A "kill switch" for General System Administrators to immediately disconnect individual Alma users
Use case: A library employee (student or staff) responds to a phishing text message by providing their Single Sign-On (SSO) credentials; SSO is used on our campus for Alma authentication. I want to (1) disable all the roles on the library employee's account except for Patron; (2) disconnect the employee if he/she/they/* has an active session in Alma; and (3) be notified with the IP address of the originating computer if he/she/they/* attempts to log in again. I would like to accomplish both #1 and #2 by checking a box ("Disable roles") and moving a slider ("Disconnect user"), WITHOUT having to save the user record. A notification email with the IP address would be useful for #3, because it could be passed on to campus IT and we wouldn't have to worry about taking screenshots.
If #1-#3 are too much together, I'd take #2 alone -- I can get the roles disabled myself, but I want to be able to disconnect a user immediately, much the way I occasionally needed to go onto the Voyager server and kill sessions by process number.
This is functionality that I never needed in seven years on Alma, until the use case happened to us yesterday, at which time I REALLY NEEDED IT!
-
Manu_Schwendener commented
+1
-
Patricia Farnan commented
I think this is a good idea - don't have any spare votes.
-
Deborah Fitchett commented
For #1 I think I'd disable Patron along with the other roles - if the account's compromised then the unauthorised person shouldn't get even that access either.
For #1 and #2, while I agree with skipping the need to save the user record (so easy to forget when in a panic!), it should have a pop-up "are you sure you want to ..." confirmation in case of accidental clicking.
-
Janice Christopher commented
That would be seven years and one day on Alma, in the last sentence!