9.2 - Staff Login Security
Introduction
Each Library Service is responsible for its own staff logins to the system and must follow the protocols below to ensure the security of local logins.
9.2.1 - Staff Password Protocols
Local Systems Administrators are responsible for all Workflows logins assigned to staff at their Library Service. In order to ensure security of access to the system, the following protocols must be followed:
- It is recommended that staff login passwords be changed at least once every 12 months. However, this is not enforced in the default PIN Policies - libraries may choose to enforce PIN expiry in their own PIN Policies.
- Different passwords must be used for different classes of staff logins (eg. Circulation, Cataloguing, Supervisors, System Administrators, etc.).
- Staff Workflows login passwords must be a minimum of 6 characters, with at least 1 uppercase, 1 lowercase, and 1 numeric character.
- Supervisor and Local Administrator accounts must be at least 10 characters and include at least 1 of each character type - uppercase, lowercase, numeric and special characters.
- System Administrator passwords must have a minimum of 16 characters and include at least 1 of each character type - uppercase, lowercase, numeric and special character.
Staff logins must always be unique, and easily identifiable as belonging to a particular library service. To ensure this, all logins should be prefixed by the Library Service's two-letter code, whether for generic branch login accounts, or accounts for a specific named individual.
When creating a login ID for staff, avoid hyphens/dashes in the ID, as they can cause ambiguous matches against existing IDs.
NOTE: Local Administrators can create staff logins, except Supervisor-level logins, which can only be created by the System Administration team.
Example login IDs (where XX is the library's two-letter prefix code):
Individual login:
- Staff member John Smith - XXJOHNSMITH
Generic login:
- Branch circulation account - XXNIDCIRC
Wherever possible, logins should be specific to an individual staff member. Generic accounts are best reserved for report ownership (until multi-ownership of reports is provided by SirsiDynix). If generic accounts are used, such as for a branch circulation account, each should be tied to a specific PC: if a branch has two circulation PCs, each PC should be allocated its own unique Symphony login.
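As an added example (not code from the original page or from SirsiDynix), the following Python checker encodes the three password tiers and the login ID naming rules from 9.2.1 so a Local Administrator can test a proposed login before creating it. The prefix list, the treatment of "special" as any non-alphanumeric character, and the hyphen/case normalisation used to detect clashes are assumptions; Symphony's own matching behaviour is not described on this page.

```python
import re

# Password tiers from section 9.2.1. "special" is taken here to mean any
# printable non-alphanumeric character (assumption; the policy does not define it).
TIERS = {
    "staff": {"min_len": 6, "classes": ("upper", "lower", "digit")},
    "supervisor": {"min_len": 10, "classes": ("upper", "lower", "digit", "special")},
    "local_admin": {"min_len": 10, "classes": ("upper", "lower", "digit", "special")},
    "system_admin": {"min_len": 16, "classes": ("upper", "lower", "digit", "special")},
}

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

CLASS_NAMES = {
    "upper": "uppercase letter",
    "lower": "lowercase letter",
    "digit": "digit",
    "special": "special character",
}

# Hypothetical library-service prefix codes; the real list is held by the consortium.
KNOWN_PREFIXES = {"AB", "CD", "XX"}


def check_password(password: str, tier: str) -> list:
    """Return the policy violations for a password at the given tier (empty list = passes)."""
    rule = TIERS[tier]
    problems = []
    if len(password) < rule["min_len"]:
        problems.append(f"shorter than {rule['min_len']} characters")
    for cls in rule["classes"]:
        if not CLASS_PATTERNS[cls].search(password):
            problems.append(f"missing {CLASS_NAMES[cls]}")
    return problems


def normalise(login_id: str) -> str:
    """Strip hyphens and fold case, so IDs that differ only in those ways are treated as clashing."""
    return login_id.replace("-", "").upper()


def check_login_id(login_id: str, existing_ids: set) -> list:
    """Check a proposed Workflows login ID against the naming rules in 9.2.1."""
    problems = []
    if "-" in login_id:
        problems.append("contains a hyphen")
    if login_id[:2].upper() not in KNOWN_PREFIXES:
        problems.append("does not start with a known library-service prefix")
    clash = normalise(login_id)
    for existing in sorted(existing_ids):
        if normalise(existing) == clash:
            problems.append(f"matches existing ID {existing} once hyphens and case are ignored")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    existing = {"XXJOHNSMITH", "XXCIRC"}
    for candidate in ("XXJANEDOE", "XX-CIRC", "JOHNSMITH"):
        print(candidate, check_login_id(candidate, existing) or "OK")
    for pw, tier in (("Abcde1", "staff"), ("Abc1!", "supervisor"), ("Correct-Horse-Battery-9", "system_admin")):
        print(tier, check_password(pw, tier) or "OK")
```

The checker reports every rule a candidate breaks rather than stopping at the first, which makes it easier to hand a complete correction back to the requesting branch.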
9.2.3 - BLUECloud Central Staff Logins
Every Symphony login account needs to have a corresponding BLUECloud Central staff account. The BC Central account should have the same User ID as the Symphony account, and the Symphony account will need the corresponding BLUECloud ID added to it under the Privilege tab so that the two accounts are linked.
BLUECloud accounts can be created by Local Administrators, except Supervisor-level accounts, which can only be created by the System Admin team.
Although they are linked, the Symphony and BLUECloud staff accounts are independent of one another and can in theory have different passwords.
9.2.4 - Operator Policies (block override passwords)
Operator policies are the passwords staff use to override certain blocks that occur in the Workflows and SymphonyWeb clients. Each library should designate at least two or three different Operator password policies for different levels of staff, each with different permissions to override different types of blocks. Operator policies should never be given the privilege to override Wizard access blocks, as access to wizards is to be configured in the User Access policy associated with the staff login.
It is recommended that Operator passwords be at least three characters long, and that higher level passwords be more complex combinations of letters, numbers and other characters.
Operator policies should be reviewed periodically, and changed as required.
9.2.5 - Deactivating Redundant Staff Logins
If a staff member leaves the Library it is the responsibility of the Library to either remove their logins to the system (if they have individual logins), or review and update any shared login passwords they may have had access to.
Redundant logins and passwords should not be retained on the system.
Removal of Local Administrator logins must be requested by submitting a ticket to LV Support.
If the staff member also has a SirsiDynix Support Centre account, a ticket must be submitted to LV Support to have that account disabled.