[External Tools] More granular course visibility customisation options to allow LTIs to be excluded

Problem statement:

In the course settings the option "Course - Visibility" allows users with the "Courses - change visibility" permission to open up the course to users who don't hold a course enrolment. Institution visibility allows users who are authorised on the Canvas site, but not enrolled on the course, to access the course via the course URL. However, their access is restricted so that they CANNOT see Grades, People, Discussions, Announcements. A user accessing this way CAN see Assignment titles, Quiz titles (but not the quiz questions) and course Pages to get a general feel of the course design and content. A user accessing this way can also access external LTI tools. The experience of the user varies between LTI vendors because it is up to the LTI tool vendor to decide how "No course role" is interpreted when the LTI is accessed. From 10 LTI tools we tested with Institutional visibility, three LTIs denied access, four LTIs mapped this to the LTI Student role, and two LTIs mapped this to the LTI Instructor role. In this last case, the user (not enrolled on the course) was able to change any of the LTI instance configuration such as editing LTI assessment descriptions, due dates, view solutions and everything else an Instructor would be able to do. Instructure cannot control how LTI vendors chose to implement the LTI specification and how Canvas roles are mapped to LTI roles and there is no expectation that they should.

Proposed solution:

When setting a course with Course - Visibility = Institution, there is an additional option to customise user access to the Syllabus and the Files in the course. For example, to prevent Institution access to the course Files. Extending these customisation options to include control over access to third-party LTIs would solve this problem and allow course designers to remove access to external LTIs from non-enrolled users. This would also prevent LTIs featuring assessments from being compromised by non-course members.

User role(s):

admin,instructor
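The role-mapping risk described in the problem statement, seen from the LTI tool's side, as an added example that is not part of the original post and is not Canvas's or any vendor's code. It assumes an LTI 1.3 launch whose roles claim, for a user with no course role, carries only institution- or system-level role URIs; the function names and sample launches are constructed for illustration.

```python
# Added example: deny-by-default mapping of LTI 1.3 role URIs to tool roles.
ROLES_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/roles"
MEMBERSHIP = "http://purl.imsglobal.org/vocab/lis/v2/membership#"
INSTITUTION = "http://purl.imsglobal.org/vocab/lis/v2/institution/person#"
SYSTEM = "http://purl.imsglobal.org/vocab/lis/v2/system/person#"

# Only context (course-level) membership roles grant anything in the tool.
CONTEXT_ROLE_MAP = {
    MEMBERSHIP + "Instructor": "instructor",
    MEMBERSHIP + "Learner": "student",
}


def loose_role(claims):
    """Hypothetical fail-open mapper: substring match plus a default role."""
    roles = claims.get(ROLES_CLAIM, [])
    if any("Instructor" in r for r in roles):
        return "instructor"  # also matches the institution-level Instructor URI
    return "student"         # everyone else is let in as a student


def resolve_tool_role(claims):
    """Return 'instructor', 'student', or None (refuse the launch)."""
    roles = claims.get(ROLES_CLAIM)
    if not isinstance(roles, list):
        return None  # missing or malformed claim: deny
    granted = {CONTEXT_ROLE_MAP[r] for r in roles
               if isinstance(r, str) and r in CONTEXT_ROLE_MAP}
    # Exact-match context roles only; with several, use the highest one held.
    for tool_role in ("instructor", "student"):
        if tool_role in granted:
            return tool_role
    return None  # no course-level role present: deny


# Constructed sample launches (only the roles claim is shown).
ENROLLED_INSTRUCTOR = {ROLES_CLAIM: [MEMBERSHIP + "Instructor",
                                     INSTITUTION + "Instructor"]}
ENROLLED_LEARNER = {ROLES_CLAIM: [MEMBERSHIP + "Learner"]}
# Assumption: staff member browsing a course they are not enrolled in.
NOT_ENROLLED = {ROLES_CLAIM: [INSTITUTION + "Instructor", SYSTEM + "User"]}

if __name__ == "__main__":
    for name in ("ENROLLED_INSTRUCTOR", "ENROLLED_LEARNER", "NOT_ENROLLED"):
        launch = globals()[name]
        print(name, "loose:", loose_role(launch),
              "strict:", resolve_tool_role(launch))
```

A tool that returns `None` here should reject the launch outright rather than fall back to a default role.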

1 Comment
nathanatkinson
Community Team
Status changed to: Open