Canvas Permissions and Granularity Feature Ideas

millerjm
Community Champion
47
17095

New! July 9, 2018 

  • Posted by Erin Hallmark: Permissions Name Updates (2018-07-14 Canvas Release) - the Permissions page includes updates to permissions names, which have also been grouped according to function. No permissions functionality has been affected.
  • The new User Interface for the Permissions Page will hit production with the July 14th, 2018 update.

You can find when Canvas updates a permission by following Canvas Permission Updates.

Granular Permissions now has a Canvas Studio area: Priority: Granular Permissions 

Exciting new update:  

See Granular Permissions Designs for information about work currently being done based on our feedback to implement changes to permissions to make them more granular!

Background

The original Feature Idea that kicked off all of these was posted by  @kona  with 306 votes and was archived because it was too general of a request.  It was also one of the Top Two Most Important Feature Ideas/Bugs/Issues for Canvas Admins.  Now on PRODUCT RADAR.

cms_hickss made another feature idea:  which was also deemed too general.  This kicked off a lot of other feature ideas, which are listed below. 

(archived) and the later   (Product Radar) would make permissions much easier for admins to manage.

Blog Post on Let's Talk More Granular User/Role Permissions which discusses the difference between user roles and permissions and what exactly is meant by the word granular.

Need and Rationale

Permissions is/are a big deal for institutions and when we have no ability to control permissions it creates a lot of extra work for admins and instructional technologists fixing what people break on accident.

These permissions requests adds up to hours of work each week either cleaning up messes or not giving people access to things because the permissions are so broad that we can't give them access, which then means that the work falls back onto canvas admins or instructional technologists.  Either way, we need a better way of granting/controlling permissions for users.  JS and CS overrides do not work consistently and are ineffective for enforcing permissions to view buttons, etc.

March 2016 update from Allison Weiss

This idea will be considered, along with several others, when we engage in a deep dive and audit of our permissions in Canvas this coming summer. If you are interested in participating in this discussion, please shoot me an email: allison@instructure.com As we consider all of the possible permission granularity requests (see Canvas Permissions and Granularity Feature Ideas), we will be considering a number of different factors, including the COST and the BENEFIT of making a change:

THE COST

What extra work will be required in the Canvas app if we break out this permission?

What is the level of engineering effort required to implement this permission split?

What will it mean for us to support this new permission indefinitely as we add new features?

THE BENEFIT

What use cases would this granular permission support?

How many of our existing customer require support for each of those use cases?

These are not the only considerations, but I mention this line of reasoning because between now and the summertime when we start to dig deep into this topic, voters on this thread have a big role to play in persuading us of the potential benefits to admins and users. Your votes and comments will help us to measure the percentage of our customer base that will actually use the permission split, if implemented.

Bottom line: Keep those votes, comments and use cases coming! They will be very valuable when it comes time to decide which requests to prioritize.

July 27 Update from  @Renee_Carney 

Greetings, Partners on Permissions

Thank you for the time, energy, experience, and knowledge you have put into these threads. The granulated permissions threads have been open and gathering information for almost a year now. This extra time has allowed  our team to collect important feedback and perspectives. Each of the permissions threads contain valuable stories that will help inform development if/when a project is allocated for. Having worked with Allison on these, and now working with Matt G., I know that the product team is sincerely interested in improving permissions, however the magnitude and impact of such a project does not make it one that is easy to squeeze in. We will be archiving these permissions threads for now.  Archiving these threads does not mean they are forgotten; they are set aside, while they are inactive projects on our roadmap. The ideas are monitored, so you can continue to add your examples and use cases to the dialogue. Please follow this thread to receive updates when they are available.

Again, thank you for the rich conversation!

