Community help

olguin · ‎05-16-2025

Hello,

This is the first time in 5 years that I am creating a subaccount admin role and wanted advice from others. The default subaccount admin role has all permissions enabled. I've gone through all the permissions and although I know everyone's needs are different, are there any permissions that would suggest them not having? Any permissions that you would suggest I look over closely?

They need to be able to:

create courses
copy courses
assign user roles and permissions
provide support for that departments users
manage LTIs

Thanks for any advice!

Debbie

Jeff_F · ‎05-17-2025

Hello @olguin - below are the permissions that I would not enable -

Account-level settings - manage
Data Services - manage
Storage Quotas - manage (We do not change this - everyone gets 500MB. We ask for OneDrive be used for Files and Studio/ Stream for media content (i.e., larger files))

I recommend creation of guidelines ahead of enabling 'Admins - add/remove' and 'Permissions - manage'. For certain, everyone would need to be on the same page with assigning permissions. To share, we follow the least access privilege model which is partly explained here:

Restricting access: Users and processes should only have access to the data, resources, and functionalities they need to perform their designated roles.
Just-in-time privileges: Elevated privileges should be granted only when and for as long as they are required, then revoked.
Separation of duties: Tasks should be separated and performed by different individuals with distinct roles, further limiting access.
Auditing and monitoring: Regularly audit and monitor admin access to ensure compliance and identify potential issues.

I would also implement a shared change log where all subaccount admins documented notable changes to the LMS. For example, installation of an LTI to the subaccount, system settings changes, etc.

References:

https://community.canvaslms.com/t5/Canvas-Resource-Documents/Canvas-Account-Role-Permissions/ta-p/38...

https://csrc.nist.gov/glossary/term/least_privilege

View solution in original post

chriscas · ‎05-18-2025

Hi @olguin,

For our subaccount admin role, we have the following permissions disabled:

Admins - add / remove
Data Services - manage
Developer Keys - manage
Impact - Manage
Manage Account Calendars
Manage LTI
Reset Multi-Factor Authentication
SIS Data - import
Storage Quotas - manage
Users - Manage Access Tokens

In addition, we have the following permissions disabled for "official" SIS course subaccounts

Users - Students
Users - Teachers

As you said, everyone's wants and needs will probably be a little different here, but hopefully you'll have a shorter list of things to consider from the posts here.

-Chris

View solution in original post

Jeff_F · ‎05-17-2025

Hello @olguin - below are the permissions that I would not enable -

Account-level settings - manage
Data Services - manage
Storage Quotas - manage (We do not change this - everyone gets 500MB. We ask for OneDrive be used for Files and Studio/ Stream for media content (i.e., larger files))

I recommend creation of guidelines ahead of enabling 'Admins - add/remove' and 'Permissions - manage'. For certain, everyone would need to be on the same page with assigning permissions. To share, we follow the least access privilege model which is partly explained here:

Restricting access: Users and processes should only have access to the data, resources, and functionalities they need to perform their designated roles.
Just-in-time privileges: Elevated privileges should be granted only when and for as long as they are required, then revoked.
Separation of duties: Tasks should be separated and performed by different individuals with distinct roles, further limiting access.
Auditing and monitoring: Regularly audit and monitor admin access to ensure compliance and identify potential issues.

I would also implement a shared change log where all subaccount admins documented notable changes to the LMS. For example, installation of an LTI to the subaccount, system settings changes, etc.

References:

https://community.canvaslms.com/t5/Canvas-Resource-Documents/Canvas-Account-Role-Permissions/ta-p/38...

https://csrc.nist.gov/glossary/term/least_privilege

chriscas · ‎05-18-2025

Hi @olguin,

For our subaccount admin role, we have the following permissions disabled:

Admins - add / remove
Data Services - manage
Developer Keys - manage
Impact - Manage
Manage Account Calendars
Manage LTI
Reset Multi-Factor Authentication
SIS Data - import
Storage Quotas - manage
Users - Manage Access Tokens

In addition, we have the following permissions disabled for "official" SIS course subaccounts

Users - Students
Users - Teachers

As you said, everyone's wants and needs will probably be a little different here, but hopefully you'll have a shorter list of things to consider from the posts here.

-Chris

Subaccount Admin Permissions Advice

Admin

How to have 6 Mastery Levels when your Account is ...

Late penalty for discussion boards

Weighted grade books and transfer students' grades

Grades Disappearing from Rubric in SpeedGrader

Google Submissions Missing Annotation Tools in Spe...

How to have 6 Mastery Levels when your Account is ...

Change navigation menu items

Where are my files used?

Editing papers submitted via Canvas Assignment

student cannot open power point

You're signed out

Subaccount Admin Permissions Advice

Community help

View our top guides and resources: