For us this is not a new problem. Even when using the telnet interface, once a workstation is logged on, anyone who walks up to it can check in, check out and view a patron record. Those functions have never required individual authorizations, just a login. (We use departmental logins and individual userids and passwords for staff requiring advanced functions.)
We have not advertised this to our staff as this means that Acquisitions, Cataloging, Collection Development and Reference staff can circulate and check patron records. We hope they have not figured this out.
I expect to have more control when we implement Millennium Circ, as that will run only on the Circulation Workstations and not be available to other departments.
Support Systems Analyst, Senior
Library Instruction, Systems and Technology (LIST)
ASU Libraries, Tempe, AZ 85287-1006
Voice (480) 965-9427 Fax (480) 965-7595
From: Jonathan Jiras [mailto:jjjwml@xxxxxxxxxx]
Sent: Tuesday, July 10, 2001 9:47 AM
Subject: More on Millennium Circulation passwords
Helga, Said, Dan, and others,
Thanks for taking the time to respond. Unfortunately I still have not figured out
a way around what I think is a serious problem.
Here it is again stated more succinctly:
Once MillCirc loads, or even after the keyboard time out has cleared the
initials, the ability to see a patron's brief record is available without
requiring initials and passwords. All they have to do is type "nSmith" in the
search box and hit "search." A list of all "Smiths" will appear, they can scroll
through and view the brief records at their leisure without being prompted for
initials and password.
--prompting users for initials upon logging in doesn't work because a user can
hit the cancel button and get in anyway.
--associating the login with a specific set of initials that has no authority
to do anything won't work. -- they can still search for a patron and see the
--not associating the login with a specific set of initials won't work either.
They too can still search for a patron and see the brief record
I've read the help files, seen the login manager tutorial, read the notes to the
authentication session that was presented at the IUG, and read the several public
and private replies to my original message. It still seems that there is no way
to replicate the telnet experience:
--automatic login (which is good because there is no username and password for
the students to remember, and no security hole)
--require a username and password for users to see the patron record or do
*anything* at all on the system.
Does anyone know a way to require initials and passwords for users to see the
patron data in MillCirc?
P.S. For another example of how "...there are issues regarding MilCirc
passwording... that may require some difficult local decisions... especially
...[for libraries that move] from the text-based system to MilCirc..." see:
-Jon Jiras, RIT