Permissions/Granularity Feature Ideas

Feature IdeaStatusInstructure Response/Related Ideas
New Tool with one permission: 

Blueprint Courses (create / edit / associate / delete)

No Idea OpenedTool added with singular permission to system in July 2017.

radar-icon1.png

Product Radar

[163 votes]

It is clear that the accidental deletion of files is the biggest concern here. As I research a possible solution, is it safe to say that leaving Add and Edit permissions together would not be a concern?

radar-icon1.png

Product Radar

[144 votes]

This seem like another situation where the primary concern is the delete functionality. I will see what kind of effort this would be and will post an update there.

radar-icon1.png

Product Radar

[176 votes]

It seems like most of the concerns regarding this permission are related to the deletion of course sections. If users were limited from deleting SIS created sections, would that solve the problem without further changes?

radar-icon1.png

Product Radar

[123 votes]

January 2016 update from Mccall Smith:

After doing some research we have determined that there is a need for unbundling several permissions. The permissions project is a bigger beast than I originally thought. I know this isn't something we will be able to work on for next 3-6 months but will revisit this.

radar-icon1.png

Product Radar

[182 votes]

Are there other reasons certain users need to be able to add a user to a course but not remove the same student from the same course? If not, I'm inclined to archive this issue.

radar-icon1.png

Product Radar

[144 votes]

February 2016 update from Allison Weiss:
Thanks, everyone for your comments. I will archive this idea for now. But the big takeaway here is that the DELETE permission should generally exist apart from the CREATE and EDIT permissions. Lesson learned and we'll see how we might apply that principle going forward.

radar-icon1.png

Product Radar

[166 votes]

January 2016 update from Jason Sparks:
Thank you all for the additional feedback.  I do understand your need.  We are looking at how we can prioritize this in all of the additional work planned for 2016.  I do not have a timeline, but will share more when I am able.

radar-icon1.png

Product Radar

[146 votes]

...I have a follow-up question to your use case of students moderating class discussions. Does that mean that for one discussion and one discussion only, you would like to set a student as a "Discussion Leader"? Or is this more like a TA where you have a permission set that persists throughout the course?

radar-icon1.png

Product Radar

[155 votes]

I understand the reasons why it would be helpful to separate out the delete permission. I'm looking into how big the effort would be and will post an update here.

radar-icon1.png

Product Radar

[217 votes]

It seems like the group consensus is that it would be more important to separate out the "remove" permission more than separating the management of teachers from the management of TAs and Course Designers. Would that be a fair description? If there were two permissions, "Add other teachers, course designers, TAs, and Observers to the course" and "Remove teachers, course designers, TAs, and Observers from the course" would that be sufficient for your institution?

radar-icon1.png

Product Radar

[158 votes]

February 2016 update from Allison Weiss:

Thanks, everyone for your comments. This is an idea I will archive for now. But the big takeaway here is that the DELETE permission should generally exist apart from the CREATE and EDIT permissions. Lesson learned and we'll see how we might apply that principle going forward.

Archived

[13 votes]

Commons Permissions (Account Roles)

225188_pastedImage_1.png

Cold Storage

 

[15 votes]

New account level permission needed, "View sub-account" permission

225188_pastedImage_1.png

Cold Storage

[17 votes]

Permissions for Designer or TA role to upload SCORM content

225188_pastedImage_1.png

Cold Storage

[3 votes]

A permission setting that controls whether a particular role will receive notifications and announcements

225188_pastedImage_1.png

Cold Storage

[5 votes]

In Account level Groups, allow more permissions Leader vs. User

225188_pastedImage_1.png

Cold Storage

[19 votes]

Course level permission to view all course content

225188_pastedImage_1.png

Cold Storage

[closed without voting]

Was told this should be part of

Separate permissions for course developing and course delivering

225188_pastedImage_1.png

Cold Storage

[closed without voting]

Was told this should be part of

TA to have grading access but not gradebook access

225188_pastedImage_1.png

Cold Storage

[12 votes]

Commons Admin - Need option to give access by role

225188_pastedImage_1.png

Cold Storage

 

[16 votes]

Disable Changing Course Start and End Dates

225188_pastedImage_1.png

Cold Storage

[19 votes]

