Update August 9, 2018

Canvas has provided their own, much more awesome, solution to this with the July 14, 2018, release. Documentation is available in the Canvas Admin Guide What user roles and permissions are available in Canvas? 

The Canvancement no longer functions because of changes, but even more important, it's not needed anymore. Users who were using it should uninstall the script.

Note that people who are self-hosting and aren't upgraded may still benefit from the script.

Original Post

Quick Install

For those power users who are impatient, here are the quick install steps.

1. Install a browser add-on: Greasemonkey for Firefox or Tampermonkey for Firefox/Chrome/Safari.
2. Install the Permission Page Role Sorter user script.
3. Navigate to the Admin Permissions page and click on the name of any role to move that role to the front of the list

Note that step 1 is only necessary if you haven't already installed the extension.

The Problem

This Canvancement is in response to the https://community.canvaslms.com/ideas/3358-permissions-page-improvements" modifiedtitle="true" title... feature request by  @vrichter . The issue with the Permissions Page is that there are so many roles and so many permissions that you cannot see them all without scrolling or setting the zoom level so small that you can no longer read things. There are scrollbars if needed, but they scroll the entire page and this scrolls the names of the roles off the top or the names of the permissions off the left.

Some people have gotten creative, like putting tape on their monitor so they can follow the right columns as they scroll down and lose the names of the roles off the top. There is no good fix for scrolling to the right -- the only real suggestions being to shrink the font size or buy a really large monitor. Other people did a screen capture, cut out the roles that weren't needed, and then printed it on legal size paper, but that doesn't address the issue of making changes on the computer where the scrolling issues still exist.

The suggested resolution on that page was to make this act like the gradebook where the column and row headings remain fixed on the screen as the user scrolls.

At first, I thought that was probably the best solution as well, but then as I started to look into the situation, I came up with a couple of different ideas. You could hide all of the columns that you're not using or you could move the column that you want to the beginning. The first idea only took a couple of lines of jQuery to accomplish while the second was a little more difficult with about 10 lines.

After thinking about it, I decided that it would be more useful to move the current role to the beginning. I don't do a lot of work with roles and permissions, but I could envision the need to compare two roles to each other, looking for differences. With the current system, they are most likely not next to each other and it makes comparison difficult, especially once you scroll down and the lose the headings. But if you could move both of your roles to the beginning, then they would be side by side to make the comparison easier and they would be the first two columns so easier to locate when you scrolled and lost your headings.

Neither of those was interactive, though, and that would be critical for ease of use. That's where this script comes in.

The Solution

The Permission Page Role Sorter script adds an event listener to the headings at the top of the course roles table and the account roles table in Canvas and then waits for someone to click on the headings.

When the name of the role is clicked, it moves that column to the front of the list next to the permission labels.

Example

Here is the default Permissions page for our Canvas instance.

The primary order of the roles (columns) is Student, TA, Teacher, Designer, and Observer. Immediately following any of those built-in roles are the roles that are based off of the built-in role and those are listed in alphabetical order. Our Advisor and Dean roles are based off the Teacher role, so they follow Teacher with Advisor coming alphabetically before Dean.

But let's say that you want to compare the Student TA (based off a student role) with the Accommodations TA (based off the teacher role). Those are in columns 4 and 7 (not counting the permissions). When you scroll vertically, you lose those headings.

With this script, you can click on the names of the roles at the top of the columns to move that column to the beginning of the list. If I want Student TA in the first column and Accommodations TA in the second column, I would first click on the ACCOM TA label to move it into the first column, shifting everything else to the right. Then I would click on the Student TA label to move it into the first column, shifting everything else, including the ACCOM TA to the right. We now have Student TA in the first column and ACCOM TA in the second column.

Here is a short video demonstrating that. It's 18 seconds long and most of that is me talking through what I want to happen.

Technical Details

The script runs on *.instructure.com/account/*/permissions. If you are using a custom domain, you will need to modify the //@ include line of the source code to match your instance.

