2020-07-17 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes
10 min | Housekeeping - email, JIRA, etc

Email alias/address security@folio.org still not working. Coordinating through Peter Murray, who is working with EBSCO on other address(es).

Jira configuration actions:

  • Can the Security Project be set up so that new issues automatically set the Security Level to FOLIO Security Group?
    • Confirmed how to get this done - need to coordinate changes to permissions scheme and security scheme for the Security project with JIRA admin (some dependencies with other settings/projects).
    • Expect to complete week of July 27 (MDG OOO next week).
  • Some issues appear to show Security Level but others don't. Investigate. Could be issue type (Epic vs Story vs Task vs Bug).
    • Still investigating. It won't show unless it's set. The field has to be configured to appear on the screen that the project uses (not so for UXPROD).
    • Able to set for task, bug and epic.
  • Clarify and/or propose how we set a security level that allows only those who might need to know (i.e. the specific developers who might work on issues).
    • Need to define who is part of the list. Currently there is an "external core contributors" group that has 178 members. The current Security Role of "Core FOLIO Team" points to this group.
    • Use the "Core FOLIO Team"
    • May not ever need a more restrictive group.

Spike for SSO flow | Axel and Craig

Had previously created a Spike to investigate leveraging NGINX/Apache etc. Core team discussed, and we may not move off current path, but we will discuss/continue with spike. Axel to add thoughts on what we might investigate on this page: Authentication and Authorization

Tod Olson posted something to Discuss. He is also going to be the champion for a potential Tech Council issue (ABI-016).

Axel has documented a few suggestions on the Wiki.

There are security issues that are currently being worked/resolved. So, at this point there isn't anything further for the Security Team to do - the course of discussions in the project will determine if there are more actions.


Review open security issues | Team