Community Help

YunyiZhang · ‎10-14-2022

We have created a Role with these permissions in Canvas:

Announcements - view
Conversations - send messages to individual course members
Course Content - view
Discussions - create
Discussions - post
Discussions - view
Grades - view all grades
Item Banks - manage account
SIS Data - read
Student Collaborations - create
Users - act as
Users - view list

Then we generated an "access token" for a user under that Role, and tried accessing the "/api/v1/users/:user_id/courses" API in this way: https://oohlala.instructure.com/api/v1/users/sis_login_id:abc@test.com/courses?access_token=****

The response is: { "status": "unauthorized", "errors": [ { "message": "user not authorized to perform that action" } ] }

In this document: https://canvas.instructure.com/doc/api/courses.html, we found this description

List courses for a user
GET /api/v1/users/:user_id/courses
Scope: url:GET|/api/v1/users/:user_id/courses
Returns a paginated list of active courses for this user. To view the course list for a user other than yourself, you must be either an observer of that user or an administrator.

We cannot find the permissions needed for the "administrator". Does anyone know what permissions we should add to our Role in order to access that API?

chriscas · ‎10-17-2022

Hi @YunyiZhang,

I can tell you that it works for me using a role with the following permissions:

Courses - view list

SIS Data - manage

SIS Data - read

Statistics - view

Users - manage login details

Users - view list

Users - view login IDs

Users - view primary email address

Some of those may be unnecessary, but it's the most limited admin role we have quickly available to test with. I think perhaps it's the view login IDs you need in addition to the view course list, as you're using the sis_login_id as part of your API query.

-Chris

View solution in original post

CanvasNeil · ‎10-16-2022

Try adding the "Courses - add / edit / delete" permission to your role.

chriscas · ‎10-16-2022

I'm guessing "Courses - view list" is probably needed, although it appears to be geared more towards course lists for an account than a user. I'd suggest trying it out.

-Chris

YunyiZhang · ‎10-17-2022

@CanvasNeil @chriscas

We tried adding the permissions you suggested:

Course Content - add / edit / delete
Courses - view list

It still doesn't work -- we got the same response: { "status": "unauthorized", "errors": [ { "message": "user not authorized to perform that action" } ] }

We also tried adding another permission:

Users - allow administrative actions in courses

And it still didn't work...

We noticed that if we add Role "Account Admin" which has all permissions to our user, we can indeed get a good response from the "/api/v1/users/:user_id/courses" API. But our customer doesn't want to grant us all the permissions, so we still need to figure out which permission is specifically needed for that API.

Is there any other permissions we should give it a try?

chriscas · ‎10-17-2022

Hi @YunyiZhang,

I can tell you that it works for me using a role with the following permissions:

Courses - view list

SIS Data - manage

SIS Data - read

Statistics - view

Users - manage login details

Users - view list

Users - view login IDs

Users - view primary email address

Some of those may be unnecessary, but it's the most limited admin role we have quickly available to test with. I think perhaps it's the view login IDs you need in addition to the view course list, as you're using the sis_login_id as part of your API query.

-Chris

YunyiZhang · ‎10-18-2022

Thank you @chriscas ! Your permission list worked for us. We did more testing to narrow it down, and it turned out that we only needed to add one permission from your list to our Role:

Users - manage login details

With that permission, the API started to work.

Thanks!

nbarnes · ‎11-28-2022

Thank you for updating this post with the needed privileges, Yunyi. We have had one of our vendors using the same token for years and then just last month they started getting the "unauthorized" message when attempting to use the courses API. We submitted a ticket with Instructure on October 19 but it has remained idle since then. We may try adding "Users - manage login details" to the account role we are using for this vendor, but only as a test. The details of what this permission allows include:

Allows user to create accounts for new users.
Allows user to remove and merge users in an account.
Allows user to modify user account details.
Allows user to view and modify login information for a user.

We don't believe we should have to grant all these things in order for our vendor to see a list of courses. It's very frustrating that our vendor has been able to access the courses API until recently without any problems, but we can't get any help from Instructure on how to resolve.

What permission is needed for the "GET /api/v1/users/:user_id/courses" REST API?

Canvas

Course access

Canvas Outcomes Report

Saving quiz results as a pdf in new update

Media Comment Windows Steals Focus

Images causing you sleepless nights? It's time to ...

Course access

Login Problems

Connect Front Page to a Course

Is this a FERPA Violation?

Canvas Outcomes Report

You're signed out

What permission is needed for the "GET /api/v1/users/:user_id/courses" REST API?

Community Help

View our top guides and resources: