cancel
Showing results for 
Search instead for 
Did you mean: 
tiffany_morgan
Surveyor

How to remove Settings > Generate New Access Token from a specific Role

Jump to solution

Hello

I am wondering if is possible to remove the ability to generate a new access token for the teacher role? If so, how would I go about doing that?

Thanks!

Tags (2)
1 Solution

Accepted Solutions

Hi  @tiffany_morgan ​,

I guess you could remove the button from Canvas entirely using CSS or hide it for anyone who has a teacher role enrollment (including admins) using JS.

I'm curious to know why you would want to do this?  Having access tokens doesn't let a user have access to anything in Canvas that they wouldn't via the UI.  I've even heard of a programming teacher who created an assignment where his students built something that would hit the Canvas APIs so that they would have access to an enterprise level API without being able to affect anything that they shouldn't.

View solution in original post

9 Replies
Stefanie
Community Team
Community Team

 @tiffany_morgan ​, someone from Canvas Admins​ or Canvas Developers​ will probably have to weigh in on this, so I've shared your question with those groups.

Hi  @tiffany_morgan ​,

I guess you could remove the button from Canvas entirely using CSS or hide it for anyone who has a teacher role enrollment (including admins) using JS.

I'm curious to know why you would want to do this?  Having access tokens doesn't let a user have access to anything in Canvas that they wouldn't via the UI.  I've even heard of a programming teacher who created an assignment where his students built something that would hit the Canvas APIs so that they would have access to an enterprise level API without being able to affect anything that they shouldn't.

View solution in original post

Hi Scott

Thanks for the reply. It's not a dealbreaker, and mostly curiosity at this point as I don't believe our instructors would use it. Ideally I would like to review the documentation about what info is be made available via an instructor generated token/API, but wasn't able to find that. For now I was hoping it was just a permission I could turn off until I had a chance to review the feature for instructors in more detail and then enable, as needed (I say all this while also saying I am very very new to using API's myself).

If it becomes mission critical to hide it is good to know it's possible via css or js

Thanks again

Tiffany

Hi Tiffany,

I can't point you to documentation off the top of my head but I can tell you that using APIs and access tokens will not let the user do anything or access anything that they cannot do through the user interface. So for example; a student could conceivably see their own grades but couldn't look at grades for another or update grades.

I think you are probably correct that a vast majority will probably never use it, but then that is probably why it is buried as far in Settings as it is.

Not sure if it will help or not, but we've been using Canvas since 2012 and never had an issue with this feature. I also agree that the vast majority will probably never find it and even those who do probably won't know what to do with it!

As a reason for keeping this functionality available to faculty,  @James ​ has created some awesome tools for faculty that allow them to do things that Canvas currently doesn't have in place - ex: Change all assignment due and availability dates on one page. This is a huge timesaver for faculty, but requires them to use their own Access Tolken from Canvas in order to run the program.

Funny you should mention the due date project in this context. It turns out that harris60​, the originator of that feature idea, works at a university that keeps faculty from getting access tokens, much like  @tiffany_morgan  was asking about.

That's why he was never able to use the code I wrote. Now, if I could figure out how to make the automated process work where my app asks for permission from Canvas, it should bypass their replacement of the button (since it's just done with JavaScript) and he could get in.

Funny that you would provide that link, because I was googling this issue before I posted and found that Indiana University has a page for instructors to request a token (For Canvas at IU, how can I request an API token?) , so my thought was "well it must be possible to hide it if they made a request form!"

In any event, I'll put this all on the back burner until I have a real need to address it, and agree, it's likely to be ignored  by instructors.

Thanks again to everyone for the help!

Hi, Tiffany. That is not a request form. The page you linked to shows how to go to the very feature you wish to disable.