Community Help

ward_michael · ‎03-25-2025

Are you comfortable granting admin level permissions to third party integrations? As a Canvas Admin, we go with the vendor instructions to install Developer Keys, API Keys, LTI apps, Admin level Access Tokens, custom JavaScript, etc.

If the third party integration uses API Keys then there is the option to Enforce Scopes but then not all tools use that.

The one I am concerned right now for an accessibility management tool one of our colleges wants to pilot has one of the installation parts requesting for an Admin level Access Token where one of the Account Roles permission is the "Permissions - manage" that has access for both View and Manage permissions. The vendor says they need that permission to detect if a user has an Admin Account Role because they have different functions for users with admin roles. But without a "View only" type of permission to get that Admin Account level role then the only option is to give the most powerful "Permissions - manage" for this tool. If that permission was split into two where I could just give View but not Manage then I probably would be less concerned.

So do you just "trust" the third party integration vendor with your entire Canvas system? Because granting "Permissions - manage" basically allows them if they wanted to set all Allow permissions, create any full access Account Admin, and then do anything an Account Admin could do including deleting everything in your Canvas instance (courses, users, sub-accounts, roles, etc.). That does not seem like security best practices to me.

While we do require third party integrations to submit their VPAT or ACR (to cover accessibility) and their Data Privacy Policy (to cover FERPA and privacy laws) for us to review and approve before installing tools, we should also be considering security issues such as what I mentioned above. I do not think a HECVAT covers those specifics.

So what does your institution do with admin level access requests for third party integrations? Do you just go with it? Do you make the vendor sign some sort of agreement document to keep your Canvas system secure and not make any admin level system changes without first reviewing with your Canvas Account Admin?

Thank you!

Jeff_F · ‎04-02-2025

Yes, we absolutely perform a full review to include accessibility and security. If the vendor is asking for a permission level we are not comfortable with then we pass on the tool and tell them why. I would never ever assign a vendor account or integration critical permissions such as 'Act As' or 'Permissions - manage'. I can confidently state that everyone on our support team would not consider this. Not for a second.

ward_michael · ‎04-02-2025

Thank you, Jeff_F, for your stance on this subject and reinforcing my security concerns!

I also submitted this Canvas Idea for Instructure to consider separating the View from Manage for Permissions.

https://community.canvaslms.com/t5/Canvas-Ideas/Permissions-Separate-the-quot-Permissions-Manage-quo...

Granting Admin Permissions to Third Party Integrations

Admin

Excluding task sheet from TurnItIn

Text input field in five-question essay quiz not s...

Resizing an assignment

Non-Instructor Evaluators (Assessors) in Outcomes

Bulk Date Editor Not Showing Checkpoint Discussion...

Excluding task sheet from TurnItIn

Text input field in five-question essay quiz not s...

Resizing an assignment

Non-Instructor Evaluators (Assessors) in Outcomes

quizzes in classroom (modules)

You're signed out

Granting Admin Permissions to Third Party Integrations

Community Help

View our top guides and resources: