[API] Using login[declared_user_type] to control which roles a user can have in +people

Problem statement:

 

We have a problem with teachers being able to add students to courses as teachers (even just accidentally). Most are unaware of the consequences (i.e. markbook visibility, course editing, etc.). We want students to be restricted to student roles and privileges in all cases, so that it's impossible for a student account to have any elevated privileges. At the same time, we want teachers to be able to assemble their own cohorts in courses without the possibility of handing out elevated privileges.

Proposed solution:

Currently, user accounts have an attribute login[declared_user_type]. As the documentation states, it does not change any Canvas functionality with respect to their access. I'm proposing that it actually be activated to restrict user access.

Canvas could give admins an option to restrict people to the role types listed in the user's login[declared_user_type] attribute. Adding a person to a course would then only work if the role(s) specified in login[declared_user_type] were chosen in the +people dialogue. If teachers really need to add students with a teacher role, the students could get another login with the login[declared_user_type] set to teacher. The login[declared_user_type] attribute could possibly have multiple values; then we could add teachers as students to training courses if their declared_user_type was [student, teacher].

User role(s):

admin,instructor,student,ta,designer,observer

4 Comments
jpoulos
Instructure Alumni
Status changed to: Seeking Clarity

Thanks for the submission!

I understand the problem statement, but the solution seems ill-fit to solve it and actually be adopted in a widespread way. Many institutions do not use this optional field of "declared_user_type".

It seems more prudent for the system to warn when enrolling a user as a teacher if they do not currently have teacher enrollments; or more generally, when enrolling a user as a course admin role (teacher, TA, designer base roles) if they do not currently have one.

Would this alleviate this pain point in a simpler way?

julian_ebeli
Community Participant
Author

Hi jpoulos, thanks for responding. I've re-written the proposal to try to clarify my intent.

On the idea of having a warning mechanism in the +people dialogue, if there is an organisational policy to not have students in teacher roles then having a choice is not necessary, right! When we see this happen in our system, it's because the teachers are looking for the path of least resistance; they are often under time pressure and they are not realising the implications.

We had students with teacher roles get elevated access in LTIs via ENV["current_user_roles"] with nasty security implications outside of Canvas. Now we literally have to manually search the system for students with teacher roles and change them.

jpoulos
Instructure Alumni

Thanks for the clarification @julian_ebeli. It seems like this might best fit as a new account setting like "Restrict enrollments to a user's declared user type", so I've associated this theme to the "Make account configuration more flexible through new account settings" theme. If enabled, Canvas would only allow a user to take on roles with the base role declared in that setting.

jpoulos
Instructure Alumni
Status changed to: Added to Theme
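
The manual search for students holding teacher roles, and the restriction discussed in the thread, can be expressed as an offline audit. This is an added example, not code from the thread or from Canvas: the `ALLOWED` mapping is an assumed policy, the sample records are constructed, and the field names follow the login and enrollment objects returned by the Canvas REST API.

```python
# Course admin base roles named in the thread: teacher, TA, designer.
COURSE_ADMIN = {"TeacherEnrollment", "TaEnrollment", "DesignerEnrollment"}
# Assumed policy (not from the page): enrollment types each declared type may hold.
ALLOWED = {
    "student": {"StudentEnrollment"},
    "teacher": {"StudentEnrollment"} | COURSE_ADMIN,
    "observer": {"ObserverEnrollment"},
}
LIVE_STATES = {"active", "invited"}  # ignore deleted or concluded enrollments


def allowed_types(logins):
    """user_id -> union of enrollment types permitted across all their logins."""
    allowed = {}
    for login in logins:
        declared = login.get("declared_user_type")
        if declared in ALLOWED:  # unset or unmapped values count as undeclared
            allowed.setdefault(login["user_id"], set()).update(ALLOWED[declared])
    return allowed


def audit(logins, enrollments):
    """Return (user_id, course_id, type, reason) for enrollments to review."""
    allowed = allowed_types(logins)
    findings = []
    for e in enrollments:
        if e["enrollment_state"] not in LIVE_STATES:
            continue
        uid, etype = e["user_id"], e["type"]
        if uid not in allowed:
            if etype in COURSE_ADMIN:  # cannot be evaluated; needs a human look
                findings.append((uid, e["course_id"], etype, "undeclared"))
        elif etype not in allowed[uid]:
            findings.append((uid, e["course_id"], etype, "violation"))
    return findings


# Constructed sample data, shaped like Canvas login and enrollment objects.
LOGINS = [{"user_id": u, "declared_user_type": d} for u, d in
          [(101, "student"), (102, "teacher"), (103, "student"),
           (103, "teacher"), (104, None)]]
_ROWS = [  # (user_id, course_id, type, enrollment_state)
    (101, 1, "StudentEnrollment", "active"), (101, 2, "TeacherEnrollment", "active"),
    (102, 2, "TeacherEnrollment", "active"), (103, 3, "TaEnrollment", "active"),
    (104, 3, "DesignerEnrollment", "invited"), (101, 4, "TaEnrollment", "deleted"),
]
ENROLLMENTS = [dict(zip(("user_id", "course_id", "type", "enrollment_state"), r)) for r in _ROWS]

if __name__ == "__main__":
    print(audit(LOGINS, ENROLLMENTS))
```

Users with no declared type are reported separately as "undeclared" because, as noted in the thread, many institutions leave the field empty and those accounts cannot be evaluated against the policy.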