More granular permissions for admins

Right now setting Permissions for different course and account roles is very difficult because many of the permissions are tied together so you can't have one permission without also having the other checked. Yet, there is no list of what each permission actually impacts and which permissions are related to each other.

 

When we are developing a new role we almost always go through the lengthy process of:

  • adding a permission to a role
  • logging in as someone with that role and checking to see if that person can do what they need to do but not things they shouldn't do
  • if the setting isn't correct, then going back to permissions and checking or unchecking something different to see if we get the desired result
  • wash and repeat

If permissions were more granulated and separated out it would be much easier to (1) understand what the permission actually controls and (2) provide the right level of access to specific users.

Comments from Instructure

The New User Interface is included in the Canvas Production Release Notes (2018-07-14). Go check it out!

Comments from Instructure

The LTI - add / edit / delete permission has been grouped into three separate permissions, as detailed in the Canvas Release Notes (2022-01-15).

🔎 This idea has been archived. While this idea isn't open for comments, it is an important part of Instructure’s idea conversations and development process. Contributions like this are valuable as Instructure prioritizes work on new or existing features.

120 Comments
asatkins
Community Novice

JanineJones​ have you considered separating SIS courses from Manually created courses by sub account? You could set permissions to a police state in the SIS sub account and let everything be open in the Manually created courses sub account (including activating the ability to create/delete courses for teachers) without compromising the integrity of your SIS courses.

millerjm
Community Champion

I just spent two days testing what each permission did for a not-quite-admin role.  I was unable to set up exactly the role that I need due to the lack of granularity.

I need the ability to give my techs access to view LTI settings at the root level but not modify or create new ones for troubleshooting purposes, and then be able to add LTI apps/tools at the subaccount level. We did not want to give them access to the Root Account -> Settings -> Settings. However, for them to have even view-only access to the LTI settings, they have to have full access to everything under Root Account -> Settings.

Our previous systems - ANGEL and Sakai - both had the ability to choose much smaller levels of permissions vs. blanket sets of permissions.  I'm putting in another feature request related to scrolling problems on the permissions screen (row and column titles do not scroll).

ldprogrammers
Community Novice

We need to have course rights override admin rights. If we have admins who are enrolled as students in courses, they would have integrity issues as they would be able to view all quizzes/answers, edit grades, etc. In a higher education institution, this is a major issue as we encourage our staff to continue their education.

cms_hickss
Community Contributor

To work around this issue, we created a set of (work)usernames for our employees that have the Admin rights to do their day to day job. They use their official usernames for all academic work.

This helped Teachers know who was moving around in their courses as the work usernames clearly identify the person and that they work for our department. We also have a script (called the Nanny Checker) tied to our workflow system that basically checks to make sure anyone in our department (or with a work username) isn't doing something naughty.

ldprogrammers
Community Novice

At scale, this is a difficult solution for our large institution. 

cms_hickss
Community Contributor

I don't know if this will help, but when we made the transition to Canvas we batch added the 80 work usernames into Canvas. The biggest issue we had is that there is no way to instantly assign them a role on upload, so that part was multistep as we have several different types of Admin roles based upon what they do in our department.

I will also add, the Identifier in the work usernames helps students in the course trying to email the teacher/TA not choose the Support person who has enrolled in the course to assist the Teacher (or other students).

That all said. For our part-time student employees who work on our Support Team we have a tool that uses API calls. They access that system with their official usernames. Then select the course they are trying to assist a student or teacher with, as long as they are not a student in that course, this tool (through an API call) enrolls them as a teacher (with the special work username) and then when they complete the work ticket, unenrolls them.
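The separation described in the posts above (admin rights only on work usernames, and a tool that will not enroll a support account in a course where the same person is a student) can be checked with a short audit. This is an added example, not part of the thread and not the poster's Nanny Checker or enrollment tool; the usernames, courses, the work-to-official mapping and the record layout are all constructed assumptions, not Canvas API output.

```python
from dataclasses import dataclass

# Constructed sample data (not Canvas records or API output).
# Assumed mapping: work (admin) username -> official (academic) username.
WORK_TO_OFFICIAL = {"support-jdoe": "jdoe", "support-asmith": "asmith"}

@dataclass(frozen=True)
class Enrollment:
    username: str
    course: str
    role: str  # "student", "teacher", ...

ENROLLMENTS = [
    Enrollment("jdoe", "BIO101", "student"),
    Enrollment("support-jdoe", "CHEM200", "teacher"),
    Enrollment("asmith", "HIST300", "student"),
    Enrollment("support-asmith", "BIO101", "teacher"),
    Enrollment("support-asmith", "HIST300", "teacher"),  # same person is a student here
]

def student_courses(official, enrollments):
    """Courses in which the official username is enrolled as a student."""
    return {e.course for e in enrollments
            if e.username == official and e.role == "student"}

def may_enroll_as_support(work_user, course, enrollments):
    """Guard for a temporary-enrollment tool: deny unknown work accounts and
    any course where the same person is a student."""
    official = WORK_TO_OFFICIAL.get(work_user)
    if official is None:
        return False
    return course not in student_courses(official, enrollments)

def find_conflicts(enrollments):
    """Audit: work accounts with a non-student role in a course where the
    same person is a student. Returns (work_user, official, course) tuples."""
    hits = []
    for e in enrollments:
        official = WORK_TO_OFFICIAL.get(e.username)
        if (official and e.role != "student"
                and e.course in student_courses(official, enrollments)):
            hits.append((e.username, official, e.course))
    return sorted(hits)

def admin_on_official_account(admin_usernames):
    """Audit: official usernames that hold an admin role directly."""
    officials = set(WORK_TO_OFFICIAL.values())
    return sorted(u for u in admin_usernames if u in officials)

if __name__ == "__main__":
    print(find_conflicts(ENROLLMENTS))
```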

kristin_bayless
Community Contributor

Yesterday, while investigating the permission "manage (create/edit/delete) groups", which is turned off for our students, I found that students do have the ability to create groups through People>Groups.  While it takes a while to load, and there is a resulting "Whoops" message that pops up, when the page is refreshed the groups are there.  This has been an issue for a few years now, so when support said they'd escalate the issue, I'm not expecting a quick response (sorry to sound pessimistic). 

To me it speaks to the larger issue of needing permissions to reliably do what is expected from the description and nothing more.  When I grant permission to see the users at the root level, I should not be giving access to also delete those users.  When I turn off the ability to create groups, the users should not be able to do this. 

Administrators need to be able to rely on the Canvas permission settings.

Gina_Smith
Community Novice

I, too, have strong feelings about permissions needing more granularity.  Other permission areas where improvements would benefit us are:

1. Modify the user interface so the row and column headings are fixed.  After you have created 'x' number of roles the column and row headers scroll off the page so you can no longer see which permissions belong to which role. It makes editing permissions very difficult.

2. Provide the ability to run a provisioning report on roles and the ability to use an SIS Import to batch assign users to roles. We use Dropout Detective so most of our staff have the Advisor role at multiple sub-account levels. It literally took us days to assign all the right people to the right sub-accounts under the current design.

3. It would also be great to be able to go to a User's Profile and see all the roles they are assigned and the sub-account where each role has been assigned.  It would then be awesome to be able to add/edit/delete that user's roles from their User Profile. We have users who have different roles at different sub-accounts and you have to go to each sub-account and search for a user's name to figure out if they have a role assigned.

Thank you for considering these!

asatkins
Community Novice

Oh man, that would be a dream. It would be SO nice to be able to tell from the user page what permissions they have. Maybe near where the "managed accounts" area is? Adding admins would be amazing as well, we have a feed to add users, but the permissions have to be done manually. If we could build that in it would be amazing. And the scrolling is certainly annoying. We've considered changing the name of our roles just to try to fit them all in, lol.

powellj
Community Participant

This is exactly my biggest issue with the existing permissions controls. In our previous LMS, I had pages upon pages of finite permission items to select from. Having things grouped like it is in Canvas makes it very difficult.

vrs07nl
Community Contributor

Not sure how related this comment is to this thread but could be taken into account given that it concerns how permissions / roles appear in Canvas.

  1. We have a situation where we have created a new role based on TA called Programme Management. However when you look at course people section the role says Programme Management but the person’s profile / enrollments displays as TA. I have raised a ticket on this as not sure this is actually what I should be seeing.
  2. We have also attempted to create additional roles based on student permissions / role but have had to delete these and would recommend that no additional roles are created at all based on student.

Being able to (un)enrol users by role across more than one course at a time would also be a real admin time saver.

I raised my first point with Zendesk yesterday 1 June and got two replies:

  • We will need to look into this more closely with our colleagues and developers, I apologize for any inconvenience caused.
  • I have reported the issue to our engineers for further investigation

kona
Community Champion

vrs07nl​, I think this is similar to what you were asking about - - It doesn't specify course or at a higher level, so you might want to go in and add your comments/feedback to it.

Chris_Hofer
Community Coach

vrs07nl​...also kind of related to your first point, I've got this Feature Idea floating out there with several votes...almost to the 30 needed to push it through to the next stage!!! 

kona
Community Champion

Just saw that you got the needed 30! :)

Chris_Hofer
Community Coach

[Image: HappyPanda.png]

vrs07nl
Community Contributor

Hopefully that was my colleague and I!

millerjm
Community Champion

I've just created a new idea related to scrolling problems on the permissions screen. @scottdennis, I wasn't sure if it should be a separate idea or if it should be lumped in with this one?

millerjm
Community Champion

In order to give access to "View Prior Enrollments," we had to give teachers the ability to add/remove students from the course, which we don't want to do. The option to view prior enrollments is associated with the teacher permission "Allow users to add and delete students from course" option.

We had to update the JavaScript override to remove the + People button for teachers so that you can have the View Prior Enrollments option, without giving the teachers the option of manually adding users. This isn't a really secure method of locking down these permissions...and doesn't take away the ability for them to delete users from the course.

scottdennis
Instructure

Hi Joni,

Thanks for creating the new idea and thanks also for checking.  I agree that it should be a separate idea submission.

kona
Community Champion

Separate, but absolutely related!