Skip to content
Idea Exchange
← ILS - Polaris

How can we improve Polaris?

ILS - Polaris: Discovery & OPAC

Categories

JUMP TO ANOTHER FORUM

(thinking…)

Recently Activity

Vega Program Updated

Block room reservations too far in advance and same day reservations automatically

ALREADY SUPPORTED

Innovative Mobile Updated

ebooks and eaudiobooks have vendor information provided

UNDER REVIEW

Vega Discover Updated

Owning Libraries Not Showing B/C of Too Many Items on a Record

UNDER REVIEW

Vega Discover Updated

Checkouts: More Information, Please

UNDER REVIEW

ILS - Sierra Updated

Merge duplicate bib records

Cataloging & Metadata Management ALREADY SUPPORTED

ILS - Polaris Updated

Ability to remove spaces from call numbers in Leap

Cataloging & Metadata Management UNDER REVIEW

ILS - Polaris Updated

Add Library Level to Hold Pickup Limit

Circulation, Access Services & Fulfillment UNDER REVIEW

Don't see your product?

Visit the ExLibris Idea Exchange

Including Alma, Primo, Summon and more

Visit the ProQuest Idea Exchange

Including Ebook Central, PQ Dissertations and Theses and more

Web Admin - PAPI Key Management Permissions

With 7.1, Polaris administrative settings can now be accessed on the web, which includes PAPI Key Management. However, the PAPI keys can be accessed and changed today by anyone with the permission 'Access Administration - Allow' (which gives basic access to system admin settings).

We give some of our staff access to admin settings, for activities like adding workstations and updating branch hours. As it stands these users can access and change the API settings through web-admin, but they should be secured so only systems administrators have access. This will be barrier for us sharing web-admin with our staff in the future, and moving admin activities from the client to the web.

There should be more granular, PAPI Key Management-specific permissions, so that only appropriate users can access or change these, not anyone with admin access.

Idea Value
For customers who use API keys, and also give some staff access to system administration functions, this is likely to be a security gap, and may prevent them from moving all staff functions off the client.

10 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Jason Tenter shared this idea  ·   ·  Report…  ·  Admin →
How important is this to you?

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • AdminWes Osborn (Admin, Innovative) commented  ·   ·  Report

    Also, the API key itself shouldn't be visible to ANYONE.

    Modern security practice is that you get ONE chance to see the actual key during the creation step and then after that all you can do is disable/delete it.