On the Hidden Canvas Permissions thread there was some discussion of sharing permission structures that work for people. I don't want them to get lost on the other thread, so I thought we could start this place to compare notes and give new admins or admins creating new roles a place to start for general permissions. I've been pondering how to communicate this and the best I've come up with is an excel document with all of the course and account level permissions. I can't think of an easier way that wouldn't be a giant pain to update as Canvas makes edits.
I've attached the sheets I came up with, anyone interested is welcome to help make them prettier or easier to use
My thought is if you are willing, share the name of the role and the intended behavior of the role along with the permissions you have set to make that happen. If there are specific questions/comments feel free to speak up, and then we'll all learn from one another.
Here's my suggested template, feel free to adjust:
Account or Course level Role:
Role Intended Behavior:
(Attach Filled out Excel sheet with permission)
Because there will almost certainly have to be edits to roles as Canvas edits permissions, I'm going to post mine in the comments.
Role Name: K-12 Instructional Designer
Account or Course level Role: Account
Role Intended Behavior: Edit staging and live courses, but not interact with live teachers/students. As this role is part of our in- office staff and we're a K12 (No FERPA) it isn't the end of the world if this person sees student grades/progress, but this role is designed to not mess with live users as much as possible. In a higher ed environment this could work as a sub-account level role in a sub account with only staging/dev courses. One the big ones for us is that this role does not have masquerade privileges. As masquerade page views are still recorded as the student's as well as the admin's, that permission is jealously guarded to keep the integrity of page views for troubleshooting.
Some of the outliers include "Edit Grades", which seems outside of the scope of this position, but this permission is required for adding/editing the grading scheme, which has to be added to each new course before it goes live. Our SIS grading scheme doesn't match Canvas' so a custom one must be set. It has the unfortunate byproduct of also allowing this person to edit grades for live students, which they are not permitted to do by institutional policy, but we can't prevent by permission.
Another outlier is "Post to discussions", which is enabled because we use discussions in training courses for faculty and not in student courses, because of the lack of ability to moderate them before they go live. If we moved to using these in live student courses we would reconsider this permission for this role.
Be sure to click into the second tab of the attached Excel sheet (Account level).
Role Name: K12 Academic Adviser
Account or Course level Role: Account
Role Intended Behavior: Our advisers are the one-stop fix for our students. They answer basic clarification questions on content, help with Canvas navigation trouble, do basic troubleshooting and generally are available to our students. I think this position is pretty unique to online only schools, because a lot of these questions would go to a teacher in a face to face setting, but with our teachers offsite and not available by the phone, our advisers are a great first line of defense for families to get a quick and accurate answer. Again, because these are K12 students, this role does have access to view student grades, which would not work in higher ed.
Role notes- This permission level does not have masquerade for the reasons listed above. We have three leadership positions in a "Senior Adviser" role and they do have the ability to masquerade if the the adviser needs this.
Outlier permissions include "create web conferences" which we use to allow the advisers to hold social hour conferences in our homeroom courses, "add/remove teachers" which is a weird one but allows the advisers to see the teacher user pages to help troubleshoot and "manage quiz/assignments" because without the ability to hit 'edit' on a quiz, advisers can't see the questions given on that assessment to help students troubleshoot/understand. None of these are permissions we were crazy about giving, but they're all connected to other things this role needs.
Sorry this isn't in the Excel format, but I had posted this in another thread and wanted to share it here too. The post was related specifically to roles given to third-party vendors and their data access tokens.
Below are two of my standard roles that I use for third-party vendors depending on what they need to access:
Oh, interesting. Do you give them sub account level permissions for the things they need to see or are they in the whole account? I would have assumed that "edit grades" would be an issue with FERPA or accreditation?
And maybe I misunderstand what you're using them for
These are account level permissions for trusted vendors that we already have contractual relationships with -- McGraw-Hill, Pearson, Cengage, Examity, etc. Some of the publishers only needed to access course info, but other that need to push quiz grades and things like that back into the LMS need higher levels of permissions. Edit grades is a must for these tools in order to write grade info back into the Canvas gradebook.
This is more a request for guidance than a "how I did it", but I would really like a course-level "grader". This role would be someone who could see student submissions, add comments, and then record grades. I tried creating one based on the standard 'TA' role. I could set the permissions to the courses, but I found that there are other, non-published permissions that are tied to the role that are inherited from the 'TA' role.
So, what does that mean? If I have a user with the grader role on a course, and the student uses the "Ask Your Instructor a Question" link in the help screen, the question is sent to the instructor, the TAs (if any) AND the Grader, since the grader was based on the TA! So, the 'grader' role really isn't a grader, it's a TA with fewer permissions. This is very problematic, and impacts all roles that are inherited from another standard role. And since you can't create a custom course role without basing it on an existing standard role, all custom roles will have some features that tied to them that are not published.
When I pinged Canvas support about this, the response I got was "here is some JS/CSS to suppress the 'Ask Your Instructor a Question' link out of help"...
Is this grader unique to specific courses? Or could they be in all courses and only grade for the ones they need?
Here's my thought, you could consider making this person a limited (sub)/account level admin and then adding them as a silent observer (not observing anyone) to the courses you wanted them to grade. That way there shouldn't be a question of which courses- they can just look at their course list, but the admin role would allow them to grade once they got there. The observer role shouldn't bother any of the other users and won't trigger the teacher/TA communication channels like you were talking about.
The only problem with this is that it gives them access to the entire sub account, at minimum. If this is someone for whom that wouldn't be an issue, I would be happy to help you figure out what kind of account permissions you can try. If not I'll have to think on it
Did you ever get your course-level grader role to work? If so, how did you set it up? The suggestion to implement account level permissions probably won't work for us for several reasons. At UCSC, a "grader" is an undergraduate who is hired to read/grade the work of other undergraduates. Typically, in our current system, the instructor adds the grader to the course and assigns them the role of TA, which in our current system is a role specifically for grading.