Create a User-Managed Zoom integration, allow opt-in
Currently, the Zoom integration requires Zoom admin permissions and arbitrarily brings in "all" recordings, but only new recordings. In addition to the obvious workflow concerns, this is a significant security and privacy concern for our users and our administrators.
Instead of asking for administrator access to Zoom, Panopto should empower users by creating a User-Managed Zoom app: https://marketplace.zoom.us/docs/guides/build#account-level-user-managed-apps
This would allow individual users to opt-in to the Zoom-Panopto integration, thereby consenting and granting access to only their Zoom recordings.
This is something that other users have requested in the past. In particular, this could also allow users to control which recordings are pulled into Panopto automatically and into which folders those recordings should be placed. Example of a request for Zoom integration opt-in: https://community.panopto.com/discussion/517/is-it-possible-for-an-opt-in-integration-with-zoom
We like Panopto and want this to be a success. However, we have denied all previous requests for account-level Zoom integrations due to similarly overreaching permissions requests.
Hi @Jonathan Champ - We're expecting to ship opt-in/out in the next few weeks. Thanks for your patience! Thanks. -Dave
Hi @Dave Hannan - Thank you for the information. This appears to address one of the concerns, specifically "which users' recordings are imported". However, it does not seem to address the core issue: Account-level vs. User-Managed permissions.
If you select "Panopto users must opt-in" that would force users to go into their Panopto user settings and opt all of their Zoom recordings into Panopto. You are correct that the app is still connected at an account level instead of at the user level. Is the issue that all recordings are imported vs just the ones they choose? We do place the imported recordings into a secure subfolder that only the creator has access to and they can map individual Zoom IDs to Panopto folders.
Very good conversation. My organization grappled with this question too. Probably the biggest issue for us - security and privacy. We concluded that Panopto systems and defaults help keep privacy.
- The default for "opt-in" Zoom recordings to Panopto automatically uploads recordings to "My Folder" -> "Meeting Recordings".
- Permission = "creators". This keeps recordings private. Videos need to be moved to course folders. Only students enrolled in the course have access to the videos. Faculty would intentionally have to move videos to share.
Questions we raised (below) had lots of pros and cons.
1) Should we stay with the default folder mapping or not?
2) Should we allow for automatically deleting videos in Zoom after they are uploaded to Panopto?
Question: If a person "opts out" for automatically importing Zoom videos to Panopto, can they change their minds later, and how?
@Dave Hannan The problem is that Panopto has access to manage recordings for all accounts. This is far from the principle of least privilege. An honest mistake could delete all recordings from all accounts rather than just the people who opted-in to that risk.
@Elba Rios I do agree that Panopto does their best to protect the videos once they are loaded into Panopto.
Overall, I just don't feel comfortable granting Panopto full control over all of the recordings for all of my Zoom users. That isn't my decision to make for my users. Instead, with a User-Managed app, the user would have the power. The Panopto interface could let users choose which folder is their default "Zoom import" folder and set up their own custom mappings so that all recordings for a recurring meeting are mapped to the correct folder. Users would be able to opt-in and opt-out at any time, again because this method empowers them to do so. Additionally, the users themselves could control whether the Zoom recordings are deleted after the recordings are imported into Panopto. This would also be particularly useful for past recordings, because the user could initiate an import from Zoom from their list of Zoom recordings, sending the recordings to a Panopto folder of their choice.
@Elba Rios I'm not sure if the "opt out"/change mind question is for me or for Dave. In my proposed scenario, there are two levels where a user could opt-out of automatic import. Option 1: Within Panopto, the user would have the ability to control whether Zoom recordings import automatically or only manually. Option 2: Within Zoom, users can manage the User-Managed apps they have "installed". "Uninstalling" the app revokes the permissions that were previously granted. See: https://marketplace.zoom.us/user/installed
@Elba Rios Yes, the user will be able to opt-in/out anytime they like. This will be available under user settings in Panopto - Info tab.
@Jonathan Champ Good feedback! I'll pass it along to our product team.
@Dave Hannan, any update on this?
@Jonathan Champ, have you come up with a workaround for this since the last comment in January?
We've tried the following:
1) Create a batch group in Panopto (for exclusion) -- OUTCOME: Can't exclude.
2) Create Canvas group (faculty of record in the last 2 years) for "inclusion" in Zoom integration. OUTCOME: Zoom does not recognize Canvas groups.
3) Delete "Meeting Recordings" folder for staff whose accounts require confidentiality. OUTCOME: New Zoom recordings automatically re-provision the recordings folder in Panopto, and automatically upload new Zoom recordings.
4) Add External group "SAML". CONSIDERATIONS: There's no way to make exceptions within the SAML group.
5) Use the Zoom LTI Pro option for "inclusion". HAVE YOU LOOKED INTO THIS?
Hi @Elba Rios - The new opt-in features will be shipping in a few weeks. I'll ask your CSA to reach out so we can review the changes in more detail to make sure that it's solving your problems. Thanks. -Dave
Hi @Elba Rios
At this time, we are not approving any "Account-level" apps for Zoom. The current Panopto app and the "LTI Pro" app both require access to the entire Zoom enterprise account. This means that only an administrator can opt-in and it opts-in everyone, even those users that do not want to grant that level of access to their meetings and recordings. Further, the LTI Pro app asks for permission to manage user accounts, which is beyond unnecessary for our use case.
The type of apps for Zoom that we have approved are "User-managed" apps. This type of app allows the individuals who want to use it the ability to opt-in for themselves and does not force anyone to grant unwanted access.
In reviewing the functionality offered by the current Panopto app for Zoom and the current LTI Pro app for Zoom, it seems like the benefits are quite a bit less than what I would hope for. Overall, it seems like the LTI Pro app attaches a small amount of metadata to the meetings so that external tools like Panopto can use that metadata to map the content to folders. The Panopto app then queries "recent" recordings and schedules an import of those recordings into specific folders on the Panopto side, optionally honoring the LTI Pro configuration to determine to which folders those recordings are imported.
If Panopto allows us to import, using the Panopto API, all of the pieces that their internal Zoom integration processes, then it would be completely possible to create a tool that lets individual users decide which of their meetings/recordings in Zoom they want to move to Panopto and where. It would also allow users to do this for recordings that were not previously imported or that were created prior to activating the integration (I believe you can pay separately for importing previous recordings, but remember hearing that it is not part of the stock integration and likely follows the existing all-or-nothing approach).
I don't want to upset the apple cart here, but I'd like to be able to:
For now, I think the workaround is to upload the MP4 and import the transcript. At least we know this consistently meets all of the criteria listed.