Disable Changing Start/End Dates

Disable Changing Start/End Dates

225188_pastedImage_1.png

Cold Storage

[15 votes]

Disable Changing Course Start and End Dates

Outcome Delete Permissions for Teacher Role (Course-Level)

225188_pastedImage_1.png

Cold Storage

[6 votes]

Masquerade as View-Only or Options

225188_pastedImage_1.png

Cold Storage

[21 votes]

Remove "Students" from inbox list when "Send Messages" permissions are disabled

225188_pastedImage_1.png

Cold Storage

[4 votes]

Limit visibility to Section Users

225188_pastedImage_1.png

Cold Storage

[48 votes]

Not authorized to view the specified document 2879

??? - Is this completed by Canvas Production Release Notes (2017-04-01) ?  I can't read the feature idea since it's in cold storage.

Let observers see discussion comments for only their student

225188_pastedImage_1.png

Cold Storage

[14 votes]

In Permissions, Add View Files and Access Class Rolls

225188_pastedImage_1.png

Cold Storage

[5 votes]

In Permissions, Separate "View Grades" into 2 Permissions

225188_pastedImage_1.png

Cold Storage

[12 votes]

radar-icon1.png

Product Radar

[105 votes]

Filter Terms: Sub-Account Admins Should Only See Terms For Their Sub-Account

225188_pastedImage_1.png

Cold Storage

[12 votes]

a way to see student view for each student

225188_pastedImage_1.png

Cold Storage

[62 votes]

radar-icon1.png

Product Radar

[153 votes]
Protect students-->Make "send messages to individual users" a more granular permission

225188_pastedImage_1.png

Cold Storage

CompletedCanvas Production Release Notes (2017-04-01) 
Permission Settings Report or Extract

225188_pastedImage_1.png

Cold Storage

In Permissions, Add a "View Only" Permission after Course Conclusion

225188_pastedImage_1.png

Cold Storage

Include file permission options when uploading files via Content Selector.

225188_pastedImage_1.png

Cold Storage

Details no longer viewable [39 votes]
Protect students-->Make "send messages to individual users" a more granular permission

225188_pastedImage_1.png

Cold Storage

Details no longer viewable
https://community.canvaslms.com/ideas/8201 

Archived

[12 votes]

https://community.canvaslms.com/ideas/8354 

Archived

[11 votes]

https://community.canvaslms.com/ideas/7943 

https://community.canvaslms.com/ideas/6389 

Archived

[40 votes]

Archived

[32 votes]

https://community.canvaslms.com/ideas/2477 

Archived

[12 votes]

https://community.canvaslms.com/ideas/9044-blueprint-permissions-make-them-exclusive-for-course-edit... 

Open for Voting

 https://community.canvaslms.com/ideas/8987-allow-observer-permission-to-view-analytics-pages 

Open for Voting

https://community.canvaslms.com/ideas/9332-account-role-with-no-elevated-access 

Open for Voting

https://community.canvaslms.com/ideas/8322 

Archived

[16 votes]

https://community.canvaslms.com/ideas/3282 

Archived

[29 votes]

https://community.canvaslms.com/ideas/4639 

Archived

[17 votes]

https://community.canvaslms.com/ideas/7917 

Archived

[7 votes]

https://community.canvaslms.com/ideas/1051-default-notification-settings-profiles-by-user-role 

Open for Voting

https://community.canvaslms.com/ideas/8354 

Archived

[11 votes]

https://community.canvaslms.com/ideas/8695-select-all-permissions-option 

Open for Voting

https://community.canvaslms.com/ideas/8338 

225188_pastedImage_1.png

Cold Storage

[33 votes]

https://community.canvaslms.com/ideas/8350 

Archived

https://community.canvaslms.com/ideas/7424 

Archived

https://community.canvaslms.com/ideas/4382 

Archived

[4 votes]

https://community.canvaslms.com/ideas/7222 

Archived

[39 votes]

https://community.canvaslms.com/ideas/3436 

Archived

[15 votes]

https://community.canvaslms.com/ideas/7048 

Archived

Determined to be a bug, no update. 
https://community.canvaslms.com/ideas/2468 

Archived

[13 votes]

https://community.canvaslms.com/ideas/1566 Archived
https://community.canvaslms.com/ideas/8806-course-level-permissions-for-startend-date Open for Voting
https://community.canvaslms.com/ideas/6088" modifiedtitle="true" title="Protect students-->Make "... 

