Guidance for User Administrators

 

Requirements for adding permissions to users

Permissions should be assigned following a “least privilege” model

“Least privilege” is a term used by IT security staff. It means that we assign only the minimum Alma roles necessary for a library staff member to do their job.

In some cases, Alma’s roles do not allow us to do this because they are structured differently than we would prefer. In those cases, we may grant the broader role while establishing reporting and audit procedures to ensure that we are following university policy.

Permissions should be assigned to staff using role profiles.

The bulk of the work of adding and removing users should be done with role profiles that have been defined in Alma. Role profiles are groups of roles that correspond to the permissions needed to carry out specific kinds of library tasks. Many employees have cross-functional roles and may be assigned one or more role profiles.

Permission requests should come from a staff member’s manager/supervisor.

Permission requests should always come from a staff member’s manager or supervisor.

Permission requests must be sent as a ticket through support.lib.duke.edu

Permission requests may be discussed informally in person or over chat, but should not be acted on in Alma until the request is received in writing through https://support.lib.duke.edu, which generates a support ticket in ServiceNow. Be sure to assign the ticket to the Alma support group.

Documentation of permission requests should be retained.

Documentation of requests for Alma permissions should be retained, including tickets and/or emails.

Permission assignments should be reviewed annually

Permission assignments should be reviewed annually by library managers to ensure that permissions that aren’t needed are removed.

Library staff should expect this process will begin in Spring 2025 - procedure TBD.

When someone needs a specific role profile, plus additional permissions

You may have staff who fill a specific role but need one or two additional permissions that are not covered in an existing role profile.

When evaluating these requests, LSIS:

  • defers to managers as the best source of understanding what is needed for a staff member’s Alma responsibilities;

  • reviews the request in line with university best practices for IT security, including assigning the least amount of permissions necessary;

  • consults with subject matter experts to ensure that they have an opportunity to raise concerns with any expanded access or workflow changes.

Alma Analytics

See for guidance on granting Analytics roles.

Administrative Roles

  • Several Alma administrative roles have a “read-only” mode that allows access to see settings without changing them. Those read-only roles can be granted to staff at a manager’s request, when needed to learn more about Alma or assist with troubleshooting.

  • Student staff should never be granted an administrator role.

  • Some non-systems administrators may receive administrative roles only if the manager requests it and the administrative role is required to fulfill a part of their Alma duties. E.g., managing part of a discovery workflow requires “Fulfillment Administrator” to be granted to non-administrators. In these cases, LSIS may establish reporting to periodically review activity to be in compliance with university IT policy.

Expiration dates

If a role is needed for a staff project that has a known end date, an expiration date should be put on the role when it is assigned.

Expiration dates should be used for any role granted to a student staff member.

They should be included in the role profile used for the student, and set to the end of the current academic year, or the end of the student’s employment if sooner.

At the end of each academic year, LSIS will ask library staff to review student employee roles and indicate which students are continuing employment and should have continued access to Alma. LSIS will extend the roles for those continuing at the Library, and remove the roles for those who are not continuing.

When an employee changes roles

The staff member’s new manager or supervisor must submit a service ticket at https://support.lib.duke.edu. Assign it to the Alma group.

The following information is required. Please provide a spreadsheet if you need to add more than three new users.

  • Staff member name

  • Staff member unique ID or staff member netid;

  • Whether the new staff member is a student employee, intern, volunteer, or full-time employee;

  • First day of employment;

  • Last day of employment (if known);

  • Requested role(s) or role profile(s) (see )

When an employee leaves a position

When a staff member has left their position, or when you know the final date that a staff member is going to work, the staff member’s manager or supervisor must submit a service ticket at https://support.lib.duke.edu

The following information is required. Please use a spreadsheet if you are notifying about more than three departing staff members.

  • Staff member name

  • Staff member unique ID or staff member netid;

  • Departure date;

User administrators: Note that if the employee is leaving Duke entirely, their Alma account will expire the day that their departure is recorded in the identity management system. Even so, we still remove the role in case the employee later returns to Duke.

When a role profile needs to be changed or a new profile needs to be added

You may run into Alma usage questions or problems that lead you to believe that a role profile should be changed or a new one should be added.

The general process for proposing a role profile change:

LSIS will consult the appropriate DUL subject matter expert to confirm that the proposed change makes sense to them, and will evaluate the request according to IT security policy.

Assuming no concerns are raised, the profile can be changed or the new profile can be created.

If concerns cannot be resolved in discussion, the issue can be escalated to the appropriate members of the DUL executive group and the independent library directors.

After the profile is changed, additional work is needed to ensure that the change propagates to other staff who need the role. Analytics can be used to identify those staff members, and the change can be done one-by-one, or if needed, in bulk.

Subject Matter Experts for Consultation

  • User Management

    • Andrea Loigman

  • Fulfillment

    • Andrea Loigman

  • Acquisitions

    • Bill Verner, Virginia Martin

  • Catalog

    • Jacquie Samples, Natalie Sommerville

  • Inventory

    • Jacquie Samples, Natalie Sommerville

  • Discovery

    • Jacquie Samples

  • Miscellaneous

    • LSIS

 

Change log

Date | Description of changes | Updated by

Jun 25, 2024 | Removed draft label. Improved text about read-only administrator roles. | @Erin Nettifee