FOLIO Security Subcommittee Charge:

This document defines the processes, membership, and duties of the Cornell Library FOLIO Security Subcommittee (hereafter “FSS”). 

Helpful information about FOLIO permissions and permission sets can be found at Permission Documentation and Detailed Permission Sets.

Membership

The FSS comprises up to 6 CUL staff members from a variety of areas. Thomas Trutt, FOLIO Support Team Lead, is Chair. The Chair will be responsible for convening the group as needed and will make decisions on unclear security situations that require an independent decision. 

Responsibilities

The FSS is responsible for maintaining all FOLIO user permissions at Cornell. Among the specific duties of the FSS are:

  • Assigning, updating, and removing staff and student employee permissions when user assignments change (new hire, change in duties, departure, etc.). Security requests will be initiated and sent by CUL HR or the user’s supervisor, as appropriate. Supervisors may request changes to their own permissions, or to their staff members’.
  • Working as a team to promptly respond to incoming FOLIO access requests, which will come in via a FOLIO security queue in TeamDynamix (TDX).
  • Applying the Principle of Least Privilege to all requests – for example, if a user just needs view-only rights, then that is all they will receive. Also, very sensitive and potentially destructive access will be carefully guarded (such as system settings and user management). The FSS is also empowered to question a request that seems to ask for broader access than a user really needs.
  • Regularly reviewing FOLIO permission assignments to make sure the above principle is consistently applied. Specific attention should be paid to who has folio_admin and similarly broad permission sets.
  • The FSS will maintain and publicize documentation on FOLIO permission descriptions to help guide decisions on permission assignments.
  • If new permission sets are needed, the FSS will discuss them and create them as appropriate.
  • Members of the FSS should also stay up to date on changes in FOLIO permissions and permission sets as hot fixes and new releases come out. They will regularly update the permissions documentation as appropriate.

The FSS members themselves have extremely broad administrative permissions, which they must use with caution.

FSS Request Flow Chart

  • Requests must provide the employee’s name, NetID, employment status (staff or student), and if known, the appropriate permission group or set of permissions to apply. If unknown, identify a staff member with similar duties and consider applying their permission set, with input from other FSS members as appropriate.
  • If the correct permissions cannot be easily determined, member(s) of the FSS should discuss details of the user’s assignment with the supervisor or HR and render a decision.
  • Some modules should be highly restricted (especially Settings that can impact the whole system).
  • User management rights should also be carefully controlled and monitored.
  • The FSS standard response time will be within 24 hours of a request, Monday through Friday.
  • Any unclear, questionable, or vague requests can be brought to the Chair for resolution.

Out of Scope

Location data management is proposed to be out of scope, unless it has obvious security ramifications.

Security Team membership:  

  • LTS Representatives 
    • Jean Pajerek
    • Lisa Maybury
  • Access & Public Services Representatives 
    • Thomas Trutt, Convener
    • Darla Critchfield
  • Desktop Services Representative 
    • Amy Blumenthal
  • Reporting Representative
    • Vandana Shah
  • CUL EBSCO liaison
    • Debra Howell