How to do you handle permissions issues with faculty?
Hi! We have many faculty using course copy (in Canvas but this probably applies to other LMSs), and they have linked to Panopto videos in assignments, pages, or modules using the regular embed codes or links (that they find under the "Share" tab of their video) versus the Panopto LTI in the rich content editor.
This causes permissions issues with students as faculty are using links that direct to a video in a previous course. Without using the LTI students are not added to the viewer group.
One thing we realized is the confusion that exists for faculty regarding the "Panopto LTI" and the regular "embed code". It's SO easy to go to the video, click "Share" and see the Link and Embed code at the bottom. That's how they get into the "my students can't view my video" situation. Does anyone have an effective/creative way to direct faculty to use the LTI when embedding links in course content to avoid permission issues at the beginning of every semester? Any of your other higher ed or education customers with any insights?
Answers
Yeah, this is something I've seen many times. Unfortunately, we allow for Creators to set sessions to "Anyone with the link (unlisted)" and that is a way for course staff to get around the issue as opposed to the better/preferred way of embedding via the Panopto LTI tool and not using hard links. I think the only way out of this for the near term is through outreach: support articles, educating your school liaisons (and teaching staff), workshops, etc.
In Canvas at least, I think the best option is to have them use the Panopto tool in the WYSIWG editor. It creates a unique and custom group which leverages the Canvas API.
When a video is embedded that way, it grants that group viewing rights to the video.
When students encounter a video embedded in a Canvas course, it automatically adds the student to that group and they can view the video in question.
It's pretty seamless.
With LTI Deep Linking in place, Canvas users who arrive at a Panopto video embedded into Canvas are provided with the access required to view it.
https://support.panopto.com/s/article/Learn-About-How-the-Canvas-Integration-Manages-Permissions
It also is supposed to work with their Course Copy functionality.
I also have a script we wrote which runs on AWS that creates a Private and Shared folder for all my Panopto users. The Shared folder is set to "Your Organization (unlisted) Anyone at your org who has the link". Any videos placed in their Shared folder should be viewable by all students.
We turned on a feature last year which will attempt to sync permissions when a user encounters the "Request Access" page. The result of this will be that as long as a video is stored in the proper location (in the course folder) and the groups are left in place, students will be able to access course content. This feature really helped to reduce the sharing/permissions issues that come up.
We train users that the best way to share things is to use the LTI/WYSIWG tool for the reasons that Chaz shared, but some users want to just share links, or they want to share via an email directly to students, or in a PowerPoint, etc. In those cases, the feature to sync permissions JiT covers most of the gaps. There are still situations where things are stored somewhere other than the course folder and in those cases, we tell folks to either add the auto-managed course groups to their folder, move things into the course folder, or that they will need to manage permissions manually.
I also periodically audit when folks are directing a large number of viewers to things in their My Folder to hopefully either help them start using their course folder or a shared folder if it is a departmental thing. I am still working on getting AD groups into the fold in Panopto, which should cover most of our remaining sharing needs, but it turns out that is a much larger discussion/goal than I initially expected.
@Michael Espey where do I find that sync permissions feature? Is that in Panopto or my LMS (Blackboard Original now, will be D2L in near future.) We've had issues with this in the past, but more so with instructor using the Panopto Video Link Tool, not as much with LTI embeds.
Thank you.
@Kevin Hartman It is a "super user" setting that is available to Panopto Support under 'Attempt Permissions Sync on Request Access Page'. There is another setting under our IDP config under 'Sync permissions for this provider on Sign-In from other providers' that will sync all IDPs a user has logged in from when they sign into one. I am not sure if it is available for D2L, but we turned this setting on along with the 'Sync on Request Access Page' setting, and both seem to be working really well.
I am not sure of any drawbacks to either setting, rather, why it isn't the default state. I assume it is just much more "expensive" in that it will run that sync quite frequently. Panopto said in my initial inquiry that there wasn't any performance degradation beyond how long it takes to authenticate and that seemed OK to me. It seems to be working well for us and we haven't heard of any rate limiting coming in from anyone involved. We had a huge reduction in the number of access issues we saw with the move from 5.6 on prem (no deep-linking with the LTI) to 6.0 in the cloud (with deep-linking) and I saw a similar reduction when we turned on these settings.
As it stands, I see maybe 2 or 3 a semester now. Most, if not all, come from folks who had a new departmental account set up in Zoom and they used it to record to the cloud without telling us. When they log into the same account in Panopto through SAML, it doesn't have an email associated out of the box, so the video is lost in the void until we move it for them.
@Michael Espey thank you for the information. I think we might have tried this at one point with Panopto (we had a call with a super user engineer) and it still wasn't working the way it should. We left it as it might be something on our end with our instances of Shibb and BB and how they were talking to each other, but I'm not sure, way above my head. I think it might have worked on our Dev site but not our Prod site. It was a while ago and I can't remember now, then 2020 happened so it's all been a blur...