akshya
Community Participant

Using the "List account admins" endpoint with a custom admin role


Hi There,

I am a developer for an application which utilizes Canvas' REST APIs to get data related to users, user roles, course enrollments, etc. 

The focus of this post is to try and see if one of the available endpoints to detect admin roles would work with custom admin roles. Here is the scenario:

I use the "List account admins" endpoint (https://canvas.instructure.com/doc/api/admins.html#method.admins.index) to detect whether a given user has an admin role. I pass a user_id into the user_id[] parameter. Here is a sample GET request that the application makes:

GET api/v1/accounts/self/admins?user_id[]=462

The user 462 is set up as a custom admin role in this account. It is not using the standard "Account Admin" role, but it is using a custom admin role with a mostly matching set of privileges to AccountAdmin. However, making a GET request to the admins endpoint in this user's context produces a response with status 401 and the following message:

{"status":"unauthorized","errors":[{"message":"user not authorized to perform that action"}]}

The Canvas API documentation doesn't explicitly state exactly what privilege or authorization level is needed to make this request.

- How can we adjust our custom Admin role so that it is authorized to make a valid request to the admin endpoint?

- Can custom admin roles be detected using any other endpoints? I was unable to find any in the API documentation.


Accepted Solutions
James
Community Champion

@akshya 

Looking at the source code for the admins_controller.rb index function, the first line says that they must have manage_account_memberships permission. That doesn't help until you know what it does. I found that string in the role_overrides_controller.rb file, where it says that permission is the one needed to add or remove other admins.

That means that you would need to give the "Admins - add / remove" permission in order to use that API call. 

By the way, you can find the source code by clicking on the gray link next to the heading from the API documentation. In this case, it says AdminsController#index. The AdminsController is the name of the controller and the fragment #index tells you that you are looking for the index function. Once you click on that, it will open up the source code; then use the browser's find (Ctrl+F) to look for "def index".


3 Replies
agschmid
Community Contributor

I think you need to replace the "self" with the actual accountID of the account node in Canvas.

akshya
Community Participant

Thank you so much for the reply, @James !! That seems to have done the trick.

The role I was testing did not have the "Admin - add/remove" privilege turned on. Once I turned it on, the Admin API endpoint actually did respond with the expected data.

I could have sworn I did turn this privilege on earlier when I was troubleshooting (maybe I didn't, who knows at this point). But this leads me to wonder whether it takes some time for the new privileges to be saved and propagate across the system. Any ideas on this?

In any case, I really appreciate your reply here. It's been very helpful.

-Akshya
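
Added example, not part of any post in this thread and not Canvas code: a client-side check that builds the admins request from the question and keeps the 401 from the thread separate from a real "not an admin" answer, since that 401 describes the caller's missing manage_account_memberships permission rather than the user being looked up. The host canvas.example.edu, the role name CustomAdmin and the shape of the 200 body are constructed assumptions.

```python
import json
from urllib.parse import urlencode

# Permission James found in AdminsController#index; UI label "Admins - add / remove".
REQUIRED_PERMISSION = "manage_account_memberships"

# Body quoted in the question (401), plus a constructed 200 body for illustration.
UNAUTHORIZED_BODY = '{"status":"unauthorized","errors":[{"message":"user not authorized to perform that action"}]}'
SAMPLE_OK_BODY = '[{"id": 1, "role": "CustomAdmin", "user": {"id": 462}}]'  # constructed

def admins_url(base_url, account_id, user_ids):
    """Build the "List account admins" URL, repeating user_id[] once per user."""
    query = urlencode([("user_id[]", str(u)) for u in user_ids], safe="[]")
    return f"{base_url.rstrip('/')}/api/v1/accounts/{account_id}/admins?{query}"

def classify_admin_lookup(status, body, user_id):
    """Return (verdict, detail) for one user.

    verdict is "admin", "not_admin", "cannot_tell" (caller unauthorized) or "error".
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "error", f"non-JSON body (HTTP {status})"
    if status == 401 and isinstance(data, dict) and data.get("status") == "unauthorized":
        # Authorization failure of the caller, not a statement about user_id.
        return "cannot_tell", f"caller's role lacks {REQUIRED_PERMISSION}"
    if status == 200 and isinstance(data, list):
        roles = sorted({str(a.get("role")) for a in data
                        if isinstance(a, dict) and (a.get("user") or {}).get("id") == user_id})
        if roles:
            return "admin", "roles: " + ", ".join(roles)
        return "not_admin", "authorized request returned no admin record"
    return "error", f"unexpected response (HTTP {status})"

if __name__ == "__main__":
    print(admins_url("https://canvas.example.edu", "self", [462]))
    for status, body in [(401, UNAUTHORIZED_BODY), (200, SAMPLE_OK_BODY), (200, "[]")]:
        print(status, classify_admin_lookup(status, body, 462))
```

Because the permission that unlocks this endpoint is the one used to add or remove other admins, a token used only for role detection carries more privilege than the lookup itself needs.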