It checks to make sure it is on the permissions page. I do this as a sanity check and to make it easier for someone to incorporate into the global custom JavaScript for their instance. I have not tested this in our global JavaScript since we have few administrators and all of them are already running other Canvancements that require a User Script manager, but it may be as simple as dropping it into your file.

There is a check to make sure the tabs for the course roles and account roles exists. In my development, it was always there before it got to my code, but it wasn't there in the HTML of the page and is loaded dynamically, so I thought it best to check. I don't know if the checking part actually works since it was always there for me, but I suspect that it does as it was fairly boilerplate.

It makes sure that you're not clicking on the edit or delete icons that Canvas has. It will work if you click on the role label or if you click in the table heading around the label but miss the actual label.

I could have taken the heading that you clicked in and worked up the DOM to find the table that it belongs to. Instead I used the sample code to find the table based off the portion that was visible at the time with the aria-hidden=false attribute. I did it this way so that if someone wanted to use the other code that I had for hiding the other columns, they could replace a single function with the supplied code and have that functionality.

New! July 9, 2018 
Posted by Erin Hallmark: Permissions Name Updates (2018-07-14 Canvas Release) - the Permissions page includes updates to permissions names, which have also been grouped according to function. No permissions functionality has been affected.
The new User Interface for the Permissions Page will hit production with the July 14th, 2018 update.

You can find when Canvas updates a permission by following Canvas Permission Updates.

Granular Permissions now has a Canvas Studio area: Priority: Granular Permissions 

Exciting new update:  

See Granular Permissions Designs for information about work currently being done based on our feedback to implement changes to permissions to make them more granular!

Background

The original Feature Idea that kicked off all of these was posted by  @kona  with 306 votes and was archived because it was too general of a request.  It was also one of the Top Two Most Important Feature Ideas/Bugs/Issues for Canvas Admins.  Now on PRODUCT RADAR.

cms_hickss made another feature idea:  which was also deemed too general.  This kicked off a lot of other feature ideas, which are listed below. 

(archived) and the later   (Product Radar) would make permissions much easier for admins to manage.

Blog Post on Let's Talk More Granular User/Role Permissions which discusses the difference between user roles and permissions and what exactly is meant by the word granular.

Need and Rationale

Permissions is/are a big deal for institutions and when we have no ability to control permissions it creates a lot of extra work for admins and instructional technologists fixing what people break on accident.

These permissions requests adds up to hours of work each week either cleaning up messes or not giving people access to things because the permissions are so broad that we can't give them access, which then means that the work falls back onto canvas admins or instructional technologists.  Either way, we need a better way of granting/controlling permissions for users.  JS and CS overrides do not work consistently and are ineffective for enforcing permissions to view buttons, etc.

March 2016 update from Allison Weiss

This idea will be considered, along with several others, when we engage in a deep dive and audit of our permissions in Canvas this coming summer. If you are interested in participating in this discussion, please shoot me an email: allison@instructure.com As we consider all of the possible permission granularity requests (see Canvas Permissions and Granularity Feature Ideas), we will be considering a number of different factors, including the COST and the BENEFIT of making a change:

THE COST

What extra work will be required in the Canvas app if we break out this permission?

What is the level of engineering effort required to implement this permission split?

What will it mean for us to support this new permission indefinitely as we add new features?

THE BENEFIT

What use cases would this granular permission support?

How many of our existing customer require support for each of those use cases?

These are not the only considerations, but I mention this line of reasoning because between now and the summertime when we start to dig deep into this topic, voters on this thread have a big role to play in persuading us of the potential benefits to admins and users. Your votes and comments will help us to measure the percentage of our customer base that will actually use the permission split, if implemented.

Bottom line: Keep those votes, comments and use cases coming! They will be very valuable when it comes time to decide which requests to prioritize.