Archived

[4 votes]

https://community.canvaslms.com/ideas/5892 

Archived

[18 votes]

https://community.canvaslms.com/ideas/5911 

Archived

[9 votes]

https://community.canvaslms.com/ideas/7504 

Archived

[2 votes]

https://community.canvaslms.com/ideas/2017 

Archived

[37 votes]

COMPLETED

Also similar to this archived idea:  

Add new role permission - Post to Announcements

COMPLETEDCanvas Production Release Notes (2016-11-19)
COMPLETEDCommons Release Notes (2015-11-23)
COMPLETEDSeems to have been changed in April 2016 sometime.  Not in release notes.
COMPLETEDCanvas Production Release Notes (2017-04-01) 

Here are some other things related to Permissions that may be useful:

TAs can now edit course settings?

Student view as a permission

Canvas Permissions for Specific Roles - Share Yours!

Hidden Canvas Permissions

Manage Profile Pictures - Permissions

Further customize instructor permissions

Course Role Permission to create Announcements?

Attendance role and permissions

What does every permission setting impact?

How to set the course details page as read only for faculty??

What does every permission setting impact?

Read SIS Permission What does this allow?

Remove "delete course" permission from teacher

What admin features would you like to see?

Help with a custom JS File??

Account Role - Permissions to view gradebook

ADA Mentor Access Role

Needed Permissions to Allow only Rubric and Outcome

managing student permissions to see folders and upload into them

Is there a permissions setting I can adjust so that a user with "Teacher" role cannot edit the name ...

What permissions trigger Commons admin access?

Sub-account admins being denied permissions

Sub-Account Admin Permissions 

Permissions for Head of Faculty 

Create roles/permissions at the course level

How can I prevent teachers editing the course homepage? 

Are your students able to hack a hidden People page?

James Jones posted How do I see all users that have been added to subaccounts as admins? with a cool way to get a list of all of the admins and sub-account admins.

Canvas Beta Release Notes (2016-03-21)

The good:  Account Roles:  Import SIS Imports and Manage SIS Imports separated!

The bad:   Permanently Delete this Course added to the Change Course State

See Comments:  if we could include this function into the User Permissions options then each school could control which roles have access to performing this function ( Help Admins, Teachers, T.A.'s, Students) I can see this curing a lot of concerns.

Other Important Things to Remember with Roles

When you copy/duplicate an out of the box role it carries with it the category that it was copied from. In other words, if you duplicate the Teacher Role and name it "Principal" (both name and SISID) and then assign that role to a user, other users (including students) will see that user listed under "Teachers" in the People Tool and in the Conversations Tool.

This is bad. Why? Because a student might not know that Person X isn't really a teacher assigned to that course/section and that this person should not be contacted if you have questions or need help with course content.

Newly created roles should not automatically be assigned to the same role category as the role it was duplicated from. 

New!  Granular Permissions now has a Canvas Studio area: Priority: Granular Permissions 

  • Posted by Erin Hallmark: Permissions Name Updates (2018-07-14 Canvas Release) - the Permissions page includes updates to permissions names, which have also been grouped according to function. No permissions functionality has been affected.
  • The new User Interface for the Permissions Page will hit production with the July 14th, 2018 update.
47 Comments
kona
Community Coach
Community Coach

Wow! What a great document! Thank you for putting this altogether!

cms_hickss
Community Coach
Community Coach

 @millerjm ​, all in one document, awesome!

millerjm
Community Champion
Author

We are having the Florida CanvasCon 2016 at  UCF next week so I'm hoping to get some buy-in there...  Smiley Happy

millerjm
Community Champion
Author

Thanks for the edits!

erinhmcmillan
Instructure Alumni
Instructure Alumni
millerjm
Community Champion
Author

Thanks, Erin!  I've updated the document with this information!

erinhmcmillan
Instructure Alumni
Instructure Alumni

Hello anyone following this document,

I also posted this info as a comment in Canvas Beta Release Notes (2016-03-21)​, but just in case:

Our product manager, Allison, is starting a focus group this summer designed to explore granular permission enhancements. This group of admins would help the Canvas product team understand more details about permissions, including use cases for the permission and how they are using a permission. Product can then explore the engineering effort required to effectively implement and support those permissions. If you are passionate about permissions and are interested in being part of this admin group, please email Deactivated user (her email address is in her profile).

Thanks!

Erin

millerjm
Community Champion
Author

This is the sort of information that would assist in getting these changes made during this permissions audit.  This information would need to be added as comments to the individual feature ideas, and if it needs to be modified and pasted to more than one, then please do that.  I know it's tiresome to post the same thing again and again, even though someone else has already done it, but they need to see that it's not just 5 people with these issues!  Some of the reason we haven't gotten much traction because we haven't had enough use cases posted. 

  • What has the current user permissions "bundling" and lack of granularity cost you in terms of support and functionality?
  • What permissions have you HAD to grant to someone simply to allow them to be able to do their job, that you would have rather NOT given?
  • What permissions have you had to DENY giving someone because it gave them access to something that you could not due to security, concern about causing trouble, etc.?
  • What other qualms do you have about this permission?  Do you have any experience in a prior LMS that is somehow related to this permission?
  • What things have cost you more in staff hours because of denying access to someone, means that your department had to research, do work, etc, on behalf of a user that would have been able to do their work if the permissions were granular?
erinhmcmillan
Instructure Alumni
Instructure Alumni

Joni,

I've already shared this document with Allison (and she thinks it is great), so I don't think you need to put these in each of the individual feature ideas.

Thanks!

Erin

KristinL
Community Team
Community Team

This is an amazing list of permissions. It is very helpful to see it organized! Thanks Joni for creating this document. I look forward to collaborating!

cms_hickss
Community Coach
Community Coach

I did notice that as  @Renee_Carney ​ was archiving the permission ideas that was not among them. I'm hoping that means because the new Quiz Tool is being worked on that granular permissions (for the new tool) are being created at the same time.

khirschmann1
Community Novice

I would add a suggest that group leaders should be able to open up a conversation with all group members in one click instead of having to add all group members one at a time to a conversation.  Teacher's can send messages to "All in Students" or all in individual groups, but students can't.

millerjm
Community Champion
Author

Kenny Hirschmann, please open up a separate feature idea for this so that it can go through the voting process... this is simply a compilation of anything that has been suggested related to features.

I'll be happy to add it to this page once it exists!

millerjm
Community Champion
Author

 @Renee_Carney ​, has there been any update from the product team on any of these ideas?  Have any of them made the roadmap?

Thanks! 

chriscas
Community Coach
Community Coach

I just made a new feature idea for course start/end date permissioning at https://community.canvaslms.com/ideas/8338-permissions-for-course-date-settings" modifiedtitle="true....  Please upvote this if possible, as I think there's going to be an even bigger need for it with the new course end date functionality now testing in the Beta environment.  Even without this change, the need to have these boxes places behind a course role based permission has been a need for us for years!

cms_hickss
Community Coach
Community Coach

I have now created a Blog Post on Let's Talk More Granular User/Role Permissions which discusses the difference between user roles and permissions and what exactly is meant by the word granular.

cms_hickss
Community Coach
Community Coach

I'm going to mention it here just so that there's a note about it. The new tool Blueprint came with one set of permissions:

Blueprint Courses (create / edit / associate / delete)

Like the rest, this one too should be granular/separated into at least 4 separate permissions.

chriscas
Community Coach
Community Coach

I totally agree!  To be honest, I'm disappointed after all of the feedback that's been given about permission granularity that Instructure didn't make the permissions of a brand new feature granular to start with.  I understand going back and making existing permissions more granular will require a lot of work to find every case where the "old" permission was used and update it to a new granular version, but for a new feature this should have been done from the start!

