Using Information Barriers
Information Barriers are designed to help customers control user communication policies and meet regulatory requirements at scale. They can be used to prevent certain groups of users with sensitive information from communicating with others who are not supposed to know of this information.
Prerequisites for Information Barriers
Notes:
- When Information Barriers is enabled for your account, Join Before Host will be immediately disabled and locked at the account level. This setting can be re-enabled by the admins on the account, but this will break the Information Barriers feature when Hard Blocks are set up within Information Barriers. This will not affect meetings if only Soft Blocks are set up for Information Barriers in your account since the scope for soft blocks is limited to restricting in-meeting features.
Requirements for Information Barriers
- Users must belong to a group in Zoom's Group Management before Information Barriers is enabled.
- For meetings:
  - Users must be signed in to Zoom (the user cannot host a public meeting).
  - Local recording files will not be inspected for sharing with users from groups with blocks. For example, if user X cannot meet with user Y but they can chat with one another, and user X decides to send a recording file to user Y, our system cannot prevent this.
- For chat: If a user is invited by email, Zoom will not block them. We will still send them a notification if the email is in the domain.
- For meetings and chat: The policy check will time out and fail if any of the following scenarios occur:
  - The policy server is down.
  - An exception occurs.
  - Network issues occur.
  - Outages are present.
  - There are client-side issues.
- In these situations:
  - Zoom will try to retrieve a copy of the last-synced policy for the meetings and chat conversations.
  - Zoom will use that policy until the policy server can be reached again.
  - When the policy server can be reached again, if a new policy has been synced, Zoom will use that new policy.
  - If Zoom cannot retrieve the copy of the last-synced policy, Zoom will default to not allowing all users in the organization's domain to enter a meeting hosted by someone else in the domain or take part in a chat conversation.
Types of blocks between groups
- Hard Block: A meeting or chat communication that has users who belong to many groups. When two users have a block between them (as defined by the organization’s Information Barrier policy), Zoom will not allow them to meet or chat, even if they may be placed into separate breakout rooms.
- Soft Block: A meeting that has users who belong to many groups. Even though all the users can meet with each other, some users cannot engage with some meeting functionalities when another user is present in the meeting. If these users are in the same meeting or breakout room, then particular in-meeting features will be blocked. Soft Blocks are currently applied for the following features:
Scope for Information Barriers
Policy Sync
Policies for Information Barriers can be set up and managed through Zoom’s Web API as well as through Zoom’s web settings by account admins.
- Zoom Web UI
  - Information Barrier policies and groups can be manually assigned from Zoom’s web portal by account admins.
    - Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    - In the navigation menu, click Advanced.
    - Click Information Barriers.
  - Account administrators can manually assign users to groups from the web settings.
  - The web settings allow admins to configure the policies for each user group.
- Zoom API
  - Organizations can send Information Barrier policies from their third-party system to Zoom.
  - The last known sync of policies will be shown in the Zoom web portal.
  - Organizations can sync policies at least every 24 hours.
Zoom Meeting
- Policies will be applied at the time of users entering a Zoom meeting.
- Policies preventing group-level communication, per hard block, will be respected.
- Policies based on meeting functionalities, per soft block, will be respected.
- For meetings with participants belonging to multiple groups, the most restrictive policy will be applied from the soft block at a meeting level for all participants in the meeting.
- Cloud/Local Recording policies:
  - Cloud Recording: A meeting has users who belong to many groups. Even though all the users can meet with each other, some users cannot initiate cloud recording when another user is present in the meeting. If these users are in the same meeting, cloud recording is blocked.
  - Local Recording: A meeting has users who belong to many groups. Even though all the users can meet with each other, some users cannot initiate local recording when another user is present in the meeting. If these users are in the same meeting, local recording is blocked.
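The join-time evaluation described above, together with the fallback order listed under Requirements (live policy, then the last-synced copy, then deny), modelled in Python as an added example. It is not Zoom's code or API: the users, group names, feature names and function names are constructed for illustration, and each user is evaluated by primary group.

```python
from itertools import combinations

# Constructed sample policy keyed by a pair of groups. "hard" forbids meeting;
# a set names the in-meeting features a soft block disables (names assumed).
SAMPLE_POLICY = {
    frozenset({"research", "trading"}): "hard",
    frozenset({"research", "sales"}): {"cloud_recording"},
    frozenset({"legal", "sales"}): {"local_recording"},
}
# Constructed users mapped to their primary group.
PRIMARY_GROUP = {"ana": "research", "bo": "trading", "cy": "sales", "di": "legal"}


class PolicyServerUnavailable(Exception):
    """Stands in for a timeout, outage, exception, network or client issue."""


def server_down():
    raise PolicyServerUnavailable()


def resolve_policy(fetch_live, last_synced):
    """Live policy first, then the last-synced copy, otherwise fail closed."""
    try:
        return fetch_live(), "live"
    except PolicyServerUnavailable:
        if last_synced is not None:
            return last_synced, "last-synced"
        return None, "default-deny"


def evaluate_join(joiner, present, fetch_live, last_synced=None):
    """Decide at join time whether `joiner` may enter and what is soft-blocked."""
    policy, source = resolve_policy(fetch_live, last_synced)
    denied = {"allowed": False, "blocked_features": set(), "source": source}
    if policy is None:
        return denied  # no policy at all: nobody in the domain is admitted
    mine = PRIMARY_GROUP[joiner]
    groups = {PRIMARY_GROUP[u] for u in present} | {mine}
    if any(policy.get(frozenset({mine, g})) == "hard" for g in groups):
        return denied  # hard block with someone already in the meeting
    blocked = set()
    for a, b in combinations(sorted(groups), 2):
        rule = policy.get(frozenset({a, b}))
        if isinstance(rule, set):
            blocked |= rule  # most restrictive: union across every group pair
    return {"allowed": True, "blocked_features": blocked, "source": source}
```

Because the soft-block result is the union over every pair of groups present, one participant from a restricted group is enough to disable a feature for the whole meeting.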
Zoom Chat
- Users blocked by information barriers cannot search or chat with one another.
- Group chats and channels are removed for users who have Information Barriers applied with other members of the group.
Zoom Phone and SMS
- Users blocked by information barriers cannot search, call, or text other members of that group. Trying to use these functions will return an error message stating they have restricted communication between certain groups and users.
- Blocked users cannot invite other members of that group into a meeting using Zoom Phone.
How to create a policy between two groups
To create policies between multiple existing user groups through the Zoom web portal:
- Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
- In the navigation menu, click Advanced.
- Click Information Barriers.
Notes:
- If a user is a part of multiple groups, then these policies are applied according to the primary group.
- Policies can only be created between existing groups.
Limitations for Information Barriers
- External meetings will not have Information Barriers applied.
- Cloud Recording links will still be generated if the meeting is being recorded.
- Custom streaming through RTMP will not be supported. If the host decides to stream the meeting, Information Barriers will not be applied to viewers of the stream.
- Join Before Host is not supported. This setting will be turned off and locked when Information Barriers is enabled. This prevents the scenario where the host is not allowed into their meeting if they have a block with another user, and the other user joins the meeting before the host.
- Webinars are not supported at this time; only Zoom meetings, Zoom Phone, SMS and chat are supported.
- When Information Barriers is enabled, the "Only authenticated users can join meetings" setting will be enabled and locked. If authentication profiles are enabled, admins can allow authentication exceptions to allow guests to bypass authentication to join meetings.
Information Barriers features
Information Barriers policies for Primary Groups
If a user is a part of multiple groups, then the Information Barrier policies for each of those users are applied according to the primary group they are present in. A pop-up message is shown in your Information Barriers portal to show that only primary groups will be affected.
If Information Barriers is enabled, you can create a group and assign or remove users through API and SAML. You can also enable manual group manipulation. When you enable Information Barriers, any type of group manipulation is disabled. The Group settings can be modified from the Zoom web portal.
Notes:
- Primary groups must be implemented for this feature.
- SAML and API methods are required to identify and map a user’s primary group.
How to view Primary Group information
To view Primary Group information:
- Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
- In the navigation menu, click User Management then Group Management.
- Click the applicable group name from the list.
- Click the Profile tab.
- Under Member, click the link for the number of Total Members.
The Primary Group column shows whether this group is the primary group for any particular user.
How to enable manual group manipulation
As an account owner or admin, you can enable group manipulation to modify user groups manually without the use of API or SAML. If your account has enabled API to sync groups, it will be replaced by the manual configuration.
Note: This setting is only available at the account level.
To enable and manually edit group policies for Information Barriers:
- Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
- In the navigation menu, click Account Management then Account Settings.
- Click the Meeting tab.
- Under Admin Options, click the "Allow account admins to edit groups with information barriers" toggle to enable it.
- If a verification dialog appears, click Enable to verify the change.
How to apply Information Barriers policies in Breakout Rooms
Breakout Rooms can be used when the Information Barrier feature is enabled, allowing use of breakout sessions while preventing unauthorized sensitive data from being shared. In addition, for accounts with the New Admin Experience enabled, Information Barriers from the user’s primary group will apply.
How to prevent deletion of groups that have an info-barrier policy applied to them
- Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
- In the navigation menu, click Account Management then Account Settings.
- Click the Meeting tab.
- Under Admin Options, click the "Do not allow user groups to be deleted if they are part of an Information Barrier Policy" toggle to enable it.
  Note: This setting is disabled by default. Enabling this prevents the deletion of groups that have an info-barrier policy applied to them.
- If a verification dialog appears, click Enable to verify the change.