<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:07:25 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-660] Discussion: Controlling Login to FOLIO</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-660</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;b&gt;Problem:&lt;/b&gt; Any FOLIO user can log into FOLIO and only a small fraction of those users (library staff) currently have anything they can/should be doing in FOLIO.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Possible solutions:&lt;/b&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;b&gt;Not an Option:&lt;/b&gt; Using the existing Status flag on the user record to control this isn&#8217;t an option.  The Status flag will be used for other things in FOLIO.  For example, when a user graduates, they would be switched to inactive which should mean they could no longer log into FOLIO and they can no longer check out books.  This is distinct from another flag we plan to implement on the user record called Patron block which would also disallow checking out books due to fees, fines and other FOLIO logic.  Patron block will likely be auto triggered by certain data in FOLIO while Status will be driven by data in the Student Information System.&lt;/li&gt;
	&lt;li&gt;&lt;b&gt;Option 1:&lt;/b&gt; Allow any user to log in but just ensure that they can&#8217;t do anything at all in FOLIO (not even change their own username and password) without additional permissions assigned.  Taking this approach is potentially confusing to users who manage to accidentally log in, though.  If we are going to do this, SIG would want us to have a configurable landing page that says something like &#8220;Oops &#8211; you landed in our system.  Here are some links to where you might want to go from here&#8221; (with links to discovery etc).  One advantage to this is that, if someone does eventually build a patron-facing app in FOLIO, nothing additional needs to be done to allow them to log in.&lt;/li&gt;
	&lt;li&gt;&lt;b&gt;Option 2:&lt;/b&gt; Have a logical permission for &#8220;Can log in&#8221;.  One downside to this approach is that you will have to remember to assign this permission set to every user that needs to log into FOLIO (or put into every permission set you create).  That&#8217;s probably not a deal-breaker.&lt;/li&gt;
	&lt;li&gt;&lt;b&gt;Option 3:&lt;/b&gt; Add a data element to the user record for &#8220;Can log in&#8221; which, if set to N, disallows login.  If set to Y, allows login.  So, it would work like Status, but be distinct.  It would need to be manually set to Y for all people who need to log into FOLIO.  If we take this approach, we&#8217;d need to make sure the regular user import doesn&#8217;t reset this flag all the time.  We could handle this by saying that, as long as this field is left blank in the patron import, the system doesn&#8217;t alter the setting.&lt;/li&gt;
	&lt;li&gt;&lt;b&gt;Other?&lt;/b&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="80205">FOLIO-660</key>
            <summary>Discussion: Controlling Login to FOLIO</summary>
                <type id="10006" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10307?size=medium">Umbrella</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5af5ed55244bc90a106063c7">Cate Boerema</reporter>
                                    <labels>
                    </labels>
                <created>Fri, 9 Jun 2017 08:35:15 +0000</created>
                <updated>Mon, 12 Nov 2018 14:23:35 +0000</updated>
                            <resolved>Thu, 6 Sep 2018 11:10:51 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>9</watches>
                                                    <timespent seconds="5400">1 hour, 30 minutes</timespent>
                                <comments>
                                                            <comment id="188358" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Fri, 9 Jun 2017 09:14:15 +0000"  >&lt;p&gt;I just want to mention that we have two login concepts here that should not be confused. One is logging in to the (current) administrative Folio interface, and another is logging in to the Folio system. Regular patrons should probably not be allowed to do the former, but must be able to do the latter, or they cannot do any operations on the system, for example check out books.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Option 1 seems clumsy. Someone will have to build and maintain the Oops page, for each library. So we need to make an oops-page management system, etc.&lt;/li&gt;
	&lt;li&gt;Option 2 is possible. I don&apos;t like the permission name &quot;can log in&quot;, because even regular patrons need to log in, at some point. &quot;can administer Folio&quot; sounds like a better name. The logic could be done in the UI, or by adding a parameter to the login request specifying what permission (or permissions) the user must have before login can be accepted.&lt;/li&gt;
	&lt;li&gt;Option 3 is possible. Again, &quot;can log in&quot; is a misleading name; perhaps &quot;administrator&quot; would be better. Or some kind of &quot;security level&quot; that could start with values &quot;patron&quot; and &quot;staff&quot;, with the possibility to add levels like &quot;admin&quot; or &quot;superuser&quot;, if we need such. In any case, the login service needs an extra parameter to specify what level is required for this application.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Although option 2 needs some care in maintaining some permission sets, I think I have a slight preference towards it, as it allows all kinds of applications to require different permissions in a nice flexible way. But option 3 would work too.&lt;/p&gt;
</comment>
                                                            <comment id="188360" author="5af5ed55244bc90a106063c7" created="Fri, 9 Jun 2017 10:04:34 +0000"  >&lt;blockquote&gt;&lt;p&gt;Regular patrons should probably not be allowed to do the former, but must be able to do the latter (logging into the FOLIO system), or they can not do any operations on the system, for example check out books.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I don&apos;t know that this is a correct assumption.  My understanding is that discovery services that offer the ability to do renewals etc. and self-checkout machines do not require patrons to log into the ILS system.  I will tag &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Af28d9e2e-c4bf-4283-a57d-136003c73648&quot; class=&quot;user-hover&quot; rel=&quot;557058:f28d9e2e-c4bf-4283-a57d-136003c73648&quot; data-account-id=&quot;557058:f28d9e2e-c4bf-4283-a57d-136003c73648&quot; accountid=&quot;557058:f28d9e2e-c4bf-4283-a57d-136003c73648&quot; rel=&quot;noreferrer&quot;&gt;Chris Manly&lt;/a&gt; here to see if he can help clarify for us.  &lt;/p&gt;</comment>
                                                            <comment id="188363" author="5bffed52a1b46046f530c8f7" created="Fri, 9 Jun 2017 13:08:07 +0000"  >&lt;p&gt;Heikki&apos;s comment beat me to it. We mustn&apos;t fall into the trap of thinking the present Stripes-based UI &lt;em&gt;is&lt;/em&gt; FOLIO. It&apos;s just one of many UIs that can be built on top of the FOLIO services; and indeed just one of many UIs that can be built on top of the Stripes toolkit. (That&apos;s why I dislike our overloading of the name &quot;Stripes&quot; to mean both the UI toolkit &lt;em&gt;and&lt;/em&gt; this particular application that&apos;s built on top of it.)&lt;/p&gt;

