On workstation- and/or location-based permissions


#1

How does FOLIO know where the workstation is located? Is this some sort of workstation location registry that would have to be maintained?


Permissions Models
#2

To the best of my knowledge, the precise mechanism has yet to be determined. Filip’s user interface prototype has a page as part of the login process that prompts the user for their location. There could be more sophisticated ways of handling this. I wonder if we need some sort of plug-in mechanism for determining this – perhaps as part of the pluggable authentication mechanism (e.g. LDAP vs. Shibboleth vs. built-in user database).


#3

Do we really need to handle this at the workstation level? Wouldn’t it be more fruitful to think about associating user logins with circulation desk locations by default? Some users (especially those working in multiple locations or responsible for multiple locations) would need the ability to change their circulation desk at times, so we would need a way for them to do that. Also, wouldn’t we want to enable remote logins that would allow staff to perform work from other locations when needed? I can’t think of examples within circulation where we would want to manage this literally at the workstation level. It is, however, important to specify permissions at the circulation desk level (as opposed to the shelving location level). Some items may only be permitted to circulate from specific circulation points and circulation desks are also important for triggering transits between circulation desks when materials are returned for checkin.


#4

I wasn’t part of the group that worked with @filipjakobsen to design the user interface prototype as it exists now, and the UI prototype does not go into the level of detail as to what would change when one selected a different login location. (Filip: Is there anything you can say about your research and conversation with the subject matter experts on this?) I do know that a special interest group for circulation subject matter experts is being formed right now, and that the SIG charter will be posted soon. (Can someone from the Product Council elaborate?)

Thanks for the pointer to Internet2’s Grouper. I dug down a little bit in the documenation and found Grouper Role and Permission Management page in the Wiki. At first glance it seems like there is conceptual overlap with the permission model being considered for FOLIO, specifically these two points:

  • Roles can be configured to imply other roles. For example a Senior Loan Administrator is a Loan Administrator, plus a few more security grants. Roles can be connected like a directed graph of role inheritance
  • Permissions can grouped into permissionSets. E.g. if an organization hierarchy was represented as permissions, then the higher level organizations can imply the lower level ones. Note this does not have to be a hierarchy

#5

Regarding which location the user is currently at: FOLIO being a web interface, a manual selection would be the most straight-forward solution without additional system setup. There might be a good way to allow the system to figure it out itself; In which case we just need to make sure it’s easy to set up without an in-house tech team – which not all organizations have.


#6

Hmmm – good point, Filip. We should add this as a question for the new User Management SIG. [Pinging @cam2, and I think it is worthwhile to split this off into a new topic, so I’ll set that up.]