Welcome to the Panopto Community

Please note: All new registrants to the Panopto Community Forum must be approved by a forum moderator or admin. As such, if you navigate to a feature that is members-only, you may receive an error page if your registration has not yet been approved. We apologize for any inconvenience and are approving new members as quickly as possible.

Create a User-Managed Zoom integration, allow opt-in

Currently, the Zoom integration requires Zoom admin permissions and arbitrarily brings in "all" recordings, but only new recordings. In addition to the obvious workflow concerns, this is a significant security and privacy concern for our users and our administrators.

Instead of asking for administrator access to Zoom, Panopto should empower users by creating a User-Managed Zoom app: https://marketplace.zoom.us/docs/guides/build#account-level-user-managed-apps

This would allow individual users to opt-in to the Zoom-Panopto integration, thereby consenting and granting access to only their Zoom recordings.

This is something that other users have requested in the past. In particular, this could also allow users to control which recordings are pulled into Panopto automatically and into which folders those recordings should be placed. Example of a request for Zoom integration opt-in: https://community.panopto.com/discussion/517/is-it-possible-for-an-opt-in-integration-with-zoom

We like Panopto and want this to be a success. However, we have denied all previous requests for account-level Zoom integrations due to similarly overreaching permissions requests.

Tagged:
9 votes

New · Last Updated

Comments

  • Dave HannanDave Hannan Administrator

    Hi @Jonathan Champ - We're expecting to ship opt-in/out in the next few weeks. Thanks for your patience! Thanks. -Dave

    https://support.panopto.com/s/article/Learn-About-the-Zoom-and-Webex-Meetings-Import-Options

  • Jonathan ChampJonathan Champ Whiz Kid
    edited January 2021

    Hi @Dave Hannan - Thank you for the information. This appears to address one of the concerns, specifically "which users' recordings are imported". However, it does not seem to address the core issue: Account-level vs. User-Managed permissions.

  • Dave HannanDave Hannan Administrator
    edited February 2021

    If you select "Panopto users must opt-in" that would force users to go into their Panopto user settings and opt all of their Zoom recordings into Panopto. You are correct that the app is still connected at an account level instead of at the user level. Is the issue that all recordings are imported vs just the ones they choose? We do place the imported recordings into a secure subfolder that only the creator has access to and they can map individual Zoom IDs to Panopto folders.

  • Very good conversation. My organization grappled with this question too. Probably the biggest issue for us - security and privacy. We concluded that Panopto systems and defaults help keep privacy.

    -The default for "opt-in" zoom recordings to Panopto, automatically uploads recordings to "My Folder" -> "Meeting Recordings".

    -Permission ="creators". This keeps recordings private. Videos need to be moved to course folders. Only students enrolled in the course have access to the videos. Faculty, intentionally would have to move videos to share.

    Questions we raised (below) had lots of pros and cons.

    1) Should we stay with the default folder mapping or not?

    2) Should we allow for automatically deleting videos in Zoom after uploaded to Panopto?

  • Question: If a person "opts out" for automatically importing Zoom videos to Panopto, can they change their minds later, and how?

  • @Dave Hannan The problem is that Panopto has access to manage recordings for all accounts. This is far from the principle of least privilege. An honest mistake could delete all recordings from all accounts rather than just the people who opted-in to that risk.

    @Elba Rios I do agree that Panopto does their best to protect the videos once they are loaded into Panopto.

    Overall, I just don't feel comfortable granting Panopto full control over all of the recordings for all of my Zoom users. That isn't my decision to make for my users. Instead, with a User-Managed app, the user would have the power. The Panopto interface could let users choose which folder is their default "Zoom import" folder and set up their own custom mappings so that all recordings for a recurring meeting are mapped to the correct folder. Users would be able to opt-in and opt-out at any time, again because this method empowers them to do so. Additionally, the users themselves could control whether the Zoom recordings are deleted after the recordings are imported into Panopto. This would also be particularly useful for past recordings, because the user could initiate an import from Zoom from their list of Zoom recordings, sending the recordings to a Panopto folder of their choice.