&lt;p&gt;I also agree with Heikki that option 1 is clumsy &#8211; it&apos;s like letting people into the atrium of a building but having all the inner doors locked to them.&lt;/p&gt;

&lt;p&gt;Option 2 could work &#8211; but we don&apos;t yet have the ability to search users by permission, and adding that ability is hard (&lt;a href=&quot;https://folio-org.atlassian.net/browse/MODUSERBL-3&quot; class=&quot;jira-issue-macro-key issue-link&quot; title=&quot;Search users by permission&quot;&gt;MODUSERBL-3&lt;/a&gt;, In Progress). So we&apos;d need to make a manual check in the UI, which is a bit clumsy. But more importantly ...&lt;/p&gt;

&lt;p&gt;Option 3 feels more natural. I resist Heikki&apos;s idea of generalising &quot;can log in to the admin application&quot; to different admin levels, because then we start reproducing concepts that we presently express using permissions.&lt;/p&gt;

&lt;p&gt;Meanwhile, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5ed55244bc90a106063c7&quot; class=&quot;user-hover&quot; rel=&quot;5af5ed55244bc90a106063c7&quot; data-account-id=&quot;5af5ed55244bc90a106063c7&quot; accountid=&quot;5af5ed55244bc90a106063c7&quot; rel=&quot;noreferrer&quot;&gt;Cate Boerema&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;My understanding is that discovery services that offer the ability to do renewals etc. and self-checkout machines do not require patrons to log into the ILS system.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Patrons definitely do need to log in, otherwise the system won&apos;t know who is using it (e.g. which patron to place holds for). The operation may not &lt;em&gt;look&lt;/em&gt; like a standard login from a UX perspective &#8211; it might be a card-swipe or something &#8211; but in system terms, it&apos;s a login.&lt;/p&gt;</comment>
                                                            <comment id="188365" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Tue, 13 Jun 2017 09:44:47 +0000"  >&lt;p&gt;Since the login procedure is used to establish who the user is and we need that information for reporting e.g. circulation events, patrons should be able to &quot;log in&quot;. I wouldn&apos;t necessarily equate this operation with accessing the FOLIO UI, which could be an additional privilege.&lt;/p&gt;

