Introduction
Our colleges operate within the constraints of enterprise systems and policies. There are some key things that vendors should know when working with faculty and college support staff:
- We run a single instance of Canvas at https://learn.vccs.edu (an alias of vccs.instructure.com), administered by the System Office
- There are twenty-three colleges, and a system office, on this single instance of Canvas
- Each college has a Canvas sub-account with college-level administrators
- Instructors cannot create LTI tools (Apps) in their courses
- College-level administrators cannot create LTI tools

This means:
- We very strongly prefer tools that are installed at the Account level (not the course level), and preferably once at the root VCCS account
- Instructors and local administrators can import a course package, but that package may not create an LTI tool. We recommend that instructors use the Select Content option and not import the tool configuration for that reason.
- Tools should not be configured to place themselves into Course Navigation as enabled by default unless a college has specifically requested it
Policy
We do not allow instructors and colleges to create LTI tools themselves because we have compliance requirements (security, accessibility, privacy, standards, etc.).
Process
1. Instructor makes a request to local college administrator
2. Local college administrator gathers some basic information and requests from VCCS
3. VCCS reviews, validates technical requirements, and refers to our Compliance team
4. Compliance team reviews vendor documentation
As of October 2021, our process requires all tools to provide a VPAT or WCAG statement of accessibility compliance.
| Canvas Privacy Level | Privacy Compliance Documentation Required from Vendor |
|---|---|
| Anonymous | None |
| Name Only or Email Only | HECVAT Lite |
| Public | SOC 2 Type 2 Report. If not available, then a HECVAT Full. Our compliance team will note deficiencies and ask for remedies before making a recommendation. |
5. If your tool passes the Compliance review, it can be installed by System Office IT.
SSO Portal
We have an SSO Portal which supports SAML 2. There is a single IDP with claim attributes to identify school affiliations and type of user. Some applications (e.g. tutoring, course evaluations) are a good fit for this (potentially in addition to Canvas).
Access to our LMS and Other Systems
We occasionally have vendors contact us to request access to our LMS. There are ways we can facilitate this within the constraints of our security policies. Local colleges can assist with this.
If a product has been purchased through a contract, it may have undergone a compliance review already, but products under a certain dollar threshold may not have. This means that it’s possible to purchase a product that may not meet our system-level requirements.
Other considerations
Some vendors request a user developer key or an administrator type account token. Our very strong preference is for vendors to use a developer key to take users through the OAuth permissions process so that they only have the permissions that they need. In fact, Instructure insists on this:
“Note that asking any other user to manually generate a token and enter it into your application is a violation of Canvas' terms of service. Applications in use by multiple users MUST use OAuth to obtain tokens.”
An administrator token is really an end run around permissions structures and is not looked on kindly.
LTI 1.3 offers better ways for vendors to work with Canvas and other LMS.
Contacts