feat: add platform-level glob scope

[BryanttV]

Resolves: #268

Description

This PR adds platform-level glob scopes so role assignments can target all resources of a type across the entire platform, not just within a single organization or specific scope.

Problem

Org-level globs (course-v1:OpenedX+*, lib:DemoX:*) grant access within one org. Some use cases need platform-wide coverage (e.g., a role on all courses everywhere) without assigning per-org globs.

Solution

• Introduce PlatformGlobData and PlatformCourseOverviewGlobData for the course-v1:* pattern (all courses on the platform).
• Split scope registration in ScopeMeta:
  • org_glob_registry: org-wide patterns (renamed from glob_registry)
  • platform_glob_registry: platform-wide patterns
• Add IS_ORG_GLOB / IS_PLATFORM_GLOB flags where IS_GLOB is derived from both.

Additional changes

• Add new registry helpers: get_all_org_glob_namespaces, get_all_platform_glob_namespaces, get_all_registered_scopes)
• PlatformCourseOverviewGlobData included in SCOPES_WITH_ADMIN_OR_SUPERUSER_CHECK |
• In scopes REST API users with a platform glob see unfiltered course/library querysets (same as full platform access)

Related Pull Requests

• feat: add platform glob scope support openedx-platform#38660

Testing Instructions

To test these changes, you can check the REST API.

1. Use the /api/authz/v1/roles/users/ endpoint to add platform-level permissions:

   {
       "users": [
           "john"
       ],
       "role": "course_admin",
       "scopes": [
           "course-v1:*"
       ]
   }

2. Validate the permissions /api/authz/v1/permissions/validate/me

   [
       {
           "action": "courses.view_course_team",
           "scope": "course-v1:OpenedX+DemoX+DemoCourse"
       },
       {
           "action": "courses.manage_course_updates",
           "scope": "course-v1:edunext+RBAC+2026"
       },
       {
           "action": "courses.manage_advanced_settings",
           "scope": "course-v1:any-org+any-course+any-run"
       }
   ]

Response

[
    {
        "action": "courses.view_course_team",
        "scope": "course-v1:OpenedX+DemoX+DemoCourse",
        "allowed": true
    },
    {
        "action": "courses.view_course_team",
        "scope": "course-v1:edunext+RBAC+2026",
        "allowed": true
    },
    {
        "action": "courses.view_course_team",
        "scope": "course-v1:any-org+any-course+any-run",
        "allowed": true
    }
]

Example scope keys

Pattern	Type	Meaning
course-v1:*	Platform glob	All courses on the platform
course-v1:OpenedX+*	Org glob	All courses in org OpenedX
course-v1:OpenedX+Demo+2026	Concrete	Single course

Merge checklist

Check off if complete or not applicable:

• Version bumped
• Changelog record added
• Documentation updated (not only docstrings)
• Fixup commits are squashed away
• Unit tests added/updated
• Manual testing instructions provided
• Noted any: Concerns, dependencies, migration issues, deadlines, tickets

[openedx-webhooks]

Thanks for the pull request, @BryanttV!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[BryanttV]

Hi everyone! This PR is ready for review, however, I have a few questions related to this PR that I'd like to resolve. @mariajgrimaldi @MaferMazu @rodmgwgu @bmtcril

1. This is how it is returned in the /assignments endpoint. Should the org property be "*" since it applies to all organizations at the course level? Or should it be left blank?, Or have some other value?

   {
       "is_superadmin": false,
       "role": "course_admin",
       "org": "*",
       "scope": "course-v1:*",
       "permission_count": 29,
       "full_name": "John Doe",
       "username": "john",
       "email": "john@doe.com"
   }

2. In the /scopes endpoint, only library-specific or course-specific scopes are returned. Should we also return org-level and/or platform-level scopes?

[MaferMazu]

Hello @BryanttV, thanks for this PR.

Regarding your questions:

In the /scopes endpoint, only library-specific or course-specific scopes are returned. Should we also return org-level and/or platform-level scopes?

As a cold answer, I'll say yes, probably we would need that. But it could be out of scope of this PR. I'll open an issue about it.

This is how it is returned in the /assignments endpoint. Should the org property be "*" since it applies to all organizations at the course level? Or should it be left blank?, Or have some other value?

I think it is better to maintain the wildcard to be consistent when someone has permissions across the platform (for example, global staff), and it is easier to handle (because leaving it blank could mean other things).

Notes from my first review:

When I try to assign a user as a course_user on the platform, I get a bad request.

Request:

{
    "users": [
        "course_user"
    ],
    "role": "course_user", // The role to add users to
    "scope": "course-v1:*" // The scope to add users to
}

Answer

{
    "role": [
        "Role 'course_user' does not exist in scope 'course-v1:*'"
    ]
}

We should be able to apply all course roles over this platform course's global scope, right?

