Course Access Control — Org-Member Restriction
As of v1.0.68, the platform enforces that only authenticated members of the organization that owns a course may view, enroll in, or access individual lessons. This access control model is applied automatically across all learner-facing pages.
How It Works
Every learner-facing page in the course delivery flow — including the course catalog, course detail page, enrollment action, and individual lesson pages — performs an org-membership check before rendering content or allowing any action.
The check follows two steps:
- Authentication check — Is the user logged in?
- Org-membership check — Does the authenticated user belong to the organization that owns the course?
If either check fails, the user is immediately redirected to the SSO login flow for the owning organization.
```text
Learner requests page
        │
        ▼
Is user authenticated?
        ├── No  → Redirect to SSO login
        └── Yes ↓
Is user a member of the owning org?
        ├── No  → Redirect to SSO login
        └── Yes → Serve page / allow action
```
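The two-step check and its redirect behaviour, written as a pure decision function in Python as an added illustration; this is not the platform's own code, and the `User`/`Course` types, the `/sso/{org}/login` path and the `return_to` parameter are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
from urllib.parse import quote


@dataclass(frozen=True)
class User:
    id: str
    org_ids: FrozenSet[str]  # org memberships as asserted by the SSO identity provider


@dataclass(frozen=True)
class Course:
    id: str
    owner_org_id: str  # set at course creation or import time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    redirect_to: Optional[str] = None  # SSO login URL when access is refused


# Hypothetical per-org SSO entry point (assumption, not a real platform route).
SSO_LOGIN_PATH = "/sso/{org_id}/login"


def safe_return_path(path: str) -> str:
    """Only a same-site relative path may be used as the post-login return target,
    so the SSO redirect cannot be turned into an open redirect."""
    if path.startswith("/") and not path.startswith("//") and "\\" not in path:
        return path
    return "/"


def check_course_access(user: Optional[User], course: Course, requested_path: str) -> Decision:
    """Step 1: is the user authenticated?  Step 2: is the user a member of the owning org?
    Both failures yield the identical SSO redirect, so the response never confirms
    that the course exists. Lesson pages call this same check; enrollment status
    plays no part in it."""
    sso_url = SSO_LOGIN_PATH.format(org_id=course.owner_org_id)
    sso_url += "?return_to=" + quote(safe_return_path(requested_path))
    if user is None:
        return Decision(False, sso_url)
    if course.owner_org_id not in user.org_ids:
        return Decision(False, sso_url)
    return Decision(True)
```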
Protected Pages and Actions
| Page / Action | Protection Applied |
|---|---|
| Course catalog | Org-membership check |
| Course detail page | Org-membership check |
| Enroll in course | Org-membership check |
| Individual lesson page | Org-membership check |
Redirect Behaviour
- Unauthenticated users are redirected to the SSO login flow before any course content is revealed.
- Authenticated users from a different organization are also redirected to the SSO login flow. They do not receive an explicit "access denied" message that would confirm the course exists.
- After successful SSO authentication, users who are valid org members are returned to their originally requested page.
Configuration
No additional configuration is required to enable org-membership enforcement — it is active by default for all courses. Access control is derived from:
- The organization ownership of the course (set at course creation or import time).
- The authenticated user's org membership, as asserted by the SSO identity provider.
Ensure your SSO provider is configured to assert the correct organization membership claims. Refer to the SSO Integration guide for claim mapping details.
Security Considerations
- Protection is applied at the server level on every page render and every action — there is no client-side-only gating.
- Lesson-level enforcement is independent of course-level enrollment status, meaning a user cannot access a lesson URL directly without passing the membership check.
- Cross-org access is not possible regardless of how a URL is obtained (e.g. shared link, imported bookmark).