APAC Priority Item Detail - LTI administration and security

Document created by Stuart Ryan Champion on Feb 15, 2018
Version 1Show Document
  • View in full screen mode

Description

Canvas has given teachers considerable control for managing their own LTI/External Apps.

Although the LTI standard does limit the data available to these external applications, most institutions would still prefer to control what is appropriate and would choose to use the eduappcenter.com whitelist system.

Unfortunately there are two ways to bypass the current controls that should prevent unintended LTI installations.

  1. Items from Canvas Commons can be imported into a course and result in an LTI installation attempt.
  2. Imported .imscc packages can be imported and result in an LTI installation attempt.

The LTI installation attempt is only successful if the LTI does not require a secret and key. If the LTI does require a secret and key, the installation will fail (as listed in the import log), but still be added to the the course menu navigation and application list. An administrator will only know of these new LTI’s if they run a LTI Report and compare it against the institutions whitelist.

 

A vote for this item, is a vote for the following recommendations to help take control of the issue:

  1. When importing content from Canvas Commons or using the Import tool, a new option to prevent LTI installations attempts is defaulted to [prevent].
  2. A new account role setting [LTI import] can prevent/allow LTI installation attempts not on the whitelist. (Imported files or items from the commons would behave, same as now.)
  3. Administrators are notified of LTI installation failures.
  4. The Administrators LTI Report matches LTIs against the appropriate managed whitelist for the course it’s installed on. This would make it easy to identify LTIs that were installed either by an administrator or by some other means that may warrant further investigation.  https://community.canvaslms.com/docs/DOC-12627-421480121

 

Business Impact

The recommended changes to The LTI management options allow for institutions to better implement their own policies and help prevent and manage unintended LTI installations.

 

Additional Resources

NA

 

This also appears in the APAC Areas of Priority

 

Votes

 

Who (@ yourself)Vote ForVote AgainstNotes
Mark Van de Velde yesMain sponsor.

Attachments

    Outcomes