2020-10-30 Meeting Notes - Security

Owned by Mike Gorrell
Last updated: Oct 30, 2020
1 min read

Date

30 Oct 2020

Attendees

Discussion items

TimeItemWhoNotes

 Review Security IssuesTeam Review Kanban board (no new issues that haven't been reviewed)

Safe harbor, policies

Mike Gorrell

Have sent Safe Harbor Statement/Acceptable Use Policy to Lawyer at Duke for review - after agreeing to review, they declined to comment due to possible conflict of interest (with Duke being a contributor, participant and user of FOLIO). Mike Gorrell  to reach out to OLF lawyer again for a quote.

Quote is for $450-$900. Asked for approval to move forward.

Have not heard back - will follow up next week.


RMB-743Julian Ladisch

A topic for tomorrow's meeting: There is a request (RMB-743) that we add a backdoor to FOLIO to avoid using proper Single-Sign-On: When RMB gets a request with the preserveMetadata parameter then any audit data (createdByUserId, changedByUserId) can be set. That way an external server-side web app that ships with some hard-coded admin credentials can write the id of any user X into the audit data without having user X' restrictions: This works even if user X has been disabled or if user X doesn't have the permissions for the request.
What is the opinion of the security group? Should we support the request, or should we require that the external server-side web app uses a proper login of the actual user similar to the existing mod-saml-login?


Craig will add a comment to the issue (potentially to split into 2 issues, adding the thoughts of the Security Group) and link a Tech roadmap item related to Service Accounts.