  • @Elba Rios I'm not sure if the "opt out"/change mind question is for me or for Dave. In my proposed scenario, there are two levels where a user could opt-out of automatic import. Option 1: Within Panopto, the user would have the ability to control whether Zoom recordings import automatically or only manually. Option 2: Within Zoom, users can manage the User-Managed apps they have "installed". "Uninstalling" the app revokes the permissions that were previously granted. See: https://marketplace.zoom.us/user/installed

  • Dave HannanDave Hannan Administrator

    @Elba Rios Yes, the user will be able to opt-in/out anytime they like. This will be available under user settings in Panopto - Info tab.

    @Jonathan Champ Good feedback! I'll pass it along to our product team.

  • @Dave Hannan , any update on this?

    @Jonathan Champ , Have you come up with a workaround this since the last comment in January?

    We've tried the following:

    1) Create a batch group in Panopto (for exclusion) -- OUTCOME: Can't exclude.

    2) Create Canvas group (faculty of record in the last 2 years) for "inclusion" in Zoom integration. OUTCOME: Zoom does not recognize Canvas groups.

    3) Delete "Meeting Recordings" folder for staff - who's account require confidentiality. OUTCOME: New Zoom recordings automatically re-provision the recordings folder in Panopto, and automatically upload new Zoom recordings.

    4) Add External group "SAML". CONSIDERATIONS: There's no way to make exceptions within the SAML group.

    5) Use the Zoom LTI Pro option for "inclusion". HAVE YOU LOOKED INTO THIS?


  • Dave HannanDave Hannan Administrator

    Hi @Elba Rios - The new opt-in features will be shipping in a few weeks. I'll ask your CSA to reach out so we can review the changes in more detail to make sure that it's solving your problems. Thanks. -Dave

  • Hi @Elba Rios

    At this time, we are not approving any "Account-level" apps for Zoom. The current Panopto app and the "LTI Pro" app both require access to the entire Zoom enterprise account. This means that only an administrator can opt-in and it opts-in everyone, even those users that do not want to grant that level of access to their meetings and recordings. Further, the LTI Pro app asks for permission to manage user accounts, which is beyond unnecessary for our use case.

    The type of apps for Zoom that we have approved are "User-managed" apps. This type of app allows the individuals who want to use it the ability to opt-in for themselves and does not force anyone to grant unwanted access.

    In reviewing the functionality offered by the current Panopto app for Zoom and the current LTI Pro app for Zoom, it seems like the benefits are quite a bit less than what I would hope for. Overall, it seems like the LTI Pro app attaches a small amount of metadata to the meetings so that external tools like Panopto can use that metadata to map the content to folders. The Panopto app then queries "recent" recordings and schedules an import of those recordings into specific folders on the Panopto side, optionally honoring the LTI Pro configuration to determine to which folders those recordings are imported.

    If Panopto allows us to import using the Panopto API all of the pieces that their internal Zoom integration processes, then it would be completely possible to create a tool that lets individual users decide which of their meetings/recordings in Zoom that they want to move to Panopto and where. It would also allow users to do this for recordings that were not previously imported or that were created prior to activating the integration (I believe you can pay separately for importing previous recordings, but remember hearing that it is not part of the stock integration and likely follows the existing all-or-nothing approach).

    I don't want to upset the apple cart here, but I'd like to be able to:

    • let the users decide who can access their content (so users maintain more control)
    • let the users decide which content they want to migrate (so only the right Zoom recordings are imported)
    • let the users decide where they want that content to go (i.e. folders where could the user can upload themselves)
    • not discriminate between newly created content and historical (because everything we have prior to now is "historical")

    For now, I think the workaround is upload the MP4 and import the transcript. At least we know this consistently meets all of the criteria listed.

Sign In or Register to comment.