2019-10-02 User Management Meeting notes

Meeting URL

https://zoom.us/j/488543197

Date

02 Oct 2019

Attendees

• (OLD ACCOUNT) Erin Nettifee

• Maura Byrne

• patty.wanninger

• Uschi Klute Klute
• Philip Robinson
• Björn Muschall
• Jana Freytag
• Catherine Smith
• jackie.gottlieb@duke.edu (Deactivated)
• Michelle Suranofsky
• Edd Merkel
• Kelly Drake
• Thomas Paige

Goals

Notetaker: Erin

• Welcome to Catherine Smith, our new member from the University of Alabama.
• Barcode management – do we want to keep a list of unique barcode numbers in FOLIO? Also, what should FOLIO do with a barcode   when a user loses their ID?  What if the user then finds their ID? (added by Maura Byrne)
• Notes, especially regarding tickets for external ID and departments
  • Feature request for notes on records being displayed in pop-up or other contexts. (Steffi)
  • Because this involves the Check in and Check Out apps, this may end up needing to be a feature request for RA to manage.
• Reviewing requirements that have been created and attached for Custom Fields ( UXPROD-33 - Getting issue details... STATUS ) (Erin)

If we have additional time:

• Multiple Phone numbers UIU-254 - Getting issue details... STATUS (Erin)
• multiple e-mail addresses - There is no JIRA for this? (Uschi)
• More topics from the Open Topics list

Action items from last meetings

• Patty will create a feature to add validation to the (required) e-mail field
  (see also LIBAPP-94 - Getting issue details... STATUS - but these proposals do not appear to have been implemented.)
• Patty will file a bug or feature to have Expiration date and Status actually decoupled from each other. (also refering to UIU-1255 - Getting issue details... STATUS )
• Patty creates a JIRA issue: The field Birth date is not validated, you can enter a date in the future.
• Patty suggests that Theodor Tolstoy presents the Chalmers SSO solution to us at one of the next meetings. Patty will reach out to Theodor to see about scheduling a time.
• Patty will file a feature to work on password rules. It's difficult to find out which character combinations are allowed → It's not userfriendly. Proposal: make the password strength configurable
• UXPROD-242 - Getting issue details... STATUS Patty will ask the CAP plan group for feedback. Erin will work with Patty to write a user story for a "thin thread" v.1 of this - a flag or checkbox on record, that if checked, would cause a record to not be updated.
• Patty will write a feature about Improving Search in the Users App so that it can be ranked. - It's UXPROD-2092
• Patty will work on a story for preferred name/preferred pronouns UXPROD-1790 - Getting issue details... STATUS ("New feature")
• Patty will write a Feature Request for the enhancement os User search (for exact match like "Li")
• Patty will create a feature request for deleting user data.
• Patty will ask Magda (the reporter on  UXPROD-1811 - Getting issue details... STATUS ) for a status.  It may not be a UM-SIG issue.

Notes

• Welcome to Catherine Smithfrom University of Alabama
• Barcodes
  • Do we want to keep a list of unique barcode numbers in FOLIO?
  • What should FOLIO do with a barcode  when a user loses their ID? 
  • What if the user then finds their ID? (added by Maura Byrne)
  • The user record has all the loans and fees - only the barcode would be changed on the record. You don't need to move any other loan records.
  • Catherine - in Voyager, it will save the barcodes that have been added.
  • Is there a need to retain old IDs, or discard old IDs, on the user record?
• Notes- Steffi's discussion about patron notes and whether they should pop up.
  • Steffi was not able to join us.
  • Discussion about whether blocks would function - can we get an information block? Or something on the notes with a flag?
  • Patty will reach out to Holly to get a sense of what might be possible.
• Custom Fields
  • Patty will ask Khalilah just to confirm what's being planned since the main UXPROD has no custom label.
• Overly Strict Password Rules
  • MODLOGIN-38 - Getting issue details... STATUS
  • Were these rules actually discussed with UM SIG? No one knows.
  • References mentioned in the comments:
    • NIST - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

    • German Federal recommendations: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/International/GSK_15_EL_EN_Draft.html?nn=6604828 pages 1404-1405.

    • US government password standards? Same as NIST?
  • NIST prefers long passwords, with less strict password controls:
    "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. (...)
    Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets." (NIST.SP.800-63b.pdf, Chapter 5.1.1.2 Memorized Secret Verifiers)
    Their recommendation to prevent repetitive or sequential characters does not refer to double characters like "ss" in the password "thisisaverylongpassword"
  • This article provides a good summary of the password topic: https://www.pluralsight.com/blog/security-professional/modern-password-guidelines
  • To-Dos:
    • Patty will talk to Khalilah
    • Can group decide on changes we would like to see?
    • Was password strength covered by the Security Audit - were there requirements there that they were trying to meet?
    • We need password strength checking through the New User process - right now, the new user creation allows any password, and the rules kick in with password change.
      • But, if you create a new user with an empty password, you can then send them a link to create a password and that does follow the rules
    • Do we know where the feature is for tenant level control / customization?
  • Simpler character requirements, the ability to use words / long phrases — perhaps with a trade off to have a longer minimum password
• Statistical Categories
  • We had discussed as part of departmental field - ended up deciding for that as a default field with its own Jira
  • Sense that we would use custom fields for these needs? 

Open Topics

Password validation in the ILS of GBV libraries (called "LBS")

In our current ILS we can set these options:

# minimum length, default=0
# Maximum length, default=length of the newly entered password.
# Minimum number of lowercase letters, default=0
# Minimum number of capital letters, default=0
# Minimum number of digits, default=0
# Minimum number of special characters, default=0
# List of allowed special characters, e.g. /$%_-
# Unauthorized words separated by a comma. The user number is generally not allowed. Example: not,yet,or

Translated with www.DeepL.com/Translator