2020-10-30 Meeting Notes - Security

Date

30 Oct 2020

Attendees

Discussion items

Time | Item | Who | Notes

Review Security Issues (Team): Review Kanban board (no new issues that haven't been reviewed)

Safe harbor, policies

Have sent Safe Harbor Statement/Acceptable Use Policy to Lawyer at Duke for review - after agreeing to review, they declined to comment due to possible conflict of interest (with Duke being a contributor, participant and user of FOLIO). Mike Gorrell to reach out to OLF lawyer again for a quote.

Quote is for $450-$900. Asked for approval to move forward.

Have not heard back - will follow up next week.


RMB-743 (Julian Ladisch)

A topic for tomorrow's meeting: There is a request (RMB-743) that we add a backdoor to FOLIO to avoid using proper Single-Sign-On: When RMB gets a request with the preserveMetadata parameter then any audit data (createdByUserId, changedByUserId) can be set. That way an external server-side web app that ships with some hard-coded admin credentials can write the id of any user X into the audit data without having user X's restrictions: This works even if user X has been disabled or if user X doesn't have the permissions for the request.
What is the opinion of the security group? Should we support the request, or should we require that the external server-side web app uses a proper login of the actual user similar to the existing mod-saml-login?
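
The contrast described in the RMB-743 note, as an added illustration that is not RMB's or FOLIO's own code: the first function accepts client-supplied audit ids when preserveMetadata is set, so the app's own (admin) identity never appears in the record; the second derives the audit ids only from the authenticated caller, refuses a disabled caller, and rejects rather than silently accepts a client-supplied id that names someone else. The `Caller` type, the `stored` argument (metadata of the existing record on an update) and the sample values are constructed for this example.

```python
"""Constructed example (not RMB code): audit metadata from the caller, not the body."""
from dataclasses import dataclass

# Field names as used in the RMB-743 discussion above.
AUDIT_FIELDS = ("createdByUserId", "changedByUserId")


@dataclass(frozen=True)
class Caller:
    """Hypothetical stand-in for what the gateway token resolves to."""
    user_id: str
    active: bool


class AuditRejected(Exception):
    """Raised when the request tries to attribute a change to someone else."""


def metadata_trusting_client(caller, body, preserve_metadata):
    """The behaviour the request asks for: with preserveMetadata the ids in
    the body are stored as-is, so an app holding admin credentials can write
    any user's id into the audit trail, active or not, permitted or not."""
    meta = dict(body.get("metadata", {}))
    if preserve_metadata:
        return meta
    meta["changedByUserId"] = caller.user_id
    meta.setdefault("createdByUserId", caller.user_id)
    return meta


def metadata_from_caller(caller, body, stored=None):
    """Hardened variant: audit ids are derived from the authenticated caller
    (on an update, createdByUserId is kept from the stored record). If the
    app wants a change attributed to user X, it must authenticate as X."""
    if not caller.active:
        raise AuditRejected("caller account is disabled")
    supplied = body.get("metadata", {})
    for field in AUDIT_FIELDS:
        # A client may echo its own id back, but may not name anyone else.
        if field in supplied and supplied[field] != caller.user_id:
            raise AuditRejected(f"{field} may not be set by the client")
    meta = {}
    if stored and "createdByUserId" in stored:
        meta["createdByUserId"] = stored["createdByUserId"]
    else:
        meta["createdByUserId"] = caller.user_id
    meta["changedByUserId"] = caller.user_id
    return meta


# Constructed sample: an app authenticated with a service/admin account
# sends a body that claims the change was made by "user-x".
APP = Caller(user_id="svc-admin", active=True)
BODY = {"metadata": {"createdByUserId": "user-x", "changedByUserId": "user-x"}}

if __name__ == "__main__":
    print(metadata_trusting_client(APP, BODY, preserve_metadata=True))
    try:
        metadata_from_caller(APP, BODY)
    except AuditRejected as exc:
        print("rejected:", exc)
    print(metadata_from_caller(APP, {}, stored={"createdByUserId": "user-a"}))
```

The point of the second function is that the audit record can only ever carry the identity the platform itself verified, which is what a proper login of the actual user (as with mod-saml-login) provides and what a shared hard-coded credential cannot.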


Craig will add a comment to the issue (potentially to split into 2 issues, adding the thoughts of the Security Group) and link a Tech roadmap item related to Service Accounts.