Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Participant

Granular Permission Changes -- Impact on Existing Roles

Hi All,

Hope everyone's week is off to a great start!  I have been meaning to post something about this for a while in the community, but I wanted to share some of the issues we've been having with Instructure rolling out more granular permissions.  I know we were one of the louder voices pushing for this, and in my experience having a larger permission set allows for far better role customization (such as in Moodle, D2L, etc.).

We're a large district, four colleges, 5-7k classes, 70-80k unique users per term, and we run Canvas from one instance with a huge number of subaccounts.  That said, we had setup the roles in such a way were the sub-admins from each college had the appropriate permissions from within  their college subaccount, and had permissions at the top level, etc. (such as the ability to act as).  What has been happening lately is that as permissions are rolled out, some of what our roles have been able to do now is not possible.  We've worked with Instructure and have multiple cases open, but often we'll get responses that we need to add permissions to the roles we aren't comfortable with.

We have 27 different course/admin roles currently, and when for instance a subaccount admin no longer has permission to manage enrollment status in their courses due to a role they have at the account level in Canvas, that seems to be a usability issue.  The solution seems often to be adding additional permissions, but again we aren't comfortable with many of those, as the users have elevated permissions only for their college and other similar subaccounts (such as Dev, Clubs&Orgs, etc.).

Mainly I am wanting to see if other higher ed users have been seeing this as well.  There are so many functions in Canvas not tied to a specific permission but are dependent upon a number of other permissions being enabled.  If you do have a large number of roles or multiple colleges with different admins at each sharing an instance I would be curious to hear how you have been managing.

I do like that Instructure is listening to feedback and creating more granular permissions, it has just been  a bumpy road for us as we've already created so many roles based on what the permissions were initially.

Thanks for your time reading this!


Labels (3)
1 Reply
Community Participant

Hi Ken, permissions are a bit of a mine-field IMO. Especially due to those dependencies on other permissions that may or may not be required in order to complete an activity in Canvas. I think that even Instructure struggles to clearly document permissions themselves - we have those two PDFs to navigate:

I'm in higher education and we have at least 40 course and account roles across 100's of sub-accounts. Recently-ish, we decided we needed to completely review how we manage permissions and roles. It started out with a couple of Admins working on it and we were making slow progress. We started by applying a risk rating to each permission. That in itself was a big job as we had to develop a risk matrix first, and then go through every single permission and apply the rating. That is where we got up to. 

Our next steps are to be confirmed but we suspect we'll take a look at our roles again, but this time from a risk lens. At the same time, we'll need to work out what is the minimum set of permissions required in order for a user to complete an activity in Canvas. And then check that against our current role/permission set-up. Or something along those lines. 

Long story short, it turned out to be a massive job, and we have now got more resources involved in getting this sorted. If we have any break-through moments, and someone comes up with a simple way for us to manage this, I'd be happy to share it with you. Feel free to get in touch. 

I do love the more granular permissions too by the way. Keep that coming at us Instructure!