Sorry to Instructure for venting here, but this has been a huge issue for Canvas Admins for multiple years and it's frustrating that hardly any action had been taken on this at all.

cms_hickss
Community Coach
Community Coach

I have updated this page to include a link to Canvas Permission Updates which you can follow to be alerted to when Canvas updates or adds a permission.

I've also added a warning about duplicating out of the box roles.

chriscas
Community Coach
Community Coach

Thanks for the update(s), cms_hickss‌!

As for the roles issue, I think some of the justification may come from the behind-the-secenes specs, especially for LTIs.  I'm pretty sure the "base role" is sent via LTI so that the external tools can somewhat figure out what each suer should be able to do in their systems without making admins configure all of the individual roles in each LTI.  We have been careful to create almost all of our custom roles from the base TA role, to avoid some of the student confusion you mentioned, and also help make sure https://community.canvaslms.com/community/answers/partners-platform/evaluationkit?sr=search&searchId..., our course evaluation tool, properly imports the exact rosters we want from Canvas.

I think what we really need is for Canvas to "hide" these base roles in the UI.  Instead of reporting the base role, report the custom role name given by the institution.  I think there would be some additional compute-time to do another database lookup, but it would certainly be worth it in my view.

Jeff_F
Community Coach
Community Coach

cms_hickss, eighteen months ago I didn't comprehend or appreciate the reason why there was so much interest in splitting these permissions apart.  At the time, due to the complexity I felt it would be a convolution of the permissions.  My view has changed since then as I have been seeing situations where my ability to provide solutions is being limited by the available permission set.  

I am wondering if the above are presented in priority order or if Canvas has such a list?  I am aware this was near the top of the priority list from the Khaki meeting but after reading all this here it isn't entirely clear to me which of these above are the most pressing. Out of curiosity, which of the above do you feel are the top five priorities? 

cms_hickss
Community Coach
Community Coach

My guess, and this is only a guess, that because of the way permissions currently sometimes rely on another permission to even work that there isn't a way to pick just 5 of them to split apart. If I was going to say, give us something to start with and this is want I want, then it would be getting the "delete" functionality out of group permission for all of them.

Also, my impression was that this was an item on the roadmap but that roadmap went all the way to 2019.

I believe that it was 6 sprints to get the basic needs done; plus another 6 to completely revamp how the page functions.

Jeff_F
Community Coach
Community Coach

The Delete is indeed a concern.  We implemented a layer of protection as we opted to hide the 'Delete Course' button within Settings from everyone via CSS.  But that is just one aspect of the total concern.  Thank you again for crafting these lists and all the effort put into keeping them updated and current.

Jeff_F
Community Coach
Community Coach

ps.  If I were asked to pick one to be done as a proof of concept it would be the following enrollment permission as issues related to this come up on a near weekly basis.

   In Permissions, Separate "Add/remove other teachers, course designers, TAs, and Observers to the cou...

mzucal
Community Contributor

I find the lack of action in Instructure's part to be disappointing as well. Being able to properly administer the LMS should be a priority.

millerjm
Community Champion
Author

I made some updates and added feature ideas that were missing or new from the document. 

There are several available for voting.  You can find them in the table above.  Sorry for it's lack of organization but it's become rather unwieldy due to the number of requests for changes to this essential administrative functionality of Canvas. 

Please also post any use cases or issues that have come up due to a lack of granular permissions in Canvas!

erinhmcmillan
Instructure Alumni
Instructure Alumni

Hello,

For everyone following this document, you may be interested in participating in this new product priority posted in the Canvas Studio space: Priority: Granular Permissions.

