I don’t know much about OpenEdx authorization but as a user with a bit of technical knowledge, I want to share some problems I have faced and possible solutions.
It’s a very old problem with RBAC, let’s say I have 2 staff with slightly different permissions, for example, one of them can not grade student submissions but the other can, with the current system I can not do anything to achieve this, and with different combination of permissions, it could lead to the creation of a lot of roles, and yet not dynamic.
To make it both user-friendly and dynamic, I can think of a system that only contains Staff, you create a staff and then assign a predefined set of permissions (for example Staff, Limited Staff, Studio author, Sales,…) for them, and then the course admin can further tunning these permissions per staff to add or remove permission. This can be achieved easily with a page of permission (or groups of permissions) with checkboxes.
In the back end, developers can check for permission on resources rather than roles.
What do you think about this?