Add course-level & account-level permissions for LTI installation
This idea has been developed and deployed to Canvas |
Idea open for vote Wed. August 3, 2016 - Wed. November 2, 2016 Learn more about voting... |
Currently, all users with editing access to a course site (via the course-level and account-level "Manage all other course content" permission) have the ability to install a third-party LTI tool within a course. This setting bundles together Modules, Collaborations, LTI, Home Page, Chat, Attendance into a single permission.
Unlike all the other content types included in this permission, which are all native to Canvas, LTI tools have the ability pass through a great deal of student data to a third-party site. This can create legal risks around FERPA and other laws related to student records and privacy.
Currently, some universities use Javascript in order to suppress the options to add an external app when a page is rendered within Canvas. However, this does not have any impact on a user's ability to add an LTI tool, and they can still do so via workarounds including importing a course archive that already has the tool enabled.
Adding granularity to this permission would allow institutions to better fulfill their obligations to protect the privacy of student data, and make decisions locally about who should have the ability to install tools that pass student information outside of Canvas.
Comments from Instructure |
For more information, please read through the Canvas Production Release Notes (2016-11-19)