Make the "Account-level settings - manage" permission more granular


We have been conducting security reviews of user roles in Canvas and want to redesign the roles to allow the minimum access necessary for individuals to still be able to complete their work.

We have repeatedly struck an issue with the "Account-level settings - manage" permission, where many roles need access to the subaccounts, some needing read-only access and others manage access. But this coarse-grained permission also enables some of the most critical features in Canvas: Authentication, Theme Editor, Account Settings and Terms.

In order to give sub-account access and withhold access to the other features we are proposing a JavaScript Theme filter that hides and inactivates the more powerful screen controls. This workaround is a last resort for us and will only keep users from making mistakes in the UI. It can still be bypassed by a malicious party and must also be maintained over time to avoid accidental exposure.

We need Canvas to implement more granular permissions for "Account-level settings - manage" to break it down for safer delegation. At a minimum, we would like sub-account access to be removed from this role. Does Canvas have any plans to do this?

10 Comments
david_heath
Community Member

yes! this is definitely much needed

Maeve_McCooey
Community Contributor

Yes, linked to this, it would also be great if the Canvas data portal link could be removed for those that do not have access to the portal due to its all or nothing nature. Socially distanced fist bump for this idea 🤜🤛!

Naomi
Community Team
Status changed to: Open
 
dgioia3stlcc
Community Member

We would also like to see this.  Particularly the terms management.  We would like to configure our SIS integration to be able to create terms without giving it full admin access to everything. 

kirsten_ryall
Community Participant

200% support for this. Having to resort to custom solutions is never ideal. In my role, I'd be comfortable with 'view only' of sub-accounts. I do not want access to authentication, theme editor, terms etc. These are managed by other teams at my institution, and I'd prefer not to have access to them at all. The impact of someone accidentally altering terms, themes or our auth system without proper knowledge and experience is very worrisome indeed.

PhillipJacobs
Community Member

Very much would like to see this implemented! Themes are mostly managed by our course development teams, terms by lower-level admins who are responsible for SIS integration, and the remaining 3 should only be managed by higher-level admins, since the impact, especially at the root level, can be wide-ranging.

More than one permission for things like Themes would be nice to have. The basic which can use default GUI options versus another for adding custom JS and CSS.

For the sub-accounts a view versus manage would be great as well. I do not want to have to assign every sub-account to a person to allow them to add account roles to each, but do not want them to be able to change the structure.

chris_sweets
Community Explorer

I very much need this! 

I need two separate groups of users to each have one of the listed permissions.  I need to be able to grant designers themes access, but nothing else, and to grant access to change the term dates to people who should not be able to change all systems settings, or things like sub-accounts or authentication. 

These permissions are broken up into five categories in the help menu; why are permissions lumped like this? It seems that if there are five distinct categories in the "What this affects" documentation, it should be five separate permissions.

abbyrosensweig
Community Participant

Yes! We want this to be able to pull subaccount management out from the other permissions (and having granularity overall would be nice).

ejlichten
Community Member

This is very much needed.

ProductPanda
Instructure
Status changed to: Archived
Comments from Instructure

As part of the new Ideas & Themes process, all ideas in Idea Conversations were reviewed by the Product Team. Any Idea that was associated with an identified theme was moved to the new Idea & Themes space. Any Idea that was not part of the move is being marked as Archived. This will preserve the history of the conversations while also letting Community members know that Instructure will not explore the request at this time.