The next time you're about to add a McGill ID field in your webform —ÌýSTOP!
Ask yourself, "Do I really need to ask for the ID number?"
If you can look it up on a system such as Banner — then the answer should be "No."
WMS webforms generally shouldn't be used to directly solicit confidential information from users such as the McGill ID number.
The McGill ID number links a person with the University as a student or an employee. This might seem harmless on the surface, but in sensitive situations, or if used maliciously, this identification can have serious security consequences for the person affected.
To minimize any risk to the community, the best practice is to avoid collecting the McGill ID whenever possible. The University already makes this information available to authorized personnel through official secure applications such as Banner.
Authenticate and hide the ID field
If it's absolutely necessary to collect the McGill ID number in order to verify the identity of the person submitting the form, make login mandatory and make the field invisible. Capture the person's ID seamlessly when they log in so that it's included in the submission but only visible to those authorized to access the results such as a Site Manager or Reviewer.
Ìý
Practise safe information security
Follow these instructions:
- Ensure that the form is authenticated, i.e., require users to login
- Go to the Form Settings
- Under the Submission Access section, ensure that "anonymous user" is unchecked
- select "authenticated user" or only the role(s) that should be allowed to submit the form
-
Make the McGill ID field invisible to the person submitting the form.
Either:- use a Hidden component, or
- use a Private Textfield or Number component.
Then:
Add a token default value in the component to capture the logged-in user's McGill ID number.
Textfield or Number component:
- Under Default value, enter the following token:
[current-user:field_mcgill_user_id] - Under VALIDATION, make sure that Required is unchecked
- Under DISPLAY:
- set Label display to None
- ensure that Disabled is checked
- ensure that Private is checked
- Click Save component
Ìý
Hidden component:
- Under Default value, enter the following token:
[current-user:field_mcgill_user_id] - Under DISPLAY, ensure that Secure value is checked
- Click Save component
Ìý
For more detailed instructions and information about webforms in the WMS, consult the IT Knowledge Base articles:
Ìý
This article was updated on August 17, 2021