Our teachers do not have permission to create or manage LTI external tools for compliance/legal reasons, but if they import (or copy), that import can create external tools. The problem this creates is typically with vendor course cartridges. We define tools at the (sub)account level rather than the course level, but some cartridges contain external tool definitions, so an instructor can import a cartridge which creates an external tool (or multiple) and we (I) have to go behind and clean up these definitions. This is a major maintenance headache since if there are duplicate external tool definitions, neither will work. One security risk is that someone could create a cartridge on a different system that violates our compliance policy and import it to create a potential breach on our system.

Don't let people do things that they don't have permission to do! Imports should respect the permissions of the person initiating the import. This has been reported to Instructure, but is not considered a problem!

admin,instructor