<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:21:35 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2565] Misleading Permission Set Configuration</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2565</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Impact&quot;&gt;&lt;/a&gt;Impact&lt;/h2&gt;

&lt;p&gt;A user with seemingly basic privileges is able to obtain configuration information for various modules, notably credentials associated with the login-saml and smtp_server module. The user is able to send emails from the fse.hosting@ebsco.com email address using the credentials discovered.&lt;/p&gt;

&lt;h2&gt;&lt;a name=&quot;Description&quot;&gt;&lt;/a&gt;Description&lt;/h2&gt;

&lt;p&gt;The Okapi system implements permissions by either assigning them to users, or to modules. Any user assigned a permission is also assigned the &#8220;subPermissions&#8221; of that permission, if any exist. This leads to issues where permissions grant access to more than their name implies.&lt;br/&gt;
For example, the &#8220;configuration.entries.collection.get&#8221; permission is assigned as a &#8220;subPermission&#8221; to several permissions such as &#8220;ui-calendar.view&#8221; and &#8220;ui-inventory-instance.view&#8221;.&lt;br/&gt;
Thus, anyone granted one of those permissions is also granted the &#8220;configuration.entries.collection.get&#8221; permission. This permission gives access to the /configurations/entries endpoint. The endpoint reveals configuration details, including credentials for a SMTP relay server, as well as&lt;br/&gt;
the value of the keystore.privatekey.password and keystore.password variables used by the login-saml module. NCC Group was able to use these credentials and configurations to send an email from the fse.hosting@ebsco.com address. Thus, any user who has seemingly benign permissions such as ui-calendar.view, is also able to view these configuration details and send emails from that address.&lt;br/&gt;
Additionally, the &#8220;view_perms&#8221; permission set, which implies read-only permissions, includes permissions that allow for creating, editing, and deleting various resources as well. Permis- sions that are granted include permissions to edit and remove orders, create and delete notes, and view all permissions within the &#8220;Inventory&#8221; module.&lt;/p&gt;

&lt;h2&gt;&lt;a name=&quot;Reprosteps&quot;&gt;&lt;/a&gt;Repro steps&lt;/h2&gt;

&lt;p&gt;An example is provided below to demonstrate potentially problematic permissions. Note that any permission that has subPermissions may have this issue.&lt;br/&gt;
1. Issue the following HTTP request, replacing TOKEN with a valid JWT token for a user on the system.&lt;/p&gt;

&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;curl -i -s -k -X $&apos;GET&apos; \
-H $&apos;Host: okapi-bugfest.folio.ebsco.com&apos; \ -H $&apos;Accept: application/json&apos; \
-H $&apos;X-Okapi-Tenant: fs00001000&apos; \
-H $&apos;X-Okapi-Token: TOKEN &apos; \
$&apos;https://okapi-bugfest.folio.ebsco.com/perms/permissions?query=displayName==% 22view_perms%22&apos;
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;2. Note in the response that the &#8220;subPermissions&#8221;of this permission include permissions that allow users to edit, update, and create various resources.&lt;/p&gt;

&lt;p&gt;Permissions should be carefully audited to ensure admin-like permissions do not get assigned as &#8220;subPermissions&#8221; to permissions whose names do not imply admin-like rights. For example, the &#8220;view_perms&#8221; permission set should be renamed or modified to not include permissions which grant create, edit, or delete functionality.&lt;/p&gt;