Another thing I found is that it is better to use @property def is_glob instead of cls.IS_GLOB = cls.IS_ORG_GLOB or cls.IS_PLATFORM_GLOB, because that could be insecure (the evaluation of the property will occur in runtime, meanwhile the attribute cls.IS_GLOB could be static thanks to inheritance).

[BryanttV]

Thanks for the review! @MaferMazu

As a cold answer, I'll say yes, probably we would need that. But it could be out of scope of this PR. I'll open an issue about it.

Thanks! I agree that we should address this in another PR

I think it is better to maintain the wildcard to be consistent when someone has permissions across the platform (for example, global staff), and it is easier to handle (because leaving it blank could mean other things).

Yes, I also agree with returning *. However, changes should be made to the frontend so that it doesn't just display the * directly.

We should be able to apply all course roles over this platform course's global scope, right?

Yes! This applies to all roles, but the course_user role doesn't exist, which is why it's failing. However, if you try it with any other course role, it should work. The roles where it shouldn't work are the library roles.

Another thing I found is that it is better to use @Property def is_glob instead of cls.IS_GLOB = cls.IS_ORG_GLOB or cls.IS_PLATFORM_GLOB, because that could be insecure (the evaluation of the property will occur in runtime, meanwhile the attribute cls.IS_GLOB could be static thanks to inheritance).

I followed your suggestion and added IS_GLOB as a property here: 1168bee

[MaferMazu]

Yes! This applies to all roles, but the course_user role doesn't exist, which is why it's failing. However, if you try it with any other course role, it should work. The roles where it shouldn't work are the library roles.

🙈 Yes, you are right, it works as expected!

[MaferMazu]

Thanks for addressing my feedback. This looks good to me.

[bmtcril]

Looks good, just a couple of nits because I'm paranoid

[bmtcril]

I don't think these checks / assignments make sense since these are all ClassVars? They should always be assigned. If we are clearing them for testing or something it might make more sense to create a method just for that purpose.

[BryanttV]

I'm really not sure why this was done in the first place, however, removing the code doesn't seem to affect anything anywhere.

@mariajgrimaldi, you implemented this. Do you see any concerns we should take into account? Or can we remove it? For now, I made this commit: f142a26

[bmtcril]

Same comment as above regarding unknown scopes. Can we also create an _is_org_glob to specifically check that format and tighten this up to check for that?

[BryanttV]

Yes, agreed. I created a new _is_org_glob method to perform the explicit check.

[bmtcril]

Same as above, I'd just like to be explicit in our checks of the org globs too.

[BryanttV]

Done!

[bmtcril]

Can we tighten up this check too?

[bmtcril]

I've actually found something testing locally. I think we're in a weird place with global permissions where we're actually using is_staff / superuser, but allow ScopeData(external_key="*") to be created via the public API.

When a user is created with this scope it breaks _filter_allowed_assignments / get_visible_role_assignments_for_user and the REST endpoints that use them with a NotImplementedError for everyone (I think). We should probably refuse to accept those until we're ready to use authz for those assignments instead, and should probably also catch and log NotImplementedError s in _filter_allowed_assignments so bogus rows fail gracefully instead of breaking things.

[bmtcril]

I know this is an example, but PlatformContentLibraryGlobData doesn't exist?

[BryanttV]

Yes, it's just an example. At the moment, that scope doesn't exist. I'll remove it.

[bmtcril]

Not in your changes, but a 3rd place where we could stop defaulting and raise an error on unknown scopes.

[BryanttV]

Yes, I agree. I added those changes in this commit: b9dd29b

[BryanttV]

Thanks for the review, @bmtcril!

I've actually found something testing locally. I think we're in a weird place with global permissions where we're actually using is_staff / superuser, but allow ScopeData(external_key="*") to be created via the public API.

When a user is created with this scope it breaks _filter_allowed_assignments / get_visible_role_assignments_for_user and the REST endpoints that use them with a NotImplementedError for everyone (I think). We should probably refuse to accept those until we're ready to use authz for those assignments instead, and should probably also catch and log NotImplementedError s in _filter_allowed_assignments so bogus rows fail gracefully instead of breaking things.

I took your suggestions into account and restricted the use of ScopeData(external_key="*") and properly handled the NotImplementedError. Additionally, I added extra validations in the serializer to prevent creating a global scope and return a controlled error.

[BryanttV]

I had to add a new commit to fix some tests that weren't using a valid namespace: 8d7c87f

[bmtcril]

Should we return this here, or raise? I'm not sure what the success case would be for something that got here.

[BryanttV]

ScopeData was being returned for the lib^* and course-v1^* cases. However, I added new changes to specifically handle those cases, and to raise an exception for any other case: 3590a75

[bmtcril]

This seems good to me, pending Maria's input on the open question in data.py and a decision on my last comment about returning a ScopeData or raising a ValueError.