2019-10-02 User Management Meeting notes

Meeting URL

https://zoom.us/j/488543197

Date

Oct 2, 2019

Attendees

• @(OLD ACCOUNT) Erin Nettifee

• @Maura Byrne

• @patty.wanninger

• @Uschi Klute Klute

• @Philip Robinson

• @Björn Muschall

• @Jana Freytag

• @Catherine Smith

• @jackie.gottlieb@duke.edu (Deactivated)

• @Michelle Suranofsky

• @Edd Merkel

• @Kelly Drake

• @Thomas Paige

Goals

Notetaker: Erin

• Welcome to Catherine Smith, our new member from the University of Alabama.

• Barcode management – do we want to keep a list of unique barcode numbers in FOLIO? Also, what should FOLIO do with a barcode   when a user loses their ID?  What if the user then finds their ID? (added by Maura Byrne)

• Notes, especially regarding tickets for external ID and departments

  • Feature request for notes on records being displayed in pop-up or other contexts. (Steffi)

  • Because this involves the Check in and Check Out apps, this may end up needing to be a feature request for RA to manage.

• Reviewing requirements that have been created and attached for Custom Fields (https://folio-org.atlassian.net/browse/UXPROD-33) (Erin)

If we have additional time:

• Multiple Phone numbers https://folio-org.atlassian.net/browse/UIU-254 (Erin)

• multiple e-mail addresses - There is no JIRA for this? (Uschi)

• More topics from the Open Topics list

Action items from last meetings

Notes

• Welcome to @Catherine Smithfrom University of Alabama

• Barcodes

  • Do we want to keep a list of unique barcode numbers in FOLIO?

  • What should FOLIO do with a barcode  when a user loses their ID? 

  • What if the user then finds their ID? (added by Maura Byrne)

  • The user record has all the loans and fees - only the barcode would be changed on the record. You don't need to move any other loan records.

  • Catherine - in Voyager, it will save the barcodes that have been added.

  • Is there a need to retain old IDs, or discard old IDs, on the user record?

• Notes- Steffi's discussion about patron notes and whether they should pop up.

  • Steffi was not able to join us.

  • Discussion about whether blocks would function - can we get an information block? Or something on the notes with a flag?

  • Patty will reach out to Holly to get a sense of what might be possible.

• Custom Fields

  • Patty will ask Khalilah just to confirm what's being planned since the main UXPROD has no custom label.

• Overly Strict Password Rules

  • https://folio-org.atlassian.net/browse/MODLOGIN-38

  • Were these rules actually discussed with UM SIG? No one knows.

  • References mentioned in the comments:

    • NIST - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

    • German Federal recommendations: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/International/GSK_15_EL_EN_Draft.html?nn=6604828 pages 1404-1405.

    • US government password standards? Same as NIST?

  • NIST prefers long passwords, with less strict password controls:
    "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. (...)
    Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets." (NIST.SP.800-63b.pdf, Chapter 5.1.1.2 Memorized Secret Verifiers)
    Their recommendation to prevent repetitive or sequential characters does not refer to double characters like "ss" in the password "thisisaverylongpassword"

  • This article provides a good summary of the password topic: https://www.pluralsight.com/blog/security-professional/modern-password-guidelines

  • To-Dos:

    • Patty will talk to Khalilah

    • Can group decide on changes we would like to see?

    • Was password strength covered by the Security Audit - were there requirements there that they were trying to meet?

    • We need password strength checking through the New User process - right now, the new user creation allows any password, and the rules kick in with password change.

      • But, if you create a new user with an empty password, you can then send them a link to create a password and that does follow the rules

    • Do we know where the feature is for tenant level control / customization?

  • Simpler character requirements, the ability to use words / long phrases — perhaps with a trade off to have a longer minimum password

• Statistical Categories

  • We had discussed as part of departmental field - ended up deciding for that as a default field with its own Jira

  • Sense that we would use custom fields for these needs? 

Open Topics

Password validation in the ILS of GBV libraries (called "LBS")

In our current ILS we can set these options:

# minimum length, default=0
# Maximum length, default=length of the newly entered password.
# Minimum number of lowercase letters, default=0
# Minimum number of capital letters, default=0
# Minimum number of digits, default=0
# Minimum number of special characters, default=0
# List of allowed special characters, e.g. /$%_-
# Unauthorized words separated by a comma. The user number is generally not allowed. Example: not,yet,or

Translated with www.DeepL.com/Translator