&lt;p&gt;So I guess there is yet another option: All users (staff and patrons alike) can &quot;log in&quot; (meaning request an authentication token, e.g. to perform circulation operations) but to access the FOLIO UI an additional permission is required, e.g. &quot;Can access FOLIO UI&quot;. This permission would need to be granted to all &quot;staff&quot; members, which is less than granting &quot;Can log in&quot; to all users. Additionally, patron users would need a permission set to &quot;Can place loans and holds&quot;.&lt;/p&gt;

&lt;p&gt;To make this less clumsy and error prone (having to remember to assign those permissions when creating or importing users) we could have a place to auto-configure permission assignment at the point of user creation based on certain meta-data elements.&lt;/p&gt;</comment>
                                                            <comment id="188368" author="5e16e55ae3b48c0daa0f8727" created="Mon, 19 Jun 2017 12:01:18 +0000"  >&lt;p&gt;It&apos;s worth mentioning that self-checkout machines are usually working with non HTTP-based legacy protocols.&lt;/p&gt;

&lt;p&gt;With SIP2 the self-checkout machine uses a separate terminal password to authenticate itself to the ILS. This doesn&apos;t have anything to do with an actual patron.&lt;/p&gt;

&lt;p&gt;When a patron starts interacting with the machine, his/her patron ID is sent as an argument with SIP2 commands. Also, at a self-checkout machine the user usually enters some kind of PIN code, which might not be the same as the password associated with his patron account in other systems (like on an OPAC). This is the same as an ATM requesting a PIN code for operation, even though in a web-banking UI other credentials are used. The patron ID and PIN are sent with each command during the operation together with the machine&apos;s terminal password.&lt;/p&gt;

&lt;p&gt;SIP2 usually works with short burst connections consisting of the machine-specific authentication and the actual SIP2 command/response. Then the connection is closed. So even though the patron might use the machine for minutes, each action is running in its own short-lived connection.&lt;/p&gt;

&lt;p&gt;This possibly adds an interesting perspective to the collected thoughts above.&lt;/p&gt;</comment>
                                                            <comment id="188373" author="5e1750638dfdd40ec489bf08" created="Wed, 21 Jun 2017 15:38:13 +0000"  >&lt;p&gt;We had a discussion about this on today&apos;s SIG meeting. &lt;/p&gt;

&lt;p&gt;We have come to the conclusion that it is preferred not to use a flag in the user&apos;s data for &quot;Can access FOLIO UI&quot;. If a user has no permissions for any of the available plugins, none should be shown to them but a welcome page which can be configured. &lt;/p&gt;

&lt;p&gt;An option for changing password should be available for users without any other permission. Although it brings up another question: what about SSO-authenticated users? Should they have an option to create/change their password (obviously not their SSO password, just the one used in FOLIO-based login)? Do we plan on allowing SSO users to log in with a custom password also? If so when importing users do we have to generate a password for them or leave it empty so that they can change it later? Maybe we can use the &quot;empty password&quot; to indicate that the user can only login via SSO.&lt;/p&gt;</comment>
                                                            <comment id="188375" author="62a96ae7192edb006f9f1bf9" created="Wed, 5 Sep 2018 14:01:48 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5ed55244bc90a106063c7&quot; class=&quot;user-hover&quot; rel=&quot;5af5ed55244bc90a106063c7&quot; data-account-id=&quot;5af5ed55244bc90a106063c7&quot; accountid=&quot;5af5ed55244bc90a106063c7&quot; rel=&quot;noreferrer&quot;&gt;Cate Boerema&lt;/a&gt;, can we close this story?&lt;/p&gt;</comment>
                                                            <comment id="188377" author="5af5ed55244bc90a106063c7" created="Thu, 6 Sep 2018 11:10:39 +0000"  >&lt;p&gt;Yep.  Seems like folks agreed to option 1 which doesn&apos;t require any additional development.  I&apos;ll close it.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="44325">UIU-60</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="80208">FOLIO-664</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzxp2v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 9 Jun 2017 09:14:15 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>