&lt;h2&gt;&lt;a name=&quot;Acceptancecriteria&quot;&gt;&lt;/a&gt;Acceptance criteria&lt;/h2&gt;
&lt;ul&gt;
	&lt;li&gt;Write a guidance document on  best practices constructing permission sets and using module permissions to avoid escalating direct end-user permissions&lt;/li&gt;
	&lt;li&gt;provide a couple examples of permission sets that include permissions direct permissions beyond what logically should be provided directly to the user (NCC example is one, we need a couple more)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;Split into continuation story:&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;walkthrough the proposal document with Tech Leads on the TL meeting&lt;/li&gt;
	&lt;li&gt;create Jira tickets for individual teams to perform verification of permission sets in the modules they are responsible for, according to the best practices&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="81663">FOLIO-2565</key>
            <summary>Misleading Permission Set Configuration</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</assignee>
                                                                <reporter accountid="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d">Jakub Skoczen</reporter>
                                    <labels>
                            <label>platform-backlog</label>
                            <label>security</label>
                    </labels>
                <created>Thu, 16 Apr 2020 12:02:52 +0000</created>
                <updated>Tue, 13 Jul 2021 08:51:19 +0000</updated>
                            <resolved>Mon, 4 May 2020 18:31:48 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                                <comments>
                                                            <comment id="198265" author="5ee89462f7aa140abd82d11d" created="Tue, 21 Apr 2020 13:55:28 +0000"  >&lt;p&gt;mod-kb-ebsco-java has it&apos;s own configuration API endpoint. It stores the password to the EBSCO Knowledge Base but removes the password from the GET request: &lt;a href=&quot;https://github.com/folio-org/mod-kb-ebsco-java/blob/v3.4.0/src/main/java/org/folio/rest/impl/EholdingsConfigurationImpl.java#L59&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-kb-ebsco-java/blob/v3.4.0/src/main/java/org/folio/rest/impl/EholdingsConfigurationImpl.java#L59&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="198268" author="5cf6c546b87c300f36eb7b9a" created="Tue, 28 Apr 2020 14:36:46 +0000"  >&lt;p&gt;There are a few parts to this...&lt;/p&gt;

