Found this content helpful? Log in or sign up to leave a like!
Hi @jlee16,
I'll try to give the best answer I can without going super far in the weeds in this...
Essentially, when a 3rd party tool is launched from Canvas via the LTI standard, some information about the user, course, etc is sent to that 3rd party tool so it can determine how to function for the user. One of the core elements involved is the user's roles. This sounds pretty simple, but the devil is in the details...
As you know, a user can have different roles in different courses (a student in one course, a TA in another, a teacher in a third, etc). This is very handy as it matches many realities in the real world where people can have multiple roles, but it can also lead to confusion for 3rd party tools. There are three different categories of role info that are required by the LTI standard. ..
The first is the "system" role, which in almost every case I know for a logged in user with Canvas will have a value of "person#user". The second is the "membership" role (only used when launching from within a course), which would be a user's course level base role, such as membership#Instructor". The third one, which tends to be where issues come is, is the "institution" role... The institution role will be any role the user has in any Canvas course they belong to, and will also indicate if they are an admin. To illustrate a real-world example, I'm pasting a screenshot of what is sent to 3rd party tools for me (I'm a root Canvas admin, and have also added myself as a teacher and a student in various courses)
So as you can see, the tool sees that I have 3 institution roles (Administrator, Instructor, and Student), along with my system role of User and my membership of Instructor (this launch info is from a course where I'm a teacher).
So tools developers get all of this info and have to decide which role to look at to figure out what sort of access to give that user in their tool. A lot of admins heavily suggest that developers use the membership role, as it is the most specific info about the user from where they launched the tool. If the tool only works in the course, that's a viable option. However, tools which are placed in areas outside of a course (like global navigation or user navigation) won't have that membership value to look at. This is where the issue can creep in... If a user is only a student everywhere, there will only be a student role sent, and the tool can easily know to give them whatever a student should see. If the user is a student in one course and a teacher in another, the tool has to decide which of those to use (and usually pics the role with the greater access). So there are times where a student who's added as a TA or Teacher to provide assistance or work on a project will get more access to third party tools, even within courses (because the tools don't all use the membership role, even if it's available), than they really should.
So in closing, this isn't really an API issue at all, but I only mentioned it around the API request because the original poster had asked about getting elevated permissions to use more of the API than their normal role would allow.
I hope this makes sense and helps you out a bit. Feel free to reply if you have any questions or need additional detail on any of this!
-Chris
To interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in
