Notification of Group Ownership Issue for LMS Groups
Hello - We want to let you know about an already corrected issue that impacted all Panopto sites with an LMS integration.
What is the issue?
Panopto’s LMS integrations automatically create and populate user groups to manage access to videos and folders. Beginning on January 8th, in some cases, Panopto created new user groups with the incorrect owner. Instead of an owner of “System” the owner was the first user to click the LTI link within the LMS, which could include students. The issue occurred in cases where the user groups did not already exist: new courses that were not batch provisioned. This bug was resolved on February 24th and the user groups with incorrect owners were updated to “System” on March 21st.
What permissions do user group owners have?
Users within Panopto that have creator permission to at least one folder are able to access the “User Groups” system menu. For those users, if they open the settings for a user group where they are an owner, they can access and temporarily modify group membership.
Could a student have modified access to content?
Yes, if a student modified a user group’s membership, it would temporarily change the set of users that can access the content to which the user group has access.
Since these groups are created and maintained by Panopto’s LMS integrations, each user’s group memberships update on every sign-in or LTI link click-through from the LMS. This means any users who may have been granted incorrect membership to a group would have subsequently been automatically removed by their next access of Panopto via the LMS.
For this problem to occur, a student with creator access to a folder in Panopto, would need to first browse into the System menu for managing User Groups, which they previously had access to. Amongst all user groups on the Panopto site, they would need to identify a group where they are the owner. They would then be able to open the settings for that group and temporarily modify its membership.
When will this be resolved?
We have removed any user accounts that were unintentionally made owners of the group. There is no action required to resolve this issue.
For any questions, please contact Panopto Support online at support.panopto.com.