
Providing users access to "Login As" B2 without permitting "B2 Links" privilege for their System Role

Discussion created by dr36900 on Jul 25, 2018
Latest reply on Sep 5, 2018 by carlajiji

I initially went to Bb support for help with this issue, but "We are prohibited from assisting clients with Custom Role development."

 

Proposal: a certain set of users (using a custom System Role with limited privileges/access to the SysAdmin tab) want access to the Log In As building block.

Solution: create a custom Institution Role called "Loginas User" and configure the Log In As building block so that Role Name = Loginas User; set Privilege Escalation Prevention = Yes; and apply this Institution Role to all users needing access to LoginAs, including the requester and the full SysAdmin.

Problems:

Setting the B2 to be accessible to this new Institution Role alone does not provide the end-user with access to the "Login As Another User" link in the Tools & Utilities module on the SysAdmin tab.

I can extend the Administrator Panel (Tools and Utilities)>Building Block Links privilege to the System Role for the requester, and that does make the "Login As Another User" link visible and accessible to that user.  Unfortunately, that also seems to allow unintended access to the following:

  • Turnitin Statistics (some write access and delete access for non-default Quickmark Sets via QuickMark Library tab)
  • Read access to Student Goal Performance Export report in JavaScript Option Notation (.JSON) format
  • Access to Portfolio Settings/Manage Portfolios/Portfolio Templates areas associated to Portfolios building block
  • Basic LTI Tools (seems to allow full SysAdmin type access to perform read/write/delete/manage tasks)

 

Which leads to my question: how can I make Login As available to a user without granting write/delete access to the other building blocks listed above?  Other B2s (impersonate, University of York DSK tools) apparently require full SysAdmin access to use and, while they are visible to these users in the Tools & Utilities module, they are not accessible to them. How can I limit access to things like Basic LTI Tools and Portfolios short of disabling those building blocks?

 

Thanks for any insights.

 

We are currently on Learn 9.1 Q4 2017 CU3 and are a managed-hosted institution.  It might also be worth noting that we do have licenses for Community Engagement and Content Management.
