Create a User-Managed Zoom integration, allow opt-in
Jonathan Champ
Whiz Kid
Currently, the Zoom integration requires Zoom admin permissions and arbitrarily brings in "all" recordings, but only new recordings. In addition to the obvious workflow concerns, this is a significant security and privacy concern for our users and our administrators.
Instead of asking for administrator access to Zoom, Panopto should empower users by creating a User-Managed Zoom app: https://marketplace.zoom.us/docs/guides/build#account-level-user-managed-apps
This would allow individual users to opt-in to the Zoom-Panopto integration, thereby consenting and granting access to only their Zoom recordings.
This is something that other users have requested in the past. In particular, this could also allow users to control which recordings are pulled into Panopto automatically and into which folders those recordings should be placed. Example of a request for Zoom integration opt-in: https://community.panopto.com/discussion/517/is-it-possible-for-an-opt-in-integration-with-zoom
We like Panopto and want this to be a success. However, we have denied all previous requests for account-level Zoom integrations due to similarly overreaching permissions requests.
Comments
Hi @Jonathan Champ - We're expecting to ship opt-in/out in the next few weeks. Thanks for your patience! Thanks. -Dave
https://support.panopto.com/s/article/Learn-About-the-Zoom-and-Webex-Meetings-Import-Options
Hi @Dave Hannan - Thank you for the information. This appears to address one of the concerns, specifically "which users' recordings are imported". However, it does not seem to address the core issue: Account-level vs. User-Managed permissions.
If you select "Panopto users must opt-in" that would force users to go into their Panopto user settings and opt all of their Zoom recordings into Panopto. You are correct that the app is still connected at an account level instead of at the user level. Is the issue that all recordings are imported vs just the ones they choose? We do place the imported recordings into a secure subfolder that only the creator has access to and they can map individual Zoom IDs to Panopto folders.
Very good conversation. My organization grappled with this question too. Probably the biggest issue for us - security and privacy. We concluded that Panopto systems and defaults help keep privacy.
-The default for "opt-in" zoom recordings to Panopto, automatically uploads recordings to "My Folder" -> "Meeting Recordings".
-Permission ="creators". This keeps recordings private. Videos need to be moved to course folders. Only students enrolled in the course have access to the videos. Faculty, intentionally would have to move videos to share.
Questions we raised (below) had lots of pros and cons.
1) Should we stay with the default folder mapping or not?
2) Should we allow for automatically deleting videos in Zoom after uploaded to Panopto?
Question: If a person "opts out" for automatically importing Zoom videos to Panopto, can they change their minds later, and how?
@Dave Hannan The problem is that Panopto has access to manage recordings for all accounts. This is far from the principle of least privilege. An honest mistake could delete all recordings from all accounts rather than just the people who opted-in to that risk.
@Elba Rios I do agree that Panopto does their best to protect the videos once they are loaded into Panopto.
Overall, I just don't feel comfortable granting Panopto full control over all of the recordings for all of my Zoom users. That isn't my decision to make for my users. Instead, with a User-Managed app, the user would have the power. The Panopto interface could let users choose which folder is their default "Zoom import" folder and set up their own custom mappings so that all recordings for a recurring meeting are mapped to the correct folder. Users would be able to opt-in and opt-out at any time, again because this method empowers them to do so. Additionally, the users themselves could control whether the Zoom recordings are deleted after the recordings are imported into Panopto. This would also be particularly useful for past recordings, because the user could initiate an import from Zoom from their list of Zoom recordings, sending the recordings to a Panopto folder of their choice.
@Elba Rios I'm not sure if the "opt out"/change mind question is for me or for Dave. In my proposed scenario, there are two levels where a user could opt-out of automatic import. Option 1: Within Panopto, the user would have the ability to control whether Zoom recordings import automatically or only manually. Option 2: Within Zoom, users can manage the User-Managed apps they have "installed". "Uninstalling" the app revokes the permissions that were previously granted. See: https://marketplace.zoom.us/user/installed
@Elba Rios Yes, the user will be able to opt-in/out anytime they like. This will be available under user settings in Panopto - Info tab.
@Jonathan Champ Good feedback! I'll pass it along to our product team.
@Dave Hannan , any update on this?
@Jonathan Champ , Have you come up with a workaround this since the last comment in January?
We've tried the following:
1) Create a batch group in Panopto (for exclusion) -- OUTCOME: Can't exclude.
2) Create Canvas group (faculty of record in the last 2 years) for "inclusion" in Zoom integration. OUTCOME: Zoom does not recognize Canvas groups.
