More granular permissions for admins


Right now setting Permissions for different course and account roles is very difficult because many of the permissions are tied together so you can't have one permission without also having the other checked. Yet, there is no list of what each permission actually impacts and which permissions are related to each other.

 

When we are developing a new role we almost always go through the lengthy process of:

 

  • adding a permission to a role
  • logging in as someone with that role and checking to see if that person can do what they need to do but not things they shouldn't do
  • if the setting isn't correct, then going back to permissions and checking or unchecking something different to see if we get the desired result
  • wash and repeat

 

If permissions were more granulated and separated out it would be much easier to (1) understand what the permission actually controls and (2) provide the right level of access to specific users.

 

Comments from Instructure

The New User Interface is included in the Canvas Production Release Notes (2018-07-14). Go check it out!

Comments from Instructure

The LTI - add / edit / delete permission has been grouped into three separate permissions, as detailed in the Canvas Release Notes (2022-01-15).

 

 

🔎 This idea has been archived. While this idea isn't open for comments, it is an important part of Instructure’s idea conversations and development process. Contributions like this are valuable as Instructure prioritizes work on new or existing features.

120 Comments
johnsonmatt
Community Explorer

There also doesn't seem to be a way to stop teachers from adding students as observers. I recently found a course where a teacher made a club and, since they can't add students (we turn that off because those changes should happen in our SIS and not just be fixed by a teacher without anyone else knowing there is a problem), to get around this they added all the students as observers, since the content was just resources that only needed read ability. Teachers should be able to add a TA or our custom Head of Department role. There should be a matrix that breaks out all of these things, TA, Teacher, etc., and allows a school to say what roles can have other roles. For instance, I should be able to prevent a teacher that has a child in the school as a student from being an observer with their school-issued email. What if that teacher leaves in the year but their child stays enrolled? Not every school would want to prevent that, but every school should be able to select which other roles a role can have rather than the current implementation where schools are fighting each other on how these permissions work.

mgudites
Community Novice

This DESPERATELY needs to happen. Permissions need to be FAR more granular than they are currently.

It's absurd that, for example, I can't give someone access to associate Blueprint courses without also giving them access to add/edit/delete courses. Or, that to take away "Course Copy" (import) rights from faculty, it means I'm also taking away the ability to edit content in a course.

The "all or nothing" approach of permission levels in Canvas is unacceptable. Please break it out to make permissions more manageable. 

mgudites
Community Novice

I just posted above but only just realized that this thread is FOUR YEARS OLD. That is really disheartening; kinda makes me give up any hope that stuff like this will ever get fixed. I know I've posted similar comments on other threads but, why is it that things that came so easy for us in Blackboard, things that should be a given (I mean, security...COME ON), come with so much difficulty in Canvas? Does Instructure really care that little about stuff like this?! There's nearly 500 upvotes at this point.

jared_flaherty
Community Contributor

YES, do this. Why are authentication and theme editor in the same group? If I want to grant theme editor permissions to the marketing dept graphic designer or whatever, they then can get into the authentication area and accidentally, or purposefully, make it so nobody can log in. Please granulate permissions apart from each other that just have no reason to be lumped together.

millerjm
Community Champion

Hi @jared_flaherty:

Here is a feature idea that I found the other day related to that...

https://community.canvaslms.com/ideas/13092-remove-global-announcements-from-settings?sr=inbox 

Yes, terrible, terrible things can happen by assigning users these large buckets of permissions.  Sometimes you have to give permissions because that's just how it's set up and work has to get done. 

We've been on Canvas for 5 years and we've been trying to have these things unbundled since day 1 and I know others have been trying even longer.  

mgudites
Community Novice

And as part of an institution that is brand new to Canvas, that is extremely unsettling to me. Of all things to take a back seat, security should not be one of them.

reynlds
Community Participant

We'd like to hand off branding/theme design, etc., to our web team, but don't want to give them sys admin permissions. Can't do that currently.

PSU_Tony
Community Contributor

Let's see..... Some of us have been waiting for this for 7 years. 

meichin
Community Participant

LOL. I did have this dream about starting a chant "More Granular Permissions" at the conference last year, but I didn't follow through. 🙂

millerjm
Community Champion

Maybe you should do it this year if it's not done. 🙂

zowada-a
Community Participant

I would join you in that chant 🙂

Nancy_Webb_CCSF
Community Champion

I know this is a very old idea but I'm glad it's still alive. The new UI in Permissions is wonderful so thanks for that.

But we need to add some permissions that cover basic role capabilities, such as roles based on the teacher role allow for doing tasks such as Export a course, reset the course content, edit the course menu, change the start and end dates, choose the course's home page, turn on feature options and more. Roles based on TA also can do most of these things but at least can't reset the course.

We can turn off the ability to upload files or create modules, assignments, and pages, and yet that person will be allowed to change important course settings. Please add these capabilities to permissions so they can be controlled.

cms_hickss
Community Contributor

If you have not seen Canvas Release Notes (2020-06-20), then you have missed the great news of the first set of permissions [https://community.canvaslms.com/ideas/2326-in-permissions-separate-manage-wiki-addeditdelete-pages-i... ] being separated into three!!

10071
Community Participant

I really wish they would make this happen

 

siren_vegusdal
Community Participant

There have been some changes lately in the possibilities for finer granulations regarding permissions. Some good, but not all:

I would really like to get back the possibility to decide what my lower-level admins are permitted to do as account admins.
To be more specific: I would like them to be able to impersonate a user and I would like them to be able to change roles within a course that has been populated from SiS or invited to a Course created via SiS (because they are admins).

I would also like my teachers to be able to change roles for people in courses (even when the course has been created by the SiS integration) after the initial role has been given - sometimes you would like to give a person a new role - if you invited somebody as a teacher, you are not allowed (as a teacher, or lower-level admin) to change this role later on, e.g. to an observer. This might also be a problem related to GDPR and privacy legislation.
To conclude: As a top admin in Canvas, I would like to be able to decide which permissions I give my users.

@apondi_olum 
@claus_wang 

 

chriscas
Community Coach

@siren_vegusdal ,

A couple comments for you (from someone who has been harping for more granular permissions for years now)...

On the "act as" issue. I know a lot of people have voiced a request for this to be available for subaccount admins, including some of my colleagues at our larger campus. I can definitely see why Instructure doesn't allow this though because of all of the complexities that would be involved. If a subaccount admin could perform "act as" actions, they could then also get access to courses outside of their subaccount. As an example, they could act as a teacher in one of the courses in their subaccount, but that teacher also has courses in another subaccount outside of the admin's area. In that scenario, the admin would either get access to material they weren't intended to have, or it wouldn't be a true "act as" experience if anything outside of the admin's subaccount was removed. *IF* you are okay with subaccount admins having extended access, you could create a very limited role at the root account level (perhaps just giving the "act as" permission and a couple more), and add all of your subaccount admins into that new role in the root account too. That is what we do here. It seems very similar to having subaccount admins able to "act as" by default, but this workaround shows deliberate decisions were made about the extra access. I think Instructure would get negative feedback no matter what they did in regards to the subaccount admins here if they ever tried. If you'd like more info on this, let me know. I'm happy to share our role permissions.

On the users issue, I think most institutions regard the SIS as the highest official record store. I know we do here, and letting teachers change roles populated by the SIS would be fraught with issues. That's not to say there aren't legitimate use cases though. I'm just imagining the worst case scenarios if this were possible... For example, changing a student to some other role would remove their access to submit work, and would also remove them from the gradebook. Changing a TA to an observer would not allow them to make changes or perhaps view certain content. If the role is coming from the SIS, we'd usually view it as official, and if someone was prevented from doing their official duties, that would not be good. Have you tried just giving permission to add users as a workaround? While confusing, Canvas seems to let users have more than one role in a course. Perhaps you could let your teachers add observers, TAs, etc. instead of changing the SIS role? That way the SIS role still exists, but the alternate role would exist too. This would only work if the teacher wanted to give more access rather than restrict it (but again, restricting SIS created roles could end up in very tricky situations that might cause more issues than it would solve).

-Chris
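
The cross-subaccount reach described in the comment above can be checked with a small model. This is an added example, not part of the original post and not Canvas code or its API; the subaccount names, users, enrollments and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): which subaccount owns each course.
COURSE_ACCOUNT = {
    "BIO101": "science",
    "CHEM201": "science",
    "HIST110": "humanities",
    "ART150": "humanities",
}

# Constructed sample enrollments: (user, course, role).
ENROLLMENTS = [
    ("t_lee", "BIO101", "teacher"),
    ("t_lee", "HIST110", "teacher"),  # same teacher, second subaccount
    ("t_kim", "CHEM201", "teacher"),
    ("s_ava", "BIO101", "student"),
    ("s_ava", "ART150", "student"),
]


def users_in_account(account):
    """Users with at least one enrollment in a course owned by `account`."""
    return {u for u, c, _ in ENROLLMENTS if COURSE_ACCOUNT[c] == account}


def act_as_reach(admin_account):
    """Courses an admin of `admin_account` could reach if allowed to act as
    any user enrolled in that subaccount, grouped by owning subaccount."""
    targets = users_in_account(admin_account)
    reach = defaultdict(set)
    for user, course, _ in ENROLLMENTS:
        if user in targets:
            reach[COURSE_ACCOUNT[course]].add(course)
    return dict(reach)


def out_of_scope(admin_account):
    """Reachable courses that the admin's own subaccount does not own."""
    reach = act_as_reach(admin_account)
    return sorted(
        course
        for account, courses in reach.items()
        if account != admin_account
        for course in courses
    )


if __name__ == "__main__":
    for account in ("science", "humanities"):
        print(account, "admin reaches outside own subaccount:", out_of_scope(account))
```

Any non-empty result from `out_of_scope` is access that a subaccount-scoped "act as" grant would extend beyond the subaccount, which is the extra access the root-level role workaround makes an explicit decision.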

siren_vegusdal
Community Participant

Thank you for your feedback @chriscas 

You are kind of making my point. I do agree that the SiS is the main source of data to Canvas, and the point is not to give teachers the opportunity to mess with that. (I do want my admins to be able to "mess" with that though... but that is a different discussion).

The point is that my University has a slightly different approach to who gets to do what, and I would like to decide that in Canvas at my institution - and you follow the policy in your institution - instead of Canvas deciding this for us both. So even more granularity would be good. 

For instance: we give our teachers the permission to invite colleagues to their courses. The problem is that Canvas has denied the same teachers the right to remove the ones they have invited and/or change the role they have given them in the course because the course has been created by a SiS integration. As soon as we are in a manually created course they are able to edit and remove. 
While writing I thought of a thing that might help the situation for users... they are allowed to create sections so I guess if they created a section named (lecturers or guests.. or..) hopefully they would be able to edit the role of the invited after the fact...or at least remove them from the section and the course. 

Thanks for the tip about a top-admin role with just a few permissions- that is a workaround that might work for us - so instead of giving them the permission on a subaccount - they get it at the top level...

- Siren

 

chriscas
Community Coach

Hi @siren_vegusdal ,

Have you by chance reported the removal issue to Canvas support? My understanding was that if you give the permission to remove, it should work as long as the enrollment was manually created, and have nothing to do with the course being created via SIS. On the permissions page, the details say "If an enrollment is created via SIS, only admins can remove the enrollment from a course. To remove a user via SIS ID, SIS Data - manage must also be enabled." If you're seeing contrary behavior, which it sounds like you are, I'd definitely let Canvas support know. We don't let teachers change enrollments in our SIS-created courses at all, so I'm not really able to test this out in our instance.

-Chris

canvas_support6
Community Explorer

We are reviewing our user roles in Canvas and find we also require more granular Admin permissions in order to delegate access appropriately. The worst problem we have is for the "Account-level settings - manage" permission. I have created an independent idea for this issue here:

https://community.canvaslms.com/t5/Idea-Conversations/Make-the-quot-Account-level-settings-manage-qu...

Simon

 

KristinL
Community Team
Status changed to: Archived

Hi!

Thank you to everyone who has collaborated in this thread during the last 5.5 years. To simplify our idea process, this thread has been Archived. In the future, please create more granular requests. It's really difficult to manage all the updates when ideas are complex.

Here's a list of the updates related to the requests made in this thread: