Add course-level & account-level permissions for LTI installation

Idea created by Steven Williams on Jul 22, 2016
      This idea has been developed and deployed to Canvas


      Idea open for vote Wed. August 3, 2016 - Wed. November 2, 2016  Learn more about voting...

    Currently, all users with editing access to a course site (via the course-level and account-level "Manage all other course content" permission) have the ability to install a third-party LTI tool within a course. This setting bundles together Modules, Collaborations, LTI, Home Page, Chat, Attendance into a single permission.


    Unlike all the other content types included in this permission, which are all native to Canvas, LTI tools have the ability pass through a great deal of student data to a third-party site. This can create legal risks around FERPA and other laws related to student records and privacy.


    Currently, some universities use Javascript in order to suppress the options to add an external app when a page is rendered within Canvas. However, this does not have any impact on a user's ability to add an LTI tool, and they can still do so via workarounds including importing a course archive that already has the tool enabled.


    Adding granularity to this permission would allow institutions to better fulfill their obligations to protect the privacy of student data, and make decisions locally about who should have the ability to install tools that pass student information outside of Canvas.



      Comments from Instructure


    For more information, please read through the Canvas Production Release Notes (2016-11-19)