2019-10-02 User Management Meeting notes

Meeting URL

https://zoom.us/j/488543197

Date

Attendees

Goals

Notetaker: Erin

  • Welcome to Catherine Smith, our new member from the University of Alabama.
  • Barcode management – do we want to keep a list of unique barcode numbers in FOLIO? Also, what should FOLIO do with a barcode   when a user loses their ID?  What if the user then finds their ID? (added by Maura Byrne)
  • Notes, especially regarding tickets for external ID and departments
    • Feature request for notes on records being displayed in pop-up or other contexts. (Steffi)
    • Because this involves the Check in and Check Out apps, this may end up needing to be a feature request for RA to manage.
  • Reviewing requirements that have been created and attached for Custom Fields ( UXPROD-33 - Getting issue details... STATUS ) (Erin)

If we have additional time:

  • Multiple Phone numbers UIU-254 - Getting issue details... STATUS (Erin)
  • multiple e-mail addresses - There is no JIRA for this? (Uschi)
  • More topics from the Open Topics list

Action items from last meetings

  • Patty will create a feature to add validation to the (required) e-mail field
    (see also LIBAPP-94 - Getting issue details... STATUS - but these proposals do not appear to have been implemented.)
  • Patty will file a bug or feature to have Expiration date and Status actually decoupled from each other. (also refering to UIU-1255 - Getting issue details... STATUS )
  • Patty creates a JIRA issue: The field Birth date is not validated, you can enter a date in the future.
  • Patty suggests that Theodor Tolstoy presents the Chalmers SSO solution to us at one of the next meetings. Patty will reach out to Theodor to see about scheduling a time.
  • Patty will file a feature to work on password rules. It's difficult to find out which character combinations are allowed → It's not userfriendly. Proposal: make the password strength configurable
  • UXPROD-242 - Getting issue details... STATUS Patty will ask the CAP plan group for feedback. Erin will work with Patty to write a user story for a "thin thread" v.1 of this - a flag or checkbox on record, that if checked, would cause a record to not be updated.
  • Patty will write a feature about Improving Search in the Users App so that it can be ranked. - It's UXPROD-2092
  • Patty will work on a story for preferred name/preferred pronouns UXPROD-1790 - Getting issue details... STATUS ("New feature")
  • Patty will write a Feature Request for the enhancement os User search (for exact match like "Li")
  • Patty will create a feature request for deleting user data.
  • Patty will ask Magda (the reporter on  UXPROD-1811 - Getting issue details... STATUS ) for a status.  It may not be a UM-SIG issue.


Notes

  • Welcome to Catherine Smithfrom University of Alabama
  • Barcodes
    • Do we want to keep a list of unique barcode numbers in FOLIO?
    • What should FOLIO do with a barcode  when a user loses their ID? 
    • What if the user then finds their ID? (added by Maura Byrne)
    • The user record has all the loans and fees - only the barcode would be changed on the record. You don't need to move any other loan records.
    • Catherine - in Voyager, it will save the barcodes that have been added.
    • Is there a need to retain old IDs, or discard old IDs, on the user record?
  • Notes- Steffi's discussion about patron notes and whether they should pop up.
    • Steffi was not able to join us.
    • Discussion about whether blocks would function - can we get an information block? Or something on the notes with a flag?
    • Patty will reach out to Holly to get a sense of what might be possible.
  • Custom Fields
    • Patty will ask Khalilah just to confirm what's being planned since the main UXPROD has no custom label.
  • Overly Strict Password Rules
    • MODLOGIN-38 - Getting issue details... STATUS
    • Were these rules actually discussed with UM SIG? No one knows.
    • References mentioned in the comments:
    • NIST prefers long passwords, with less strict password controls:
      "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. (...)
      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets." (NIST.SP.800-63b.pdf, Chapter 5.1.1.2 Memorized Secret Verifiers)
      Their recommendation to prevent repetitive or sequential characters does not refer to double characters like "ss" in the password "thisisaverylongpassword"
    • This article provides a good summary of the password topic: https://www.pluralsight.com/blog/security-professional/modern-password-guidelines
    • To-Dos:
      • Patty will talk to Khalilah
      • Can group decide on changes we would like to see?
      • Was password strength covered by the Security Audit - were there requirements there that they were trying to meet?
      • We need password strength checking through the New User process - right now, the new user creation allows any password, and the rules kick in with password change.
        • But, if you create a new user with an empty password, you can then send them a link to create a password and that does follow the rules
      • Do we know where the feature is for tenant level control / customization?
    • Simpler character requirements, the ability to use words / long phrases — perhaps with a trade off to have a longer minimum password
  • Statistical Categories
    • We had discussed as part of departmental field - ended up deciding for that as a default field with its own Jira
    • Sense that we would use custom fields for these needs? 

Open Topics

ItemWhoNotesDiscussed Today?Resolution / Next StepsCarry topic?

Searching by specific fields

Erin

Right now Users has general keyword searching; we will want to be able to search specific fields - IDs, emails, addresses, notes?

Perhaps one of these issues fits:

UXPROD-1015 - Getting issue details... STATUS

UXPROD-907 - Getting issue details... STATUS (New feature)

UXPROD-869 - Getting issue details... STATUS (Epic)

UXPROD-1941 - Getting issue details... STATUS (new feature)

UIU-1028 - Getting issue details... STATUS (Story)



  • Uschi did additional testing - see notes from 2019-09-11 Meeting notes
  • Erin to discuss with RA SIG requirements for fielded searching
  • Erin to investigate a searching 
  • Patty will create a Feature Request.
Yes; this is not yet resolved.
Pop-ups on user transactionsSteffinotes may be used for communication about users, and pop-ups on user transaction (or displaying of notes) is desired. Khalilah indicated this should be raised as a new feature request.
  • May need to be raised with RA SIG

Deleting User Records

Erin

Discussing the need for deleting patron records (no Jira currently; need for one discussed in comments of https://folio-org.atlassian.net/browse/UIU-1079)

UXPROD-291 - Getting issue details... STATUS


  • Patty will make a Feature Request
  • User Stories need to be writtten
  • Topic is also discussed by Reporting SIG

Password validationUschi

refering to Action Item "Create Feature for password rules"

This is the story for the validation of passwords: MODLOGIN-38 - Getting issue details... STATUS

Some of the rules seem to restrict too much. We would like to configure the password strength. See configuration options in the ILS the GBV libraries use now (at the bottom of this page)




Custom FieldsUschi

UXPROD-33 - Getting issue details... STATUS

the tag cap-mvp has been removed, but development goes on


The tag was removed, and this was dropped from the MVP due to capacity (discussed at RA SIG meeting)

We can and probably should review the requirements that Khalilah has generated; they are attached to the master Jira.


Password validation in the ILS of GBV libraries (called "LBS")

In our current ILS we can set these options:

# minimum length, default=0
# Maximum length, default=length of the newly entered password.
# Minimum number of lowercase letters, default=0
# Minimum number of capital letters, default=0
# Minimum number of digits, default=0
# Minimum number of special characters, default=0
# List of allowed special characters, e.g. /$%_-
# Unauthorized words separated by a comma. The user number is generally not allowed. Example: not,yet,or


Translated with www.DeepL.com/Translator