
    CIRC:ops w/o authorization can view patron data from d/c screen

    • Article Type: General
    • Product: Voyager
    • Product Version: 7.2.1

    Description:
    Bug Report Form for Issue 16384-12434 / VYG-4489

    Module(s): Circulation/SysAdmin
    Server platform(s) affected: Solaris/all
    PC OS (if applicable): n/a
    Browser & version (if applicable): n/a
    Release(s) reported in: 7.2.1; replicated in: 7.2.3

    Expected results:
    If an operator is in a Circ Security Profile that has neither Add/Update Patron Records nor View Only Patron Records checked, that operator should not be able to access patron records.

    Actual results:
    If an operator w/o Add/Update or View Only Patron Records discharges an item and on the discharge screen right-clicks and selects Go To Borrowing Patron, that patron’s full record displays (including address info as well as SSN/IID info).

    Workflow implications: Operators who shouldn’t have access to patron data do.

    Replication steps:
    1) In SA>Security>Circ Security Profiles, create a new profile and make sure that both Add/Update Patron Records and View Only Patron Records are unchecked.
    2) Create a new operator and move that operator into the security profile you created in step 1.
    3) Log into Circ as your new operator – you’ll note that, correctly, you have no access to the Patron icon.
    4) Go to the Discharge screen and type in the barcode of an item currently charged to a patron.
    5) In the Discharge screen, right-click and select the Go To Borrowing Patron option – immediately the Patron window appears, with all details viewable to this operator.

    Workaround: You can go to the Patron Groups tab of this operator’s security profile and use the Restrict Record View option.
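
The class of flaw reported above, as an added example that is not Voyager code: a permission check that guards only one entry point (the Patron icon) beside a version where every route passes through a single check at the record itself. All class, function and data names are hypothetical, and the sample patron and item are constructed.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """The operator's profile does not permit opening patron records."""

@dataclass(frozen=True)
class CircProfile:
    # Hypothetical model of the two checkboxes named in the report.
    add_update_patron: bool = False
    view_only_patron: bool = False

    def may_view_patron(self) -> bool:
        return self.add_update_patron or self.view_only_patron

# Constructed sample data: one patron and one item charged to that patron.
PATRONS = {"P1": {"name": "Sample Patron", "address": "1 Example St"}}
CHARGED_TO = {"ITEM-0001": "P1"}

def open_patron_record(profile, patron_id):
    """Single choke point: the permission check lives with the record itself."""
    if not profile.may_view_patron():
        raise AccessDenied("no Add/Update or View Only Patron Records permission")
    return PATRONS[patron_id]

def patron_icon(profile, patron_id):
    return open_patron_record(profile, patron_id)

def go_to_borrowing_patron_unchecked(profile, barcode):
    # Assumed flaw pattern: the check guards only the Patron icon, so this
    # route hands back the record without consulting the profile.
    return PATRONS[CHARGED_TO[barcode]]

def go_to_borrowing_patron(profile, barcode):
    # Corrected route: resolve the borrower, then go through the choke point.
    return open_patron_record(profile, CHARGED_TO[barcode])

def reachable_routes(profile):
    """Regression check: list every route that returns a patron record."""
    routes = {
        "patron_icon": lambda: patron_icon(profile, "P1"),
        "discharge_unchecked": lambda: go_to_borrowing_patron_unchecked(profile, "ITEM-0001"),
        "discharge_checked": lambda: go_to_borrowing_patron(profile, "ITEM-0001"),
    }
    found = []
    for name, call in routes.items():
        try:
            call()
            found.append(name)
        except AccessDenied:
            pass
    return found
```

For a profile with both boxes unchecked, `reachable_routes` should return an empty list once no unchecked route remains; any name it returns is a path that bypasses the profile.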

    Resolution:


    • Article last edited: 3/20/2015