Limit access to sensitive information in Lists (consortium)
Description
Purpose: Queries across multiple tenants should be hardened against unnecessary disclosure of sensitive information, including patron user PII and member libraries' financial information. Certain types of statistical information are acceptable and should be included.
User story statement(s):
As an administrator of a consortium
I want to access statistical information but not sensitive information
So that risk to the consortium of unauthorized data breaches is minimal
As a librarian at an affiliated member library within an ECS-enabled consortium
I want to prevent sensitive information from being divulged outside authorized staff within my local library
So that I can protect patron and financial information
Scenarios:
Valid primary record types
Given authorized staff user is in Lists (consortium)
When user creates a new list
Then Users and Organizations are NOT displayed as valid (primary) record types
AND Invoices will NOT be a valid record type when complete
Invalid entity type fields (user)
Given authorized user is creating or editing a list in Lists (consortium)
When record type accesses or invokes the user entity
Then the following fields are NOT queryable, returnable or otherwise included in ANY output:
User barcode
User date of birth
User email
User external system ID
User first name
User full name
User last name
User middle name
User mobile phone
User phone
User preferred first name
User primary address
Username
Invalid entity type fields (PO/PO Line)
Given authorized user is creating or editing a list in Lists (consortium)
When record type accesses or invokes the PO Line entity
Then the following fields are NOT queryable, returnable or otherwise included in ANY output:
PO assigned to (including ID)
PO created by (including ID)
POL created by (including ID)
POL currency
POL estimated price
POL exchange rate
POL payment status
Invalid entity type fields (other)
Given authorized user is creating or editing a list in Lists (consortium)
When record type accesses or invokes any entity not described above
Then the following types of fields are NOT queryable, returnable or otherwise included in ANY output:
Any field identifying a specific user or their PII
Any field containing specific financial information, including price/cost, fund balances or fund activity
Any organization information containing account numbers, banking information, library-specific access information or access credentials
Any library-specific license or contract information
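As an added illustration (not FOLIO's own mod-lists code), the deny-list in the scenarios above expressed as a policy check that runs twice: once when a list definition is submitted, and again on each result row so a join or later change cannot leak a denied column. The record type "loans" and the snake_case field identifiers are constructed stand-ins for the field labels on this page.

```python
# Added illustration: enforce the deny-list above at two points, the list
# definition and the result rows. Field identifiers are constructed
# snake_case stand-ins for the labels in the acceptance criteria, not
# FOLIO's real property names.

# Primary record types that must not be offered in Lists (consortium).
BLOCKED_RECORD_TYPES = {"users", "organizations", "invoices"}

# Fields that may never be queried or returned, keyed by entity.
BLOCKED_FIELDS = {
    "user": {
        "barcode", "date_of_birth", "email", "external_system_id",
        "first_name", "full_name", "last_name", "middle_name",
        "mobile_phone", "phone", "preferred_first_name",
        "primary_address", "username",
    },
    "po_line": {
        "po_assigned_to", "po_assigned_to_id",
        "po_created_by", "po_created_by_id",
        "pol_created_by", "pol_created_by_id",
        "pol_currency", "pol_estimated_price",
        "pol_exchange_rate", "pol_payment_status",
    },
}


def is_blocked_field(path):
    """True if an 'entity.field' path names a denied field of that entity.
    The block is entity-scoped: 'user.barcode' is denied, 'item.barcode' is not."""
    entity, _, name = path.lower().partition(".")
    return name in BLOCKED_FIELDS.get(entity, set())


def list_definition_violations(record_type, fields):
    """Check a proposed list definition before any query runs.
    Returns the policy violations; an empty list means the definition is allowed."""
    problems = []
    if record_type.lower() in BLOCKED_RECORD_TYPES:
        problems.append(f"record type not allowed: {record_type}")
    problems.extend(f"sensitive field not allowed: {f}"
                    for f in fields if is_blocked_field(f))
    return problems


def redact_row(row):
    """Second line of defence on the way out: drop denied columns from a
    result row even if a join or later change let them into the result set."""
    return {col: val for col, val in row.items() if not is_blocked_field(col)}
```

The "other" category on this page (any PII, price/cost, fund, banking or license field on any further entity) is a review requirement rather than an enumerable list, so it is not encoded here.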