Thanks,

Erin 

hesspe
Community Champion

I agree, and have this to add.  In the summary it says:

It seems like the group consensus is that it would be more important to separate out the "remove" permission more than separating the management of teachers from the management of TAs and Course Designers. Would that be a fair description? If there were two permissions, "Add other teachers, course designers, TAs, and Observers to the course" and "Remove teachers, course designers, TAs, and Observers from the course" would that be sufficient for your institution?

I don't know about "consensus" but that is very much not the case for us.  We want to give teachers the ability to add TAs but not other Teachers.  Why? Because  Teachers can add other Teachers who can add other Teachers, and pretty soon it's "turtles all the way down."  As dense as this discussion is, I wonder if anyone will see this comment, and if not, how can I break through the "consensus" wall?

millerjm
Community Champion
Author

Peter, there is a lot more information at https://community.canvaslms.com/message/87795-granular-permissions-designs  about the current redesign of permissions.  I would encourage you to add your feedback there. 

vanzandt
Community Champion

Not sure where the best place to share this is, or how to link it for consideration in the Granular Permissions priority, but I thought folks here would at least have interest.  I just posted a feature idea for adjusting the course-level permission for Gradebook History.

https://community.canvaslms.com/ideas/10571-change-gradebook-history-permission 

cms_hickss
Community Coach
Community Coach

New Items

  • Posted by Erin Hallmark: Permissions Name Updates (2018-07-14 Canvas Release) - the Permissions page includes updates to permissions names, which have also been grouped according to function. No permissions functionality has been affected.
  • The new User Interface for the Permissions Page will hit production with the July 14th, 2018 update.
cesbrandt
Community Champion

My apologies if I missed the answer to this, but there is a LOT of content to this idea group. So, my question: will this revamp include updating the output to the ENV variable in JavaScript? The reason I ask is because, currently, all account-level roles assigned to account 1 are given the declaration of being "root_admin" and all other account-level role assignments are declared as "admin," with absolutely 0 consideration for the actual roles assigned.

Why does this matter? Well, with core Canvas it wouldn't. The only way this comes into play as an issue is with custom JavaScript that wants to add/remove/change functionality based upon the roles of a user. I'd say that nearly all of the manipulations of core Canvas functionality this would be used for are permission-related and are included in this idea group, but there's also custom functionality that could be added. We have various little code snippets to help make certain information easier to retrieve for certain roles (i.e., module IDs), but it's entirely unneeded by others.

The solution is to use API calls to lookup the actual roles assigned, but this won't consistently work due to the restrictions on the roles a user may have, requiring elevated access to the API. Obviously, this is a security risk in that it would require providing elevated credentials into client-side executable code, big no-no. Alternatively, a third-party server could be used to do the validation server-side, but that's excessive for so small a purpose.

millerjm
Community Champion
Author

Hi cesbrandt‌, thanks for the feedback.  Can you post a feature idea for this and I'll add it to this list.  I have not seen one directly covering what you mention, but those are definitely some great points that I'd forgotten about since there were so many other issues with permissions...

cesbrandt
Community Champion

Yeah, I wasn't sure if I'd simply missed it with the extensive amount of ideas involved in this, so I figured I'd ask before posting an idea about it. ^^'

I'll get that up in a bit. Smiley Happy

Edit (16:15 EST): Here it is: https://community.canvaslms.com/ideas/12436. I hope I was thorough enough in explaining the idea. ^^'

millerjm
Community Champion
Author

cesbrandt‌ - I added it to the list.  Thanks so much for the detailed explanation and use cases that you put into your idea!

khirschmann1
Community Novice

I'm not sure if this has been mentioned, but I don't understand why Discussions - Moderate needs to be checked in order to create announcements.  I thought the whole point of this request was to unbundle permissions.

erinhmcmillan
Instructure Alumni
Instructure Alumni

Hi, Kenny,

Discussions and Assignments still share some of their codebase, and completely breaking apart the permissions would be a separate project. Perhaps that's something they'll handle more specifically in the future. 

