Found this content helpful? Log in or sign up to leave a like!
			
				
					
						
							Item bank for new quizzes is a huge security risk
						
					
					
				
			
		
	
		
	
	
	
	
	
	
	
	
			
					
				
		
	
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am a noob to the new quizzes feature and how it does item banks. With that out of the way...
When I open the Item Banks link to build a new bank or look at existing banks, and I select "All Banks" I see ALL the banks from across my entire university. Hundreds of banks that are not mine that I did not create, and have nothing to do with my content area.
Worse yet, I can share, copy, edit, and delete any one of these banks.
This is a HUGE security risk and surely this isn't the way Instructure intends for item banks to work. I'm not finding much about it. This is a new thing to my local Canvas admins as well. This renders the new quizzes completely useless to me. All it takes is one unethical individual and thousands of banks are compromised. I'm not going to waste any more time building banks knowing that anyone can delete, edit, or share them.
I'm an IS professor and teach basic computer security, and this just can't be real. This is just mind boggling.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @chris_zimmer,
I'm a Canvas admin for my institution, and I can confirm this is a permission that your school/institution admins can adjust. We actually had this on (unknowingly) for years until one of our faculty members recently let me know they could access all of the banks. I worked with Instructure support on this, and they pointed out that we had the "Item Banks - manage account" permission enabled for our teachers. I disabled that and if fixed the issue. We've had New Quizzes (formerly Quizzes2) available for years, so I'm not sure is that permission got set that way initially or not, but your Canvas admins can definitely switch it off unless they have a good reason to leave it enabled.
Hope this helps!
-Chris
 
		
			 
					
				
		
 
					
				
		
 
					
				