Is it possible to limit access or set permissions (only a single course, read-only, etc.) for an access_token?
I don't want a shared resource to have access to my entire account.
Marcus, I'm not sure of the exact way to go about doing this for your specific school. I also don't work for Canvas so I don't have access to your school-specific Canvas information.
In general, if you create a Development Account (however you need to do this, based on your school) you can then determine if this account has Admin level rights (which would give the account full access to all courses) or teacher level rights (you could add this account just to the specific course you are working on). I'd contact ITS at your school and talk to them about what you are wanting and the best way to create an account so you could access it using Canvas.
And no, as far as I'm aware there isn't a document on this, it's more of what people have figured out as they try to do things. :-)
Marcus, greetings! I'm pretty sure the access token can't be specific for a course, but to double-check I'm sharing this with the Canvas Developers & Canvas Admins groups in the Community to see if they can help.
Thank you! We have a project that would require a team development effort, but not all members of the team should have full access to all of my courses.
Marcus, what we do for things like this is create a "development account" in Canvas. That way the access token is linked to this account that doesn't have any real courses or student information.
Great! I attempted this with an admin (email) account we have here at the University, but it said that the user was not found. How do I create the development account, through you or through our ITS? How do I link it to my course, so that it can access the necessary information? Is there a document on this, somewhere?
In case it's of use, or helps anyone else coming across this thread, if you are generating the access token via the OAuth flow you can use scopes to limit the endpoints and methods that can be called. For example, you might only allow course read access.
However, you cannot limit the calls to a specific course.
Using the account-generated token, you can limit the access to a specific course by enrolling the user in that course, but the API calls will have all of the permissions of that user's role. Creating a custom role for them might give control over some things.
Would be nice if you could combine the features of both approaches.
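The scope behaviour described in the reply above, as an added example that is not part of the original thread or Canvas's own code: it builds an OAuth authorization URL that requests read-only course scopes, then models locally why such a scope restricts method and endpoint but not which course. The host `canvas.example.edu`, the client ID, the redirect URI and the matcher functions are hypothetical; the `url:METHOD|/path` scope form follows Canvas's developer key scopes.

```python
import re
from urllib.parse import urlencode

# Read-only course scopes in Canvas's "url:<METHOD>|<path template>" form.
READ_ONLY_COURSE_SCOPES = [
    "url:GET|/api/v1/courses/:id",
    "url:GET|/api/v1/courses/:course_id/assignments",
]

def build_authorize_url(base_url, client_id, redirect_uri, scopes, state):
    """Build the OAuth2 authorization URL requesting only the given scopes."""
    query = urlencode({
        "client_id": client_id,          # placeholder developer key ID
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,                  # anti-CSRF value, checked on callback
        "scope": " ".join(scopes),       # scopes are space-separated
    })
    return f"{base_url}/login/oauth2/auth?{query}"

def scope_to_matcher(scope):
    """Split one scope into (method, regex over concrete request paths)."""
    method, template = scope[len("url:"):].split("|", 1)
    # ":id" style segments are placeholders, so they match ANY value.
    parts = [r"[^/]+" if p.startswith(":") else re.escape(p)
             for p in template.split("/")]
    return method, re.compile("^" + "/".join(parts) + "$")

def is_allowed(scopes, method, path):
    """Local model (assumption): a call passes if a scope covers method+path."""
    for scope in scopes:
        scope_method, pattern = scope_to_matcher(scope)
        if scope_method == method.upper() and pattern.match(path):
            return True
    return False

if __name__ == "__main__":
    print(build_authorize_url("https://canvas.example.edu", "CLIENT_ID_PLACEHOLDER",
                              "https://tool.example.edu/callback",
                              READ_ONLY_COURSE_SCOPES, "constructed-state-value"))
    # Constructed sample requests: course IDs 101 and 202 are made up.
    for method, path in [("GET", "/api/v1/courses/101"),
                         ("GET", "/api/v1/courses/202"),
                         ("PUT", "/api/v1/courses/101")]:
        print(method, path, is_allowed(READ_ONLY_COURSE_SCOPES, method, path))
```

Both course IDs pass the `GET` check because the scope names a path template, so per-course restriction still has to come from the enrollments and role of the user the token belongs to.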