign key on ``EnterpriseCustomer.uuid``. * Via an edx-rbac change, we will also add a boolean ``applies_to_all_contexts`` field, which is a wildcard that, if true, indicates the user has the role assigned for every customer. It should default to ``false``. * The semantics of ``applies_to_all_contexts`` imply that ``enterprise_customer`` will sometimes be null. For example, a user assigned the ``enterprise_openedx_operator`` role will have ``applies_to_all_contexts`` set to ``true`` and an ``enterprise_customer`` as ``null``. * We will add a customer validator to enforce that the ``enterprise_customer`` field can be null only when ``applies_to_all_contexts`` is true. We'll backfill the values of this field ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * We'll make the current, implicit assignments (that is, if a role is assigned to a user, that role applies to the user in every customer to which the user is linked) explicit by filling in the UUID value of the linked enterprise customer. * For ``enterprise_openedx_operator`` roles, the ``applies_to_all_contexts`` field will be marked true. We'll do a hand-audit of enterprise_admin role assignments ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * For every user who is effectively an admin of two different enterprise customers, we'll have to manually determine (with help from our support team) which of the two customers they are actually an admin of, and which they are simply a learner within (unless they're truly an admin of both). The context of a system-wide enterprise assignment is determined from ``enterprise_customer`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * This is true for every role. * If ``applies_to_all`` is true, ``get_context()`` should return the wildcard context token "*". * The code that populates the user JWTs with (role name, customer UUID) pairs shouldn't have to change - that code should only be looking at the ``get_context()`` method of the role assignment class. Admin forms must record a value for ``enterprise_customer`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * It would be nice to "auto-populate" it somehow if the user is linked to only one enterprise customer. This field will be populated by signal handlers related to enterprise user CRUD operations ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * Every user will get an ``enterprise_learner`` role assignment for the given enterprise. * Pending admin "conversion" will result in an ``enterprise_admin`` role assignment for the given enterprise. * We'll delete the role assignment when an ``EnterpriseCustomerUser`` is deactivated.