When an institutional admin creates a subaccount role with elevated permissions, the role’s permissions work when other users are enrolled via the UI, but do not work when imported using SIS Imports.
For example, a Canvas admin creates a subaccount-level “SuperTeacher” role (based off the teacher role) granting extra permissions to edit student access. The SuperTeacher role’s extra permissions work only with students enrolled via the UI, but do not work with any student enrolled with SIS Import. Even a subaccount admin cannot edit students enrolled by SIS Imports, only a Canvas institutional-level admin can edit students brought in by SIS Imports.
We were told this behavior is by design, but common sense suggests specially created roles need to work in a uniform manner - regardless of the method users are enrolled.