&lt;p&gt;1) Permission sets named inappropriately, e.g. &lt;tt&gt;something.view&lt;/tt&gt; suggests it provides the ability to &lt;ins&gt;view&lt;/ins&gt; something.  It shouldn&apos;t have subPermissions that allow for put/post/delete.  Here&apos;s an actual example:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-receiving.basic.view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;displayName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;Receiving: Basic view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;id&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;5542bb26-9eff-4699-a7c5-6e6a049979d7&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;tags&quot;&lt;/span&gt;: [],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;subPermissions&quot;&lt;/span&gt;: [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;module.receiving.enabled&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;orders.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;orders.pieces.item.post&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;orders.pieces.item.put&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;orders.po-lines.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;orders.titles.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;orders.titles.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-receiving.third-party-services&quot;&lt;/span&gt;
  ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;childOf&quot;&lt;/span&gt;: [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-receiving.view&quot;&lt;/span&gt;
  ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;grantedTo&quot;&lt;/span&gt;: [],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;mutable&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;visible&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;dummy&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The ERM modules use a naming convention that might be more appropriate for these types of permission set, e.g.&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-erm-usage.view-create-edit&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;displayName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;eUsage: Can view, create and edit usage data providers and COUNTER reports&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;id&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ade748af-66b5-4584-a319-3cac20899241&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;description&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;Can view, create and edit usage data providers and COUNTER reports&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;tags&quot;&lt;/span&gt;: [],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;subPermissions&quot;&lt;/span&gt;: [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;module.erm-usage.enabled&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;usagedataproviders.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;usagedataproviders.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;usagedataproviders.item.post&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;usagedataproviders.item.put&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;counterreports.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;counterreports.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;counterreports.item.post&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;counterreports.item.put&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;aggregatorsettings.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;aggregatorsettings.item.get&quot;&lt;/span&gt;
  ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;childOf&quot;&lt;/span&gt;: [],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;grantedTo&quot;&lt;/span&gt;: [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;fba0106d-e2ad-494e-8958-ce5b447ab2aa&quot;&lt;/span&gt;
  ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;mutable&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;visible&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;true&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;dummy&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;2) Permission sets provided by module A provide subPermissions for module B.  The most glaring example of this is the inclusion of mod-configuration properties in permission sets created by other modules...  &lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
$ curl $OKAPI/perms/permissions?length=99999 -H &lt;span class=&quot;code-quote&quot;&gt;&quot;X-Okapi-Token: $TOKEN&quot;&lt;/span&gt; -w&lt;span class=&quot;code-quote&quot;&gt;&apos;\n&apos;&lt;/span&gt; -s | jq &lt;span class=&quot;code-quote&quot;&gt;&apos;.permissions[] | select(.subPermissions[] | contains(&lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.entries&quot;&lt;/span&gt;))&apos;&lt;/span&gt; | grep permissionName 
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-inventory.settings.hrid-handling&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-oai-pmh.edit&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;module.licenses.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.loans.anonymize&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.override-renewal-by-barcode.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.renew-by-barcode.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.requests.item.move.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;module.agreements.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.renew-by-id.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-calendar.view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.requests.item.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.override-check-out-by-barcode.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.requests.item.put&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.requests.instances.item.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.circulation.check-out-by-barcode.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;module.erm-usage.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;module.erm-usage.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-finance.third-party-services&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.orders.item.post&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;modperms.orders.item.put&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;settings.erm-usage.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;settings.erm-usage.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;settings.erm-usage.enabled&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-inventory.instance.view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-invoice.third-party-services&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-oai-pmh.view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-orders.third-party-services&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-organizations.third-party-services&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-receiving.third-party-services&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.all&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.all&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.all&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.all&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.all&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-users.settings.customfields.view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-requests.view&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-users.settings.customfields.edit&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-users.settings.customfields.edit&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;permissionName&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;ui-users.view&quot;&lt;/span&gt;,
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;This one can be categorized further...&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;In the case of backend modules, it&apos;s the module that&apos;s making the API call to mod-configuration there&apos;s no need give the user the permission, just use a module permission for that.  I think this is generally what&apos;s happening.  I should note that often module descriptors define a permission set that contains all of the module permissions for a given endpoint and then just use that in the endpoint handler&apos;s modulePermissions field.  This might make it easier to read the module descriptor, but now we have a permission set that grants permissions to multiple modules, which could be assigned to a user, despite the apparent naming convention of &lt;tt&gt;modperms.*&lt;/tt&gt;.  I&apos;m not sure if this is a big deal or not.&lt;/li&gt;
	&lt;li&gt;In the case of ui modules, it&apos;s a little bit trickier since there&apos;s no notion of a ui-module-permission.  Calls from the ui are made solely with the user&apos;s permissions  I think the best we can do here is limit these to permission sets which are for viewing/managing settings, e.g. &quot;ui-users.settings.customfields.edit&quot; but probably not &quot;ui-users.view&quot;.  If needed, we should create additional permission sets with appropriate names.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;3) mod-configuration permissions are not very granular.  Granting a user to &quot;configuration.entries.collection.get&quot; so they can view a handful of relevant entries means that they can now also view ALL entries, regardless of their relevance and/or sensitivity.  For this reason:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Sensitive information should NEVER be stored in mod-configuration.  SMTP credentials, RMAPI credentials, etc. should be stored behind their own endpoints which are protected with distinct permissions.&lt;/li&gt;
	&lt;li&gt;We might want to take a look at ways to make the permissions of this module more granular, perhaps something could be done using desiredPermissions / X-Okapi-Permissions?  Though I&apos;m not sure this is really doable or even worth it.  I think I&apos;m in favor of just moving away from mod-configuration all together (see below)&lt;/li&gt;
	&lt;li&gt;We should consider moving away from using mod-configuration in general.  The cross-app nature of this module makes it difficult to deal with other things like sample/reference data... what if you want some reference data loaded into mod-configuration, but not all of it?&lt;/li&gt;
&lt;/ul&gt;
</comment>
                                                            <comment id="198271" author="5cf6c546b87c300f36eb7b9a" created="Tue, 28 Apr 2020 15:47:31 +0000"  >&lt;p&gt;I&apos;ve started a wiki page to capture the proposed guidelines:  &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/FOLIJET/Proposed+Permission+Set+Guidelines&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/FOLIJET/Proposed+Permission+Set+Guidelines&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="198273" author="615afd1cd9820f0070a09ef0" created="Tue, 28 Apr 2020 15:59:56 +0000"  >&lt;p&gt;The mod-configuration issue is especially sticky IMHO as we don&apos;t have a way to segregate permissions based on user or module even though the permissions themselves are split out that way. Huh? It&apos;s like this: you can&apos;t grant users permission to read or write &lt;em&gt;some&lt;/em&gt; configuration data without granting them permission to read or write &lt;em&gt;all&lt;/em&gt; configuration data, regardless of &lt;tt&gt;module&lt;/tt&gt; or &lt;tt&gt;userId&lt;/tt&gt;. That seems ... unfortunate. &lt;/p&gt;</comment>
                                                            <comment id="198275" author="5cf6c546b87c300f36eb7b9a" created="Mon, 4 May 2020 18:31:48 +0000"  >&lt;p&gt;Closing this per conversation with &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;.  See linked tickets for follow-on work&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="79617">FOLIO-2524</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79625">FOLIO-2583</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79633">FOLIO-2607</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81718">FOLIO-2578</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54202">OKAPI-839</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx6me:v1i</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1858">CP: sprint 87</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10044" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 21 Apr 2020 13:55:28 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>