Hi,

Bringing an interesting topic to the table. Our institution is quite new to Canvas, and are figuring out a lot of things as we go. We have quite a few vendors that request API access and most go through the channels of setting up a developer key and securely passing on that key to them.

This is the way we would prefer.

However, a few vendors are requesting to use user-generated bearer tokens instead. We would like to keep things secure and only give them access to what they need, so we generally do not want to generate a token from our Account Admin account and give them full access.

To combat this, we ask them to give us a list of permissions they would need to accomplish this, and set up a Role, that we tie with a user, to which is given an admin with that restricted role. (Doing so also requires that we generate a unique alias email since Canvas doesn't like users sharing emails.) Then we log in as that user, generate the token, and send it over to the vendor.

The issue is, the vendors don't really know what permissions are needed to create that role in Canvas, so they end up just sending out the API endpoints that they need. I don't know exactly which permissions grant those APIs, if there's any dependency needed from certain permissions. Are we setting ourselves up to overcrowd the amount of permissions in Canvas?

You can imagine the headache this is already starting to generate.

My question is, how do other schools handle these requests? Are we taking too cautious of an approach?

Any help is appreciated.