Staff's ability to make item bulk changes should follow permissions for item record change
Currently item bulk change functionality allows staff to bulk change fields that they can't change in individual item records. This allows staff to modify item records using bulk change when they're blocked from modifying directly in the item record. The same permissions should apply to bulk change:
• Item records: Modify cataloging view
• Item records: Modify source and acquisitions view
• Item records: Modify reserves view
• Item records: Modify history view
The library feels this is a data security risk. Fundamentally, here is the question: what is the purpose of the permission Item records: Modify cataloging view?
If the purpose is data security, to protect certain data from accidental or purposeful editing by individuals whose job does not require write permissions to the data protected by that permission, then why are these individuals allowed to do that editing in a bulk interface?
Amy Emery
shared this idea
-
Joyce Peter
commented
One of our former circ staff members used bulk change to erase the collection code on around 1,500 item records and that was not an easy thing to clean up as it involved dozens of collections. One of the reference staff has changed the ownership field when using bulk change-- and done it more than once even after receiving an admonition from me. I have more examples of unfortunate batch changes, but the bottom line is that if the catalogers or sys admin doesn't want staff to have the ability the modify a single item record-- they certainly shouldn't be allowed to modify thousands through a backdoor.
-
Mary Kruse
commented
Would love to have this change!
-
David Pimentel
commented
I was unaware of this permission loophole; now it's likely to give me nightmares.
-
Erin Shield
commented
I didn't realize that bulk change was set up differently. This feels more like a bug than an enhancement. Are there other areas where permissions for individual functionality are overwritten by permissions for bulk functionality??
-
Emma Olmstead-Rumsey
commented
Yes, please make this change! The very fact that the same action has different permissions depending on the access point or workform used to potentially make the change is already bizarre. The fact that there's a permission allowing someone to take action X on 1,000 records but not on one record just makes it worse.
-
Carmi Parker
commented
My library discovered this issue because circulation staff mistakenly bulk edited several cataloging fields, that, per our permissions schema, only catalogers can edit. In further testing, I found that bulk edit allows circ staff to edit or delete any field, including mission critical ones that only our catalogers should touch, like call number, loan period, etc. The proposed workaround is to not let circ staff use bulk edit, a feature they currently use on hundreds of items per day when they are weeding, shifting books by branch location, shifting books to different shelf locations, and other tasks. So, the workaround doesn't work for us.
-
Amy Mihelich
commented
We run into this when having to correct mistaken bulk changes. A staff member is bulk changing item records and accidentally changes a field that they didn't mean to (such as assigned branch) and then is unable to correct the item records and has to request support. It would be a work and time-saver if there were a failsafe to prevent this.