July 27 Update from  @Renee_Carney 

Greetings, Partners on Permissions

Thank you for the time, energy, experience, and knowledge you have put into these threads. The granulated permissions threads have been open and gathering information for almost a year now. This extra time has allowed  our team to collect important feedback and perspectives. Each of the permissions threads contain valuable stories that will help inform development if/when a project is allocated for. Having worked with Allison on these, and now working with Matt G., I know that the product team is sincerely interested in improving permissions, however the magnitude and impact of such a project does not make it one that is easy to squeeze in. We will be archiving these permissions threads for now.  Archiving these threads does not mean they are forgotten; they are set aside, while they are inactive projects on our roadmap. The ideas are monitored, so you can continue to add your examples and use cases to the dialogue. Please follow this thread to receive updates when they are available.

Again, thank you for the rich conversation!

Permissions/Granularity Feature Ideas

Here are some other things related to Permissions that may be useful:

TAs can now edit course settings?

Student view as a permission

Canvas Permissions for Specific Roles - Share Yours!

Hidden Canvas Permissions

Manage Profile Pictures - Permissions

Further customize instructor permissions

Course Role Permission to create Announcements?

Attendance role and permissions

What does every permission setting impact?

How to set the course details page as read only for faculty??

What does every permission setting impact?

Read SIS Permission What does this allow?

Remove "delete course" permission from teacher

What admin features would you like to see?

Help with a custom JS File??

Account Role - Permissions to view gradebook

ADA Mentor Access Role

Needed Permissions to Allow only Rubric and Outcome

managing student permissions to see folders and upload into them

Is there a permissions setting I can adjust so that a user with "Teacher" role cannot edit the name ...

What permissions trigger Commons admin access?

Sub-account admins being denied permissions

Sub-Account Admin Permissions 

Permissions for Head of Faculty 

Create roles/permissions at the course level

How can I prevent teachers editing the course homepage? 

Are your students able to hack a hidden People page?

James Jones posted How do I see all users that have been added to subaccounts as admins? with a cool way to get a list of all of the admins and sub-account admins.

Canvas Beta Release Notes (2016-03-21)

The good:  Account Roles:  Import SIS Imports and Manage SIS Imports separated!

The bad:   Permanently Delete this Course added to the Change Course State

See Comments:  if we could include this function into the User Permissions options then each school could control which roles have access to performing this function ( Help Admins, Teachers, T.A.'s, Students) I can see this curing a lot of concerns.

Other Important Things to Remember with Roles
When you copy/duplicate an out of the box role it carries with it the category that it was copied from. In other words, if you duplicate the Teacher Role and name it "Principal" (both name and SISID) and then assign that role to a user, other users (including students) will see that user listed under "Teachers" in the People Tool and in the Conversations Tool.
This is bad. Why? Because a student might not know that Person X isn't really a teacher assigned to that course/section and that this person should not be contacted if you have questions or need help with course content.
Newly created roles should not automatically be assigned to the same role category as the role it was duplicated from. 

 New!  Granular Permissions now has a Canvas Studio area: Priority: Granular Permissions 

Posted by Erin Hallmark: Permissions Name Updates (2018-07-14 Canvas Release) - the Permissions page includes updates to permissions names, which have also been grouped according to function. No permissions functionality has been affected.
The new User Interface for the Permissions Page will hit production with the July 14th, 2018 update.

Most publishers need to do certain things like see the list of users, manage assignments and quizzes, manage content, and edit grades but shouldn't have access to things like becoming other users or creating new courses.  Other vendors need a more limited data set where they see information inside courses but don't need to write information into a course.

Below are two of my standard account roles that I use for third-party vendors depending on what they need to access:

Vendor (read/write) 

•    Read SIS data
•    View statistics
•    View the list of courses
•    Add, edit and delete events on the course calendar
•    Edit grades
•    Manage (add / edit / delete) assignments and quizzes
•    Manage (add / edit / delete) course files
•    Manage all other course content
•    Manage learning outcomes
•    Manage wiki (add / edit / delete pages)
•    See the list of users
•    View all grades
•    View all students' submissions and make comments on them
•    View course content
•    View the group pages of all student groups
•    View usage reports for the course

Vendor (read-only)

•    Read SIS data
•    View statistics
•    View the list of courses
•    See the list of users
•    View course content
•    View discussions
•    View usage reports for the course

This document was generated from the following discussion: Vendor Roles?