Granting Admin Permissions to Third Party Integrations

ward_michael
Community Participant

Are you comfortable granting admin-level permissions to third-party integrations? As a Canvas Admin, we follow the vendor instructions to install Developer Keys, API Keys, LTI apps, admin-level Access Tokens, custom JavaScript, etc.

If the third-party integration uses API Keys, there is the option to Enforce Scopes, but not all tools use that.

The one I am concerned about right now is an accessibility management tool one of our colleges wants to pilot: one of the installation steps requests an admin-level Access Token for an Account Role that includes the "Permissions - manage" permission, which grants both View and Manage access. The vendor says they need that permission to detect whether a user has an Admin Account Role, because they have different functions for users with admin roles. But without a "View only" type of permission for reading the Admin Account-level role, the only option is to give this tool the most powerful permission, "Permissions - manage". If that permission were split in two, so that I could give View but not Manage, I would probably be less concerned.

So do you just "trust" the third-party integration vendor with your entire Canvas system? Granting "Permissions - manage" basically allows them, if they wanted to, to set every permission to Allow, create a full-access Account Admin, and then do anything an Account Admin could do, including deleting everything in your Canvas instance (courses, users, sub-accounts, roles, etc.). That does not seem like a security best practice to me.

While we do require third-party integrations to submit their VPAT or ACR (to cover accessibility) and their Data Privacy Policy (to cover FERPA and privacy laws) for us to review and approve before installing tools, we should also be considering security issues such as the one I mentioned above. I do not think a HECVAT covers those specifics.

So what does your institution do with admin-level access requests for third-party integrations? Do you just go along with it? Do you make the vendor sign some sort of agreement to keep your Canvas system secure and not make any admin-level system changes without first reviewing them with your Canvas Account Admin?

Thank you!
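One concrete check a Canvas admin can run before handing a vendor a token is to audit the account role the token will carry and flag any permission that lets the holder widen its own rights. The script below is an added example, not part of the original post or of Canvas; the role JSON is constructed to mirror the shape of the Canvas Roles API (GET /api/v1/accounts/:account_id/roles), and the mapping of the UI label "Permissions - manage" to the internal key `manage_role_overrides` (and "Admins - add / remove" to `manage_account_memberships`) is an assumption about that API.

```python
"""Audit a Canvas account role before granting its access token to a vendor.

Input follows the JSON shape returned by the Canvas Roles API, where each role
carries a ``permissions`` map keyed by internal permission names. The sample
roles below are constructed for this example; the internal key names for the
escalation-capable permissions are assumptions, not taken from the post.
"""
import json

# Permissions that let a token holder widen its own rights (assumed keys).
ESCALATION_PERMS = {
    "manage_role_overrides": "Permissions - manage (can enable any permission)",
    "manage_account_memberships": "Admins - add / remove (can create admins)",
}

# Constructed sample: one vendor role as requested, one read-only alternative.
SAMPLE_ROLES = json.loads("""[
  {"id": 1, "label": "Vendor Integration", "base_role_type": "AccountMembership",
   "permissions": {
     "manage_role_overrides": {"enabled": true, "locked": false},
     "read_roster": {"enabled": true, "locked": false}}},
  {"id": 2, "label": "Read-only Reporting", "base_role_type": "AccountMembership",
   "permissions": {
     "read_roster": {"enabled": true, "locked": false},
     "manage_role_overrides": {"enabled": false, "locked": true}}}
]""")


def enabled_permissions(role):
    """Return the set of permission keys actually enabled for a role."""
    return {name for name, state in role.get("permissions", {}).items()
            if state.get("enabled")}


def escalation_findings(role):
    """List the escalation-capable permissions a role holds, with a reason."""
    return [(p, ESCALATION_PERMS[p]) for p in sorted(enabled_permissions(role))
            if p in ESCALATION_PERMS]


def audit_roles(roles):
    """Map role label -> findings; an empty list means no escalation path."""
    return {r["label"]: escalation_findings(r) for r in roles}


if __name__ == "__main__":
    for label, findings in audit_roles(SAMPLE_ROLES).items():
        print(f"{'BLOCK' if findings else 'ok':5} {label}")
        for perm, why in findings:
            print(f"      - {perm}: {why}")
```

Point the same functions at the live Roles API response for the account where the token will be minted; any role that comes back with findings is one the vendor can use to grant itself full Account Admin rights.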