3) Delete "Meeting Recordings" folder for staff - who's account require confidentiality. OUTCOME: New Zoom recordings automatically re-provision the recordings folder in Panopto, and automatically upload new Zoom recordings.
4) Add External group "SAML". CONSIDERATIONS: There's no way to make exceptions within the SAML group.
5) Use the Zoom LTI Pro option for "inclusion". HAVE YOU LOOKED INTO THIS?
Hi @Elba Rios - The new opt-in features will be shipping in a few weeks. I'll ask your CSA to reach out so we can review the changes in more detail to make sure that it's solving your problems. Thanks. -Dave
Hi @Elba Rios
At this time, we are not approving any "Account-level" apps for Zoom. The current Panopto app and the "LTI Pro" app both require access to the entire Zoom enterprise account. This means that only an administrator can opt-in and it opts-in everyone, even those users that do not want to grant that level of access to their meetings and recordings. Further, the LTI Pro app asks for permission to manage user accounts, which is beyond unnecessary for our use case.
The type of apps for Zoom that we have approved are "User-managed" apps. This type of app allows the individuals who want to use it the ability to opt-in for themselves and does not force anyone to grant unwanted access.
In reviewing the functionality offered by the current Panopto app for Zoom and the current LTI Pro app for Zoom, it seems like the benefits are quite a bit less than what I would hope for. Overall, it seems like the LTI Pro app attaches a small amount of metadata to the meetings so that external tools like Panopto can use that metadata to map the content to folders. The Panopto app then queries "recent" recordings and schedules an import of those recordings into specific folders on the Panopto side, optionally honoring the LTI Pro configuration to determine to which folders those recordings are imported.
If Panopto allows us to import using the Panopto API all of the pieces that their internal Zoom integration processes, then it would be completely possible to create a tool that lets individual users decide which of their meetings/recordings in Zoom that they want to move to Panopto and where. It would also allow users to do this for recordings that were not previously imported or that were created prior to activating the integration (I believe you can pay separately for importing previous recordings, but remember hearing that it is not part of the stock integration and likely follows the existing all-or-nothing approach).
I don't want to upset the apple cart here, but I'd like to be able to:
For now, I think the workaround is upload the MP4 and import the transcript. At least we know this consistently meets all of the criteria listed.
Last week I determined that about 85% of my Panopto content is coming from Zoom, but only ~55% of those videos are ever watched. As a result, I have about 70K sessions with no views which total about 50K hours of content. Given the upcoming changes to the pricing model, that represents a substantial cost.
A number of customers have asked Panopto for a way to import specific recordings (as opposed to importing all of them). Apparently such a change is not possible due to the way Zoom and Panopto are integrated.
But could Panopto implement something similar to the publisher approval workflow which already exists for regular video content? A process in which users would be asked if they want to save their cloud recordings after they have been imported from Zoom?
I envision something like the following:
Since this process is essentially just an implementation of a content retention policy but it is applied close to the point of intake (as opposed to doing so later), the specific actions and timings should be configurable by at the site level. (Maybe we want to give users 30 days to do anything. Then we elect to archive the recording in 30 days and then delete it 60 days later. Another customer may choose to give users only 7 days to act and then delete the recording immediately knowing that it can be retrieved from the Panopto Recycle bin for 90 days.)
It seems like it would also be possible to have any Meeting IDs which are mapped to folders or any meetings which are from an LTI integration be exempted from this process. They should go where they’re supposed to without any action required. This would reduce the impact on course related content and require minimal changes in user behavior.
If a user has not acted on a recording and indicated their preference, Panopto could also send the users follow up emails prior to any action taking place (perhaps a week before and the day before?).
* In order to reduce the quantity of emails users receive (since I often see multiple recordings for the same meeting), it may be helpful send users a daily email which contains a list of their imported recordings as opposed to sending one for every recording. The emails might just take users to a page in Panopto (in the user's settings?) where they can review and take action on any Zoom recordings which they have not yet acted upon. The email could also let customers share their content retention policies.
I suspect we are all importing a lot of content which is not actually needed. This process seems like it could be a relatively simple way to reduce that.
And perhaps most importantly, right now Panopto admins are solely responsible for managing storage. This process would let us shift some of that responsibility to the users and give them some control over their own content.
Yet another reason that I asked for a User-Managed integration: https://community.panopto.com/discussion/1041/create-a-user-managed-zoom-integration-allow-opt-in
It should be possible for Users to have control over which content is being pulled into Panopto. And granting blanket access to Panopto to manage the whole process leaves us with problems like this where all newly created content comes through. There's no opportunity to change your mind later if you want something imported and you don't have a way of importing one specific recording using the advanced Zoom import functionality. 😥