Web Admin - PAPI Key Management Permissions
With 7.1, Polaris administrative settings can now be accessed on the web, which includes PAPI Key Management. However, the PAPI keys can be accessed and changed today by anyone with the permission 'Access Administration - Allow' (which gives basic access to system admin settings).
We give some of our staff access to admin settings, for activities like adding workstations and updating branch hours. As it stands these users can access and change the API settings through web-admin, but they should be secured so only systems administrators have access. This will be a barrier for us sharing web-admin with our staff in the future, and moving admin activities from the client to the web.
There should be more granular, PAPI Key Management-specific permissions, so that only appropriate users can access or change these, not anyone with admin access.
Idea Value
For customers who use API keys, and also give some staff access to system administration functions, this is likely to be a security gap, and may prevent them from moving all staff functions off the client.

-
Alison Hoffman commented
This is vital, especially in a consortium setting.
-
This is vital. Without the separation of PAPI key access, we cannot allow library staff to have access to the other parts of the SA settings, which in turn delays the transition away from the desktop client.
-
Marie Martin commented
Jumping in here to add my 2 cents. We also agree that the lack of granularity and separation of permissions is definitely problematic for consortia.
-
Lynn Reynish commented
Aside from the very poor security this is in general, which has been noted well by others, this is also not useful from a consortium perspective. Managing an ILS in a consortium is a lot of work and it functions better when the member library systems can access appropriate areas of SA to do their work and take some of the load off of the consortium office. Web Administration needs to accommodate consortia!
-
Eric Young commented
It is sad to think the security related idea has been here for 3+ years and nothing...
This is just more proof that Idea Exchange needs improvements!
-
Brad commented
Having just gotten access to the Web Admin with the changes in authentication, the lack of separate permissions for PAPI access will prevent me from having staff use the web interface for the reasons Jason outlined. In fact, I'll need to dial back some staff access in general due to this issue.
-
Wes Osborn (Admin, Innovative) commented
Also, the API key itself shouldn't be visible to ANYONE.
Modern security practice is that you get ONE chance to see the actual key during the creation step and then after that all you can do is disable/delete it.
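The two controls raised in this thread, a separate permission for key management and a key secret that is shown once at creation and never again, are illustrated below in an added example. This is not Polaris or Innovative code; the permission names "Access Administration - Allow" (from the idea text) and "PAPI Key Management - Allow" (assumed, the separate permission the idea asks for) and the in-memory store are constructed for the illustration. The store keeps only a SHA-256 digest of each secret, so listing keys can never reveal them, and after creation the only operations are verify, disable and delete.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Permission names: the first is quoted in the idea text, the second is the
# assumed, separate PAPI-key permission the idea asks for (hypothetical).
PERM_ACCESS_ADMIN = "Access Administration - Allow"
PERM_MANAGE_API_KEYS = "PAPI Key Management - Allow"


class PermissionDenied(Exception):
    """Raised when a user lacks the permission an operation requires."""


@dataclass
class User:
    name: str
    permissions: set[str] = field(default_factory=set)


@dataclass
class StoredKey:
    key_id: str
    digest: str  # SHA-256 of the secret; the secret itself is never stored
    enabled: bool = True


class ApiKeyStore:
    """In-memory key store (constructed for this example) enforcing the two controls."""

    def __init__(self) -> None:
        self._keys: dict[str, StoredKey] = {}

    @staticmethod
    def _require(user: User, perm: str) -> None:
        if perm not in user.permissions:
            raise PermissionDenied(f"{user.name} lacks '{perm}'")

    def create(self, user: User) -> tuple[str, str]:
        """Create a key; the plaintext secret is returned here and nowhere else."""
        self._require(user, PERM_MANAGE_API_KEYS)
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self._keys[key_id] = StoredKey(key_id, digest)
        return key_id, secret

    def list_keys(self, user: User) -> list[tuple[str, bool]]:
        """General admin access may see which keys exist, never their secrets."""
        self._require(user, PERM_ACCESS_ADMIN)
        return [(k.key_id, k.enabled) for k in self._keys.values()]

    def disable(self, user: User, key_id: str) -> None:
        self._require(user, PERM_MANAGE_API_KEYS)
        self._keys[key_id].enabled = False

    def delete(self, user: User, key_id: str) -> None:
        self._require(user, PERM_MANAGE_API_KEYS)
        del self._keys[key_id]

    def verify(self, key_id: str, presented: str) -> bool:
        """Check a presented secret against the stored digest in constant time."""
        stored = self._keys.get(key_id)
        if stored is None or not stored.enabled:
            return False
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        return hmac.compare_digest(stored.digest, presented_digest)


def staff_can_create_key(store: ApiKeyStore, user: User) -> bool:
    """True if the user is allowed to create a key; used to show the separation."""
    try:
        store.create(user)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    sysadmin = User("sysadmin", {PERM_ACCESS_ADMIN, PERM_MANAGE_API_KEYS})
    branch_staff = User("branch_staff", {PERM_ACCESS_ADMIN})
    store = ApiKeyStore()
    key_id, secret = store.create(sysadmin)
    print("staff can create keys:", staff_can_create_key(store, branch_staff))
    print("listing shows only ids:", store.list_keys(branch_staff))
    print("valid secret verifies:", store.verify(key_id, secret))
    store.disable(sysadmin, key_id)
    print("after disable:", store.verify(key_id, secret))
```

The point of the split is that a user holding only the general admin permission can add workstations or update branch hours and still not create, disable or delete PAPI keys, and no permission at all, not even the key-management one, can read a secret back out of the store.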
-
Eric Young commented
Yes please!