Web Admin - PAPI Key Management Permissions
With 7.1, Polaris administrative settings can now be accessed on the web, which includes PAPI Key Management. However, the PAPI keys can be accessed and changed today by anyone with the permission 'Access Administration - Allow' (which gives basic access to system admin settings).
We give some of our staff access to admin settings, for activities like adding workstations and updating branch hours. As it stands these users can access and change the API settings through web-admin, but they should be secured so only systems administrators have access. This will be barrier for us sharing web-admin with our staff in the future, and moving admin activities from the client to the web.
There should be more granular, PAPI Key Management-specific permissions, so that only appropriate users can access or change these, not anyone with admin access.
Idea Value
For customers who use API keys, and also give some staff access to system administration functions, this is likely to be a security gap, and may prevent them from moving all staff functions off the client.
Jason Tenter
shared this idea
-
Wes Osborn
commented
In addition to hampering our ability to move away from the staff client and making us less secure, we also have to find another way to actively prevent people with client admin access from getting to the PolarisSA on the web. There is no separate permission for the web interface. So, if you have access to desktop SA in any form, you have access to Web SA which means you have access to and can manipulate PAPI keys. Which means that even if we don't want people to use it, we can't really prevent them without using another tool/method and still give them access to the desktop client. Those without more sophisticated tooling will then have to forgo the Polaris web SA altogether or risk exposing their API keys to anyone with any level of SA access (even if you preferred they stayed on the desktop).
-
Alison Hoffman
commented
This is vital, especially in a consortium setting.
-
This is vital. Without the separation of PAPI key access, we cannot allow library staff to have access to the other parts of the SA settings, which in turn delays the transition away from the desktop client.
-
Marie Martin
commented
Jumping in here to add my 2 cents. We also agree that the lack of granularity and separation of permissions is definitely problematic for consortia.
-
Lynn Reynish
commented
Aside from the very poor security this is in general, which has been noted well by others, this is also not useful from a consortium perspective. Managing an ILS in a consortium is a lot of work and it functions better when the member library systems can access appropriate areas of SA to do their work and take some of the load off of the consortium office. Web Administration needs to accommodate consortia!
-
Eric Young
commented
It is sad to think the security related idea had been here for 3+ years and nothing...
This is just more proof that Idea Exchange needs improvements!
-
Brad
commented
Having just gotten access to the Web Admin with the changes in authentication, the lack of separate permissions for PAPI access will prevent me from having staff use the web interface for the reasons Jason outlined. In fact, I'll need to dial back some staff access in general due to this issue.
-
AdminWes Osborn
(Admin, Innovative)
commented
Also, the API key itself shouldn't be visible to ANYONE.
Modern security practice is that you get ONE chance to see the actual key during the creation step and then after that all you can do is disable/delete it.
-
Eric Young
commented
Yes please!
