User Account Disables, Disabling Accounts From Source Updates, and the Override Views In “People”


There are 3 features in the People module of the NCEdCloud IAM Service that users with the LEA Administrator role can use. This document will explain how and when to use each feature, and their relationships to each other.

The 3 Features are:

  1. User Account Disable/Enable buttons

  2. Disable Updates from Source Data checkbox with Override Flag Date

  3. LEA Employee/Student/Parent Overrides views (left navigation)

User Account Disable/Enable button

Only users with the NCEdCloud LEA Administrator role have the ability to Disable a user account under the People module. This functionality in the NCEdCloud IAM Service is made available for "emergency" disables, usually related to a user termination or a compromised account. Otherwise, a staff member who leaves employment under normal circumstances would have their Staff UID system record changed to “inactive” by the PSU’s payroll department or the PSU Staff UID Administrator, and their NCEdCloud account would be disabled automatically overnight.

To “force” an account disable in the NCEdCloud IAM Service, simply search for the employee by name or UID (in People), select their record by clicking on the checkbox at the far left of the record, and then click on the “Disable” button along the bottom of the screen. This will prevent the user from logging into the NCEdCloud. It can be changed back by clicking on the Enable button.

It is important to note that all accounts are ultimately controlled by the data files that update the NCEdCloud IAM Service nightly. These files are generated with data from the authoritative NCDPI source systems, and for employees this is the Staff UID system (Infinite Campus is authoritative for Student accounts). If an employee account is disabled in NCEdCloud, but Staff UID still has them listed as an “active” employee, then the data sent to the NCEdCloud will re-enable the account overnight. Therefore, if there’s a chance the employee’s account has NOT been deactivated in the Staff UID system, and the account must remain disabled, the Disable Updates from Source Data checkbox must also be checked (see next section).

“Disable Updates from Source Data” checkbox & “Override Flag Date”

As mentioned above, the Disable Updates from Source Data checkbox controls whether or not any changes in the nightly source data file for a user will update their NCEdCloud account. When the "Disable updates from source data" checkbox is enabled and an "Override Flag Date" is configured, all updates to the user's NCEdCloud account are blocked until the specified date. You can find the checkbox and set the date by first searching for the user you want to update, and clicking on the checkbox at the far left of the user’s record in “list view”. You will then see the “Details” button at the end of their record (see below).

Clicking on the Details button brings up the details screen (gray panel on the right of the screen, as shown below).

Click the red Edit Profile button at the bottom of the details screen, scroll down to the user checkboxes and select “Disable Updates from Source Data”, then locate the “Override Flag Date” field and click the calendar icon to select the date when updates should resume, and click Save.

This will now keep the user account disabled, even if the latest source data indicates they are “Active” in your PSU, until the account is re-enabled (by clicking on the Enable button as mentioned above).

The Override Flag Date has a maximum of 60 days. If an extension is needed, update the date before the current override expires.

While there are valid cases for using the “Disable Updates from Source Data” feature (the terminated employee or compromised account mentioned above, graduating students that still need access to a school issued email account through NCEdCloud, staff accounts that are being updated with invalid source data from another PSU, etc.), there are consequences for using this feature if the account remains in this state (not updating) for a maximum of 60 days. If the box is not “unchecked” once the source data issue has been resolved, then future valid changes to source data will not show up in NCEdCloud.

If you have concerns about a transferred employee accessing your PSU’s applications, work with your Payroll department or your Staff UID administrator to make sure the employee’s Staff UID record is updated to reflect an inactive status for YOUR PSU. Once an employee is no longer active in your PSU, access to your applications, and any privileged roles they were granted (for your PSU), will be revoked.

LEA Employee/Student/Parent Override views

The “Overrides” delegations (views) for Employees, Students, or Parents, listed in the left navigation in the People module, allow an LEA Administrator to see which accounts have the “Disable updates from source data” checkbox checked, and are currently NOT being updated with changes from source data. (All users listed in Overrides have the box checked.)

Admins can uncheck the box and adjust the date for users from this view (and they will no longer show up under Overrides), and any future changes to their user data will be updated in the NCEdCloud. However, remember to also put a ticket in with Identity Automation to force an update of the user’s record in NCEdCloud. This will ensure that any changes made to source data while the account was not being updated are synchronized with their account.

*NOTE: User source data, received nightly from NCDPI, is written to the Person Registry (a user database that’s part of the NCEdCloud IAM Service). Changes in the nightly user data files are updated in the Person Registry when processed, and then pushed to the NCEdCloud IAM Service RapidIdentity accounts. However, if there is no change in the data for a user between the new source data for that evening and what was previously received and stored, no update occurs for that user in RapidIdentity. This prevents unnecessary writes to the RapidIdentity accounts.

If a change happens WHILE the disable updates checkbox is checked, the user account is NOT updated (although the Person Registry is). However, when the box is unchecked, the user’s account WILL NOT be updated automatically that evening, since there is no longer any difference between the “current” data and what’s in the nightly files. Opening a support ticket with Identity Automation will result in them FORCING an update to the NCEdCloud accounts with whatever data exists in the Person Registry, thus syncing the authoritative source data and the NCEdCloud account data.
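
The delta behaviour described in the note above can be traced with a small model. This is an added example, not NCEdCloud or RapidIdentity code; the class, field and function names are assumptions, the sample UID is constructed, and the Override Flag Date is left out so that only the checkbox is modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Simplified RapidIdentity-side account (field names are assumptions)."""
    attrs: dict
    updates_disabled: bool = False   # the "Disable Updates from Source Data" box

@dataclass
class Sync:
    registry: dict = field(default_factory=dict)   # Person Registry: uid -> last source record
    accounts: dict = field(default_factory=dict)   # uid -> Account

    def nightly(self, source: dict) -> list:
        """Process one nightly file; return the uids whose accounts were written."""
        written = []
        for uid, record in source.items():
            if self.registry.get(uid) == record:
                continue                       # no delta against stored data: nothing is pushed
            self.registry[uid] = dict(record)  # the registry is updated on every delta
            acct = self.accounts[uid]
            if acct.updates_disabled:
                continue                       # override active: the account write is skipped
            acct.attrs = dict(record)
            written.append(uid)
        return written

    def force_update(self, uid: str) -> None:
        """What the support ticket asks for: copy registry data onto the account."""
        self.accounts[uid].attrs = dict(self.registry[uid])

def demo() -> dict:
    uid = "0000000001"                          # constructed sample UID
    old = {"status": "active", "school": "A"}
    new = {"status": "active", "school": "B"}   # change arriving in source data
    s = Sync(registry={uid: dict(old)}, accounts={uid: Account(dict(old))})

    s.accounts[uid].updates_disabled = True     # box checked
    night1 = s.nightly({uid: new})              # registry changes, account does not
    s.accounts[uid].updates_disabled = False    # box unchecked
    night2 = s.nightly({uid: new})              # same file again: no delta, no push
    stale = s.accounts[uid].attrs["school"]     # account still holds the old value
    s.force_update(uid)                         # forced sync from the Person Registry
    return {"night1": night1, "night2": night2, "stale": stale,
            "registry": s.registry[uid]["school"],
            "synced": s.accounts[uid].attrs["school"]}
```

After the box is unchecked, the account and the Person Registry stay out of step until the forced update runs, which is the gap the support ticket closes.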