wishlist: Reports security improvements

Bug #2043142 reported by Andrea Neiman
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Evergreen | New | Wishlist | Unassigned |

Bug Description

This work is funded by BC Libraries Cooperative.

Equinox is making improvements to the Evergreen Reports interfaces to protect personally identifying information with more granular reports access permissions and support of opt-in restrictions.

Improvements include:
 * SQL-level restrictions and/or redactions on specific sources and output columns
 * Scoping of VIEW_REPORT_OUTPUT permission based on folder ownership and sharing configuration
 * A fix for private security bug 1917821

Full specifications are here:
https://yeti.equinoxoli.org/dev/public/techspecs/repsec.pdf

Diane Disbro (ddisbro) wrote : Re: [Bug 2043142] [NEW] wishlist: Reports security improvements

Good morning -

The document https://yeti.equinoxoli.org/dev/public/techspecs/repsec.pdf mentions patron opt-in several times.
1. How will patrons opt in? During the registration process? Will a field be added to that page and to the My Account page on the OPAC?
2. Will staff not be able to override patron options when running reports?

Example - If a patron returns an expensive resource such as a Chromebook after the device has been deleted from the catalog, we are currently able to run a Circulation List report to find the patron who last had the item. If the patron opts in to blocking circ history, we won't be able to find Last Circulation information.

Thank you.

Diane Disbro
Pronouns: she/her
Circulation Coordinator
Scenic Regional Library
251 Union Plaza Drive
Union, MO 63084
(636) 583-0652 ext 110
<email address hidden>

On Thu, Nov 9, 2023 at 3:50 PM Andrea Neiman <email address hidden>
wrote:

> Public bug reported:
>
> This work is funded by BC Libraries Cooperative.
>
> Equinox is making improvements to the Evergreen Reports interfaces to
> protect personally identifying information with more granular reports
> access permissions and support of opt-in restrictions.
>
> Improvements include:
> * SQL-level restrictions and/or redactions on specific sources and output
> columns
> * Scoping of VIEW_REPORT_OUTPUT permission based on folder ownership and
> sharing configuration
> * A fix for private security bug 1917821
>
> Full specifications are here:
> https://yeti.equinoxoli.org/dev/public/techspecs/repsec.pdf
>
> ** Affects: evergreen
> Importance: Wishlist
> Assignee: Mike Rylander (mrylander)
> Status: New
>
>
> ** Tags: reports
>

Mike Rylander (mrylander) wrote :

Hi Diane,

Please see the "Patron opt-in boundary" and "Patron opt-in default" settings in the table at https://docs.evergreen-ils.org/docs/latest/admin/librarysettings.html#lse-security for details on what opt-in means in this context.

HTH!

Mike Rylander (mrylander) wrote :

I've pushed a branch to https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/miker/lp-2043142-reports-security that implements the report security improvements described here.

From the main commit message (there are 3 commits):

The new Report Security functionality is primarily configured through the addition of XML attributes to elements in the Fieldmapper XML file, fm_IDL.xml. These new attributes fall into three categories:

 * Field value redaction - Database functions are used to optionally redact, with NULL or an administrator-supplied alternate literal value, the original value stored in the column (field) of each row.
 * Core class row restriction - In addition to any report-supplied criteria, rows from the core reporting source are evaluated by database functions in order to determine whether they can be included in report output.
 * Joined class row restriction - JOIN and WHERE clause conditions that make use of database functions are added to the generated query to restrict access to rows on non-core sources.

All restriction definitions can make use of the full set of fields on the restricted source (LEFT side for core source and link-element projected sources, RIGHT side for class-level projection-restricted sources), the staff user that scheduled the report run, and any arbitrary literal value, though typically the last will be a set of one or more permissions to be tested.

Many of the existing, permission-related database functions can act as redaction and join/projection restriction functions. Additional functions are supplied as part of this development in order to facilitate restrictions based on Patron Opt-In values in effect at the time a report is run.

See the TechRef document Report_Security_IDL_Configuration.adoc for all the details.

---------

I'm attaching a PDF version of that TechRef document here for easier reading.

tags: added: pullrequest
Changed in evergreen:
milestone: none → 3.13-beta
assignee: Mike Rylander (mrylander) → nobody
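
The three restriction categories named in the commit message above, shown on one generated query. This is an added example, not code from the branch or the TechRef document: SQLite stands in for the real database, and every table, column, permission and function name (including `has_perm`) is a hypothetical stand-in, with constructed sample rows.

```python
import sqlite3

# Constructed data. Table, column, permission and function names are
# hypothetical stand-ins, not Evergreen's schema or its fm_IDL.xml attributes.
PERMS = {(1, "VIEW_CIRC", 10), (1, "VIEW_CIRC", 20),
         (1, "VIEW_PATRON", 10), (1, "VIEW_PATRON", 20),
         (1, "VIEW_PATRON_NAME", 10)}
SCHEMA = """
CREATE TABLE patron (id INT, name TEXT, home_org INT);
CREATE TABLE circ (id INT, patron INT, item TEXT, circ_org INT);
INSERT INTO patron VALUES (100,'Ada',10), (101,'Bo',20), (102,'Cy',30);
INSERT INTO circ VALUES (1,100,'Chromebook',10), (2,101,'Atlas',20),
                        (3,102,'Novel',10), (4,100,'Map',30);
"""
# The report author asked only for circ joined to patron; the three
# has_perm() calls are what a security layer would add to the generated SQL.
REPORT_SQL = """
SELECT c.id, c.item, p.id,
       CASE WHEN has_perm(:runner, 'VIEW_PATRON_NAME', p.home_org)
            THEN p.name ELSE :alt END            -- field value redaction
FROM circ c
LEFT JOIN patron p ON p.id = c.patron
     AND has_perm(:runner, 'VIEW_PATRON', p.home_org)  -- joined class row restriction
WHERE has_perm(:runner, 'VIEW_CIRC', c.circ_org)       -- core class row restriction
ORDER BY c.id
"""

def has_perm(staff, perm, org):
    """Permission test evaluated per row inside the database."""
    return int((staff, perm, org) in PERMS)

def run_report(runner, alt=None):
    """Run the report as staff user `runner`; `alt` replaces redacted values (None = NULL)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.create_function("has_perm", 3, has_perm)
    try:
        return db.execute(REPORT_SQL, {"runner": runner, "alt": alt}).fetchall()
    finally:
        db.close()

if __name__ == "__main__":
    for row in run_report(1, alt="REDACTED"):
        print(row)
```

Circulation 4 is dropped by the core restriction, circulation 3 keeps its row but loses the patron join, and circulation 2 keeps the join with the name redacted.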
Mike Rylander (mrylander) wrote :

Of note: the branch above is built atop the Angular Reports branch. The commits that deal with report security will rebase easily on main once that is merged, but in order to test all the effects of /this/ branch we need to use it in that context.

Andrea Neiman (aneiman) wrote :

Adding cross reference to Angular Reports: bug 1993823

Andrea Neiman (aneiman) wrote :

This is available on public test server https://butternut.evergreencatalog.com/ (admin / demo123 ; Concerto data).
