Community Help

skhagen · ‎08-07-2018

We're interested in creating a sub-account-level role (or is it an account-level role with people assigned to department sub-accounts?) for a visiting accreditation team.

Below is the list of permissions that make sense to me at first glance. This is probably more expansive than needed. I think the 4 starred items might be all that is needed. A few questions:

Does that work how I've described it?
I've read about there being underlying permissions of a particular role, such that when a new role is created based on that role it still has those underlying permissions. Is there a list of those somewhere? Do any of them present a risk if used by a visiting accreditation team? (The team is covered under FERPA, so that's not an issue.)
Am I missing any critical permissions in the list below?

Thanks for any insight!

Admin Account Permissions

Statistics - view

*Courses - view list

Course & Account Permissions

*Submissions - View and make comments

Analytics - view pages

Question banks - view and link

Announcements - view

*Course content - view

*Discussions - view

Quizzes - view submission log

Courses - view usage reports

skhagen · ‎08-08-2018

I'm going to clarify my own question.

I found the awesome permissions document (thank you, Related Content feature of the Community).

Are the permissions with the * in that document and below the underlying permissions I described before? That is to say, the document calls them un-editable, which I'm taking to mean they have to be associated with any account-level role.

If I've got that right, I think the evaluator/accreditor role would need these settings at least:

Account admin*

Admins - add/remove*

Submissions - View and make comments

Grades - view all grades (not sure on this one - required for Speedgrader view?)

Grades - edit (must be enabled for Speedgrader view)

Course content - view

Discussions - view

This is a good illustration of why making permissions more granular is important. Ideally we'd be able to have Submissions - View, Course content - view, and Discussions - view (in green) without the others (in red).

Am I right? Am I missing something? I'm a sub-admin, so I can't test it myself.

@kona ‌, can you point me in the right direction?

skhagen · ‎08-17-2018

As an update, the official decision is that this is too much access, so we won't be creating the role. Specifically the inseparability of these is problematic:

Submissions - View and make comments

Grades - view all grades (not sure on this one - required for Speedgrader view?)

Grades - edit (must be enabled for Speedgrader view)

kellyrouska · ‎08-31-2023

Apologies for kicking up this old thread. I'm curious as to what the ultimate solution was on how you were able to give access to the team to your Canvas courses. We're currently trying to find the best way. Thanks!

kathy_ehmann · ‎09-01-2023

We have this question too! I would love to see how other institutions have handled this.

chriscas · ‎09-01-2023

We created course level roles called "reviewer" and "reviewer with grades" that we use both for internal review procedures as well as external accreditation too. I guess luckily for us, our accreditors so far have never asked for across the board access to our LMS, but rather have given us a list of courses they wanted to access. I'd be super hesitant to create even a limited admin account role and give that out, just because permissions are not always granular enough, and giving even limited account admin access can grant extra abilities you wouldn't want viewers to have at all (like the ability to wipe out your LTI whitelist, for example).

-Chris

Sub-account level role for accreditation visitors

Admin

Administrator

You're signed out

Sub-account level role for accreditation visitors

Admin

Administrator

Community Help

View our top guides and resources: