Currently, the Role API is only available to access tokens generated by an admin. So, to know what a user can do, I have to get ahold of an Admin token.
This is BAD. This forces me to get a token with god mode access just to do the simple task; for example, checking to see if a user role has enough permissions to use my LTI. For security reasons, and to convince clients that I am very careful of their data, I would rather never ask for an admin access token.
Also, every time a role is changed, I have to find an Admin to approve the LTI again so I can get updated permissions. This can be a real pain if admins are difficult to get access to. Also, it could potentially break my LTI if my record of permissions does not match the canvas record of permissions. There is no way for me to know if the permissions have changed unless an admin logs in.
This can be avoided by allowing a user's role to see and report their OWN permissions. That way when a user accesses my LTI, I can quickly check their role's permissions and notify them if they do not have enough permissions to use my LTI.
Thanks for considering this idea!