Thanks!

Erin

khirschmann1
Community Novice

Perhaps so, but I'm not talking about assignments, I'm talking about announcements.

erinhmcmillan
Instructure Alumni
Instructure Alumni

Sorry. I often type assignments when I mean announcements. Smiley Happy

judy_seiffert
Community Participant

I have read the feature ideas on this page and found them to be most helpful and would like to propose the following Feature Idea.

Root account admins need the ability to create custom roles to assign to specific users and not have the role available for others to assign.

  • Add one more category to the role_dim workflow_state indicating that the role is [custom]
  • Add a radio button to the New Course Role screen, 'Role Status' Custom.
  • If Role Status is marked as Custom the role is hidden/not listed for others to assign. 
  • Account Roles with the permission 'Permissions-manage' will be allowed to see roles with the Custom workflow_state in the list of roles to select. 
  • Course Roles with the permission(s) Users - add / remove students in courses & Users - add / remove teachers, course designers, or TAs in courses will note be able to see roles with the Custom workflow_state in the list of available roles to select. 
  • Why this is needed.  Offers more flexibility to root admins to customize roles for specific people, adds security to the system, eliminates the need for a custom java script. 

If this idea has already been posted, please let me know so I can vote up!

18shumwaysam
Community Novice

I would love to see Canvas Permissions and Granularity turn out looking somewhat similar to the scoping that's now available on developer keys. Our university has hesitations about giving third-party integrations access to add/edit/delete courses, users, groups, etc. when the apps only really need read access to the API's in those permission sets, but some of the integrations work best with access tokens and we're having a difficult time scoping user permission roles down enough that we're comfortable giving them out. Creating permission sets based on the individual API's seems like the best option in terms of clarity and granularity.

cms_hickss
Community Coach
Community Coach

As I seem unable to Edit the document today, but still want to share a little good news. I'm just adding it as a comment.

On Tuesday, July 23rd Canvas made a note on the https://community.canvaslms.com/ideas/1527-more-granular-permissions-for-admins?messageTarget=all&st... Idea.

We're assessing each permission 1 at a time.  Some are included in our product plan for Q3 2019 and will influence development within Canvas.

It comes with the additional caveat of:

Adding this idea to our product plan means we will be working on it, but it does not guarantee that it will be developed exactly as defined by the idea, or that it will be added to the production environment.
cms_hickss
Community Coach
Community Coach

[Edit 12:90pm ET] Renee Carney let me know that the update on the https://community.canvaslms.com/ideas/1527-more-granular-permissions-for-admins page was incorrect and permissions are NOT on the plan for Q3 2019.  Smiley Sad

vanzandt
Community Champion

Still shows up on the Priorities & Ideas page, but I guess if they are not working on it this quarter, then maybe we all different definitions for the term Priorities.  Smiley Happy  Thanks for keeping a close eye on this, and for keeping us all updated cms_hickss!

cms_hickss
Community Coach
Community Coach

If you have not seen Canvas Release Notes (2020-06-20), then you have missed the great news of the first set of permissions [https://community.canvaslms.com/ideas/2326-in-permissions-separate-manage-wiki-addeditdelete-pages-i... ] being separated into three!!

stelpstra
Community Champion

This document has been edited on 7 September 2018 for the last time, even though the topic is still highly relevant and some parts have recently been released, which is hopeful.

I'd like to add a new idea to the list https://community.canvaslms.com/ideas/17273-separate-permission-for-posting-grades-apart-from-editin... 

Please add your vote if you think this is a welcome addition!

erinhmcmillan
Instructure Alumni
Instructure Alumni

@millerjm if you're still maintaining this document, some of the links you used aren't redirecting (we didn't cover all of them). You may want to see what you can update directly in the document?

Thanks!

Erin