At the moment an LTI tool can find out the role of a user in Canvas (eg Teacher/Student/TA), or the LTI role that the user has. For lots of LTI tools this is enough, however when a tool integrates tightly with Canvas (eg using a API Developer Key) it's helpful to know what permissions a user has. This can allow a tool to disable functionality and provide a much better user experience. As an example we have a locally developed tool that allows user to upload some files into Canvas using a API Developer Key. When a user launches the tool we don't know if they have permission to actually upload files (while roles are a rough guide if the permissions are changed in lower sub-accounts they might not be accurate) and so the user can end up getting an error after attempting the upload. If we knew earlier we could have presented a nice message indicating that the functionality wasn't available because they don't have the upload permission.
In https://github.com/instructure/canvas-lms/commit/bb6bd0aeace148d1b6aa8a6291a3d0476a7d9661 an internal variable expansion was added that allows permissions to be added to the custom variables passed across to a tool. It would be useful if this variable expansion could be promoted from an internal one to be full documented.
