cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jmsmit49
Community Participant

Sub-Account Admin Privileges

Jump to solution

Canvas Admins Hello everyone! I realize I know the answer to this question deep down, but wanted to confirm with the brains in the community - 

The highest sub-account admin privileges can never create new user accounts in the institutional Canvas, only parent account admins can perform this function, correct? I created a test sub-account admin privilege where I enabled SIS-import in this specific sub-account but it looks like this specific admin still doesn't have access to this. I do know that he can add users into courses if they already have existing accounts. 

If someone has a special trick to give one single sub account admin the ability to create new accounts via .SIS import, I'm dying to know! 

My instance of Canvas is for Continuing and Professional Education, so our courses are non-credit based. We offer courses to a lot of private companies and I would like this particular individual to be able to upload these thousands of employees on his own without having access to our whole entire parent account, if that makes sense.

Thanks in advance! 

1 Solution

Accepted Solutions
jmsmit49
Community Participant

 @stuart_ryan ‌ Thank you for your response. Unfortunately, my institution doesn't have a lot of dev resources for this type of thing and I only have 1 use case so far (so maybe in the future if it comes up again). 

I ended up giving this user two admin permissions, one at the parent account level and one at the sub-account level. At the parent account level, I enabled SIS import privilege but removed any privilege related to changing anything master settings at the parent account or anything that could be harmful. And then I left the basis sub-account privileges the same. It's been working ok for now!

I will let you know if this becomes a possibility for my institution in the future. 

Thanks!

Jackie 

View solution in original post

8 Replies
william_dastrup
Community Participant

Hoping there is a way to do this even if it is through the UI.

stuart_ryan
Community Coach
Community Coach

Hi  @jmsmit49 ,

What you have proposed is my understanding also, in order to create users at the institutional level, you have to have admin privileges at the institutional level (not the sub-account). Update: In looking around for feature ideas that may have already existed I noted on the official documentation that this is confirmed How do I import SIS data to a Canvas account? 

The inner geek in me is thinking there is something you could put together using the APIs, but, it would require development and ongoing maintenance to support. Is that something your institution has the capacity to do?

Essentially, at my last institution, we built a separate and specific front end which would permit certain users to upload a CSV and then it would process it at the Institutional Level. This enabled us to work around such situations.

Having said that, the other avenue you could look at is a Feature Idea in the Canvas Studio space.  I did have a look and the only previous feature idea I could find was https://community.canvaslms.com/ideas/11593  which is in the https://community.canvaslms.com/groups/cold-storage group (you may need to request access to see items in here, if you can't already).

Unfortunately, that Feature Idea only garnered 7 upvotes. However, as with everything, times change, and sometimes a refresh and re-angling of Feature Ideas can mean more votes. Also, I very much think that the championing by the original author goes a long way too!

I hope that helps, please let us know if the development route is a possibility and I can share this with the appropriate groups to get some insight into that for you.

Hope that helps!

Stuart

We really wanted others to be able to create the users in the system in their specific parts of the organization, each in their own sub account.  We turned on open registration in the top account level settings.  This allows for someone in the sub-account to put in an email address for someone they want to invite to their class even if they do not have an account.  An email gets sent to that address that invites them to finish setting up their account. and then they are enrolled in the class.  Can anyone see a downside of doing it this way?

Hi Will -

Does your institution use Catalog? If so, that's the only downside I would see to this. For example, my institution uses catalog so we have open registration disabled because we collect enrollment data and revenue through catalog for reporting purposes. 

jmsmit49
Community Participant

 @stuart_ryan ‌ Thank you for your response. Unfortunately, my institution doesn't have a lot of dev resources for this type of thing and I only have 1 use case so far (so maybe in the future if it comes up again). 

I ended up giving this user two admin permissions, one at the parent account level and one at the sub-account level. At the parent account level, I enabled SIS import privilege but removed any privilege related to changing anything master settings at the parent account or anything that could be harmful. And then I left the basis sub-account privileges the same. It's been working ok for now!

I will let you know if this becomes a possibility for my institution in the future. 

Thanks!

Jackie 

View solution in original post

 @jmsmit49 ‌ I'm trying to follow along with what you've done. Just to confirm, you went into the Top Account >  Permissions > Accounts Roles tab, then Added Role, then locked that down to just SIS Import. Then, did you assign the one user account to two roles: the sub account Admin and the top account "admin" role? Or did you create two accounts for the one person?

Hi Jackie, that is awesome news that you came up with a workaround (and thank you for sharing). 

Zachary, that sounds like exactly what Jackie did, though I would mention you may need to expand just beyond that single permission (to give basic View access).

From what I understood from Jackie, it sounds like she started largely with a copy then removed all the account write permissions (but left the basic list and read access), you *may* need those basics to replicate the behaviour, hence wanted to mention that.

Hope that helps!

Stuart

jmsmit49
Community Participant

 @stuart_ryan ‌  @zachary_rose ‌ What you described up there is exactly what I did. I create copies of different account level permissions and tweak them per sub-account admin dependent on what they need to do within reason. I don't create 2 accounts for them.

Since account level permissions trump course level permission/sub-account permission, it didn't matter what I gave them at the lower level. Let me know if I can help clarify anything, happy to help!