Has anyone noticed that subaccount admins are also Studio Admins? This became apparent as a student contacted our support team as he could not create and post content to Studio. It would seem that one of our +250 subaccount admins accessed the Studio settings and disabled all the student permissions. As far as I was aware just two of us were Studio Admins so this appears to have been a change (??).
Does anyone else see that subaccount admins are also Canvas Studio admins? This is a problem for the issue noted above but it is also a security issue as this gives access to create developer and LTI keys, as well as the user list (create/ edit user).
I am faced with the prospect of running a report to list all the subaccount admins (150-200?) and then using the search tool to find and remove the permission from each. That isn't necessarily fun but it is doable. However, how do we know that this will not reoccur when a new subaccount admin is created?
ps. our Canvas Support ticket #: 05388972
April 3 update: it was 250 subaccount admins.
How did you resolve this?
We are also really upset by this. Initially we where 2 people with admin rights in Studio and the decision from Instructure to publish an update that result in this behaviour without notification is reprehensible.
I initially ran a report to list all out subaccount admins by email and then used that list in conjunction with an iMacro script I wrote to search for the email in the long list and then the code deselected the check mark in the Admin box. But a few weeks later I noted they were all back. The happy end to the story was when we received a note stating Canvas Engineering resolved the issue.
@perolavb -- it turns out Engineering did in fact resolve the issue. One notable caveat is that if you have anyone with root admin access they will continue to have a Studio admin role. That is what I was seeing.
To try to confirm all is well I went to my Studio admin user list, waited for it to full load, copied the entire page and pasted to a Noptepad ++ file. I then seared for 'Yes' and filtered by Match Whole Word Only and Match Case. I then copied the results of that search and pasted into Excel. Next I filtered by text so only users with our email domain were showing. The only people I was seeing were those with the root admin access.
It is a few steps to verify but I felt better after confirming all is well.
Here is the support case we had #05388972.
@Jeff_F thanks a lot for the response and update.
When you say root admin you mean admins at the root account level right?
We are a quite small educational institution (about 12000 canvas users), and we have a lot of admins at the root account level with custom admin roles with very limited admin permissions. So it's still problematic for us that all types of admins independent of role permissions in Canvas automatically get full admin rights in Studio.
We will have to discuss this further with Instructure.
@perolavb - yes, that is correct, Admins at the root level automatically become Studio admins.
We have also applied a custom admin role at the admin level with very limited admin permissions - in fact just one permission - and they too are Studio Admins. Not at all what I would like to have but it is so much better than the hundreds we previously had with all the sub account admins being Studio admins.
I found out what triggers the admin status in Studio.
If a canvas user have some sort of admin role (in our case at root account level) and this user don't exist as user in Studio. The first time this user opens studio the user is created in Studio with admin privileges.
If i remove admin status from this user the effect is "persistent" until the user opens studio again. Then the admin role is reset. 💀
I would encourage you to verify that this isn't the case for sub-account admins as well.
EDIT: We have confirmed that this don't affect the admins on sub accounts.
All in all this is just another example of a poorly designed/engineered system by Instructure.