Zoom Security Review Process for Applications on App Marketplace


The Zoom Marketplace Review Team has a dedicated review process before an application (app) gets published to the App Marketplace, inclusive of usability and security evaluations. Customers can embed the Zoom Meetings, Webinar, or Phone experience into existing apps and workflows, referred to as integrations, as well as use apps that are integrated into Zoom products and services, referred to as Zoom Apps. There are two types of apps on the Marketplace: 1st-party apps built by Zoom and 3rd-party apps built by 3rd-party developers.

This article gives IT administrators (those who manage the Zoom Account as members of the IT organization) and Chief Information Security Officers an overview of user roles, the access each role has to user data on the account, app permissions, and the data apps may access, with insights throughout on how the Zoom Security Review process evaluates every app on the App Marketplace.

This article contains:

How to understand account roles

Firstly, it's important to understand the default roles a user on a Zoom Account can have. The following chart provides details on the relationship between the three default Zoom roles, permissions for those roles, and their applicability to the App Marketplace.

Learn how to identify your role in a Zoom Account.

| Default Zoom Roles | Role Permissions | Role Permissions Related to the App Marketplace |
|---|---|---|
| Owner | Has all privileges, including role management. | Manage and install apps from the App Marketplace for the Zoom Account. The account owner can approve apps for their account, allowing users to install the app if/when it's needed, as well as add apps on behalf of their users. |
| Admin | Has similar privileges to the Owner role, excluding role management. Admins can add, remove, or edit users, as well as access account settings and advanced features such as API, SSO, Meeting Connector, and App Marketplace. | Manage and install apps from the App Marketplace for the Zoom Account, as they have Marketplace role access by default. Admins can approve apps for their account, allowing users to install the app if/when it's needed, as well as add apps on behalf of their users. |
| Member (Users) | Has no administrative privileges. Generally referred to as users. | Manage and install apps from the App Marketplace for their own individual use (pre-approval by an admin may be required). If pre-approval is enabled, may request app approval from the admin. |

Note: Custom roles with varying levels of permissions are also possible, but none are created by default. Learn more about role management.

Developers must declare what Zoom data they need access to. The Zoom Marketplace Review Team will validate the reason for accessing this data before publishing the app to the App Marketplace. Both User-level apps and Account-level apps will prompt and ask for approval from the end user or admin who is enabling the App. Users are given an opportunity to review the data scopes the App will have access to. Here is a list of scopes developers are able to declare.

Because users are also able to delegate certain functionality to other users on the same account (e.g., scheduling meetings on their behalf), apps can be given this same privilege and access to similar data. For more information about allowing apps access to shared permissions, see this article.

Understanding apps approved by admins

Zoom admins and custom roles with Marketplace permissions have the ability to pre-approve which apps can be installed by individual users, groups of users, or all users on the account.

This allows admins to control which apps are immediately available for install by their users, while also fielding requests for other apps their users may want to use. After receiving a request from an end user, admins may begin reviewing the app, its functionality, scopes, permissions, and more to determine if they want to allow this app to be installed by the requesting User and others on the account.

Learn more about how to approve apps for an account.

Understanding apps added by admins

In addition to the ability to approve apps for users to add themselves, admins can also add apps for users on their behalf, speeding up users’ access to apps. Admins can add any user-level app on behalf of all users on their account or just specific individual users. When an app is added by an admin, users will receive an in-client notification, indicating the app is ready for them to use. Additionally, admins can choose to have Zoom send them an email notification, or choose not to have Zoom send an email, if they would rather use their own internal communication method.

Admins can utilize both admin approval and adding apps on behalf of users, which can be useful in providing all users with a basic suite of Marketplace apps, while still allowing for other apps to be approved for users with specific needs.

Learn more about how to add apps as an admin.

How to understand different app types

Apps in the App Marketplace can be filtered, among other ways, by the User role required to install the app for use: Account admins and Any user. These correspond to Account-level apps and user-level apps, respectively.

Account-level apps

A Zoom account admin can authorize and deauthorize Zoom Account-level apps for all users within the Zoom account.

Account-level apps can:

An example of an Account-level app on the App Marketplace is LTI Pro.

For this example, we will focus on the Requirements. The Requirements for LTI Pro list Account Admins as the necessary User role for installing the app, as this app can only be installed for the entire account by an admin.

User-level apps

Individual Zoom users (non-admins, members) can authorize and deauthorize User-level apps, as long as the app has been pre-approved by an admin.

User-level apps can:

An example of a User-level app on the App Marketplace is Virtual Backgrounds. The Requirements for Virtual Backgrounds list Any user as the necessary User role for installing the app, as this app can be installed by any individual user on the account, if pre-approved by an admin.

How to understand app permissions, OAuth scopes, and end-user data

Every App Marketplace listing displays a list of permissions and OAuth (data) scopes requested by the app. These provide context on what the app can access on your Zoom Account and actions the app can take on your behalf.

Understanding permissions

Every App Marketplace listing displays a list of permissions requested by the respective app, which directly corresponds to the OAuth scopes being requested by the app.

When you authorize an app, you grant the app corresponding permissions to view and/or manage specific data on your behalf.

Permissions vary, so we will use the App Marketplace listing for the Workday app as an example. The Workday listing shows read-only permissions.

Understanding OAuth scopes

Every App Marketplace listing displays a list of data scopes—specifically OAuth scopes—requested by the respective app. OAuth 2.0 is the industry-standard authorization protocol that allows applications to obtain requested access to user accounts over HTTPS with the user’s approval. Zoom uses OAuth to allow apps to make API requests and subscribe to webhook events for the user that granted these permissions. OAuth scopes provide a way to limit the amount of end-user data an app and its developer can access and/or edit.

Refer to the complete list of OAuth scopes, their descriptions, and the API calls that an app granted each scope is able to make.

OAuth Scopes vary, and we will review two different App Marketplace listings for context.

First, let’s review the Workday app. This is an account-level app that must be configured by an admin. This is an app used within Zoom Team Chat, so it requires access to user details (so it can match your current account with your Workday account) and the Zoom Team Chat tab of the Zoom desktop client, where users interact with the app.

Next, let’s review the App Marketplace listing for Virtual Backgrounds, with a focus on OAuth scopes. Because Virtual Backgrounds is an app that allows users in Zoom Meetings and Zoom Webinars to view and choose a new virtual background, this app requires access to the user’s in-meeting and in-webinar settings for the selected virtual background to be used.

Understanding end-user data

All data referenced here is end-user data, which is:

Returning to our Virtual Backgrounds and Workday app examples, end-user data in the context of the following possible permissions may include:

Mapping OAuth scopes and permissions to app types and end-user data

This table is provided as an example to help you understand OAuth scope and permissions mapping. This is not an exhaustive mapping of every OAuth scope to every permission and end-user data field.

| App Type | Requirement | OAuth Scope | Permission | End-user Data |
|---|---|---|---|---|
| User-level app | User role: Any user | User (user:read, user:write, user_info:read) | Profile & Contact Information | User's PMI, phone number, user ZAK token |
| User-level app | User role: Any user | Recording (recording:write, recording:read) | Registration Information | Recording download URL, meeting UUID, play URL |
| Account-level app | User role: Account admins | Meeting (meeting:write:admin, meeting:read:admin) | Participant Profile & Contact Information | Join link, meeting ID, host email, participant email |
| Account-level app | User role: Account admins | Account (account:write:admin) | Account Settings | Account ID, owner email, vanity URL |

Refer to the complete list of OAuth scopes, their descriptions, and the API calls that an app granted each scope is able to make.

How to understand the app review process

All apps listed on the App Marketplace undergo a dedicated review process before apps are published on the App Marketplace. The primary goals of the review process are to:

This two-part review process helps the Zoom Marketplace Review Team assess what user data is accessed and how the app handles the requested user data.

Every app on the App Marketplace must pass this review process before it is available on the App Marketplace, and any issue raised to 1st-party or 3rd-party app developers as part of the review process must be addressed prior to publishing on the App Marketplace. Additionally, follow-up reviews may be necessary when an updated app requests additional scopes, when abnormal API usage is detected, or when there are security concerns.

Note: While Zoom owns and manages the apps developed by Zoom, Zoom does not own or manage the apps developed by 3rd-party app developers. Please reference each individual App Marketplace listing page for more information specific to using the app, installation requirements and support.

Functionality, Usability, and Compliance Review

The Zoom Marketplace Operations Team assesses all apps to help ensure only necessary OAuth scopes are being requested, and that the requests make functional, logical, and business sense for the apps. Each app listing includes resources provided by the developer, which are also evaluated to ensure end users can reference documentation and receive support from the developer should they need it.

App developers may be asked to remove unused OAuth scopes by the Zoom Marketplace Operations Team when performing a Functionality, Usability, and Compliance Review for the app.

Notes:

Security review

The security review follows the Functionality, Usability, and Compliance Review. The Zoom Marketplace Security Review Team corroborates that only the required OAuth scopes are selected by the app to perform the intended functions. In this review, the Marketplace Security Review Team also assesses what end-user data is accessed by the app and how data acquired as a result of the requested OAuth scopes is handled by the app.

App developers may be asked to remove unused and/or misused OAuth scopes by the Marketplace Security Review Team when performing a security review for the app.
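To make the scope-to-data mapping in the table above and the scope-trimming step of the security review concrete, here is an added Python example; it is not Zoom's code or review tooling. It assumes that Zoom scope strings follow the resource:action[:admin] pattern visible in the table, that a ":admin" scope is what makes an app account-level (requiring an account admin to install it), and that the set of scopes the developer has justified is available, for instance from the TDD. The category table inside the script is transcribed from the page's example mapping only and is not exhaustive.

```python
"""Scope-review helper: added example, not Zoom's code.

Parses Zoom OAuth scope strings (resource:action[:admin]), infers the User
role an app would require, maps requested scopes to the permission categories
in the article's example table, and diffs the requested scopes against the set
the developer has justified, flagging unused and over-broad scopes.
"""
from dataclasses import dataclass, field

# Transcribed from the article's example table (not exhaustive):
# resource -> (permission label, end-user data that scope can expose)
SCOPE_CATEGORIES = {
    "user": ("Profile & Contact Information", "User's PMI, phone number, user ZAK token"),
    "user_info": ("Profile & Contact Information", "User's PMI, phone number, user ZAK token"),
    "recording": ("Registration Information", "Recording download URL, meeting UUID, play URL"),
    "meeting": ("Participant Profile & Contact Information",
                "Join link, meeting ID, host email, participant email"),
    "account": ("Account Settings", "Account ID, owner email, vanity URL"),
}


@dataclass(frozen=True)
class Scope:
    resource: str
    action: str                      # "read" or "write"
    admin: bool                      # True for account-level (":admin") scopes
    raw: str = field(compare=False)  # original text, excluded from equality/hash


def parse_scope(text: str) -> Scope:
    """Parse 'resource:action' or 'resource:action:admin'; reject anything else."""
    parts = text.strip().split(":")
    if len(parts) == 2:
        resource, action = parts
        admin = False
    elif len(parts) == 3 and parts[2] == "admin":
        resource, action, _ = parts
        admin = True
    else:
        raise ValueError(f"unrecognised scope format: {text!r}")
    if not resource or action not in ("read", "write"):
        raise ValueError(f"unrecognised scope: {text!r}")
    return Scope(resource, action, admin, text.strip())


def required_role(scopes) -> str:
    """Assumption: any ':admin' scope makes the app account-level."""
    return "Account admins" if any(s.admin for s in scopes) else "Any user"


def review_scopes(requested, justified) -> dict:
    """Compare requested scopes with the justified set and report findings.

    A requested scope that is justified passes. A write scope whose read
    counterpart is the only justified one is 'over-broad'; anything else
    that is not justified is 'unused' (the page says such scopes are removed).
    """
    req = [parse_scope(s) for s in requested]
    just = {parse_scope(s) for s in justified}
    findings = []
    for sc in req:
        if sc in just:
            continue
        read_only = Scope(sc.resource, "read", sc.admin, "")
        if sc.action == "write" and read_only in just:
            findings.append((sc.raw, "over-broad: only read access is justified"))
        else:
            findings.append((sc.raw, "unused: no justification for this scope"))
    categories = sorted({SCOPE_CATEGORIES[s.resource][0]
                         for s in req if s.resource in SCOPE_CATEGORIES})
    return {
        "required_role": required_role(req),
        "findings": findings,
        "data_categories": categories,
    }


if __name__ == "__main__":
    # Constructed sample: the listing requests three scopes, the TDD justifies two.
    result = review_scopes(
        ["user:read", "recording:write", "meeting:read:admin"],
        ["user:read", "recording:read"],
    )
    print("Required role:", result["required_role"])
    print("End-user data categories:", ", ".join(result["data_categories"]))
    for scope, reason in result["findings"]:
        print(f"  {scope}: {reason}")
```

The findings list is what an admin would want in hand before pre-approving an app: the role the listing must require, the categories of end-user data the scopes expose, and any scope the developer's own design document does not explain.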

Notes:

The security review is a multi-part review intended to maintain customer security and the integrity and resilience of the ecosystem as a whole.

As part of the app submission process, Zoom requires a Technical Design Document (TDD) from the app developer. This document, provided as part of the developer app build flow, tells Zoom how the app was built, what security measures the developer has in place, and how the app will use data collected from Zoom via OAuth scopes. Here is a checklist of items we ask all developers to follow.

Submission of the TDD to Zoom is mandatory for all developers, 1st party and 3rd party, and Zoom reviews the TDD for every app listed on the App Marketplace, as well as every app approved for beta sharing outside the developer’s account.

Every app also undergoes a focused security test against the OWASP Top 10, a standard awareness document that gives developers and security professionals insight into the most prevalent security risks, so that known risks are minimized in their applications. The scope and extent of testing is limited to those parts of the app that interact with Zoom for the integration offering. Testing may include, but is not limited to:

Zoom does not conduct any load or DoS/DDoS testing.

Notes:

Post-launch app reviews

Applications are listed on the App Marketplace only after successful functional and security reviews of the app. All concerns raised to the developers as a result of these reviews must be addressed for the application to be listed on the App Marketplace. All published apps are also in scope for continuous monitoring.

Our current continuous monitoring reviews are as follows:

App suspension and disablement

Applications may be suspended or disabled for functional or security reasons described above. Zoom may suspend or disable access to any application on the App Marketplace at any time, for any reason, without prior notice, liability, or other obligation to users.

Zoom will notify the development team responsible for the app when suspending or disabling any app. For any issues or questions regarding a suspended or disabled app, reach out to the app developer directly.

Suspended apps

If you are an existing user of the app, you will be able to continue using the app without interruption, but no new users will be able to install the app while it is suspended. This suspension will be noted when attempting to authorize the app. The app will be delisted from the App Marketplace while it is suspended.

Disabled apps

Apps that are disabled will block current users from continuing to use the app, as well as prevent new users from installing the app. The app will be delisted from the App Marketplace while it is disabled.