LEA Administrator FAQ

The resources and FAQs on this page are designed for NCEdCloud LEA Administrators.

Target Applications

See the complete list of Opt-in Target Applications currently being integrated (and more) on the Target Applications Request page.  

In the NCEdCloud RapidIdentity portal, LEA Administrators can find workflow requests to opt-in to approved Target Applications (e.g. CANVAS, DiscoveryEd, Destiny, Clever, etc.),  SUGGEST a Target Application to recommend NEW Target Applications, and REMOVE a Target Application you no longer want in NCEdCloud for your PSU (e.g. you decide not to renew a vendor's contract for an application you have been using).

Disabling Users in NCEdCloud

LEA Administrators may Disable a user account under the People view, so the user cannot log into the NCEdCloud.  This function should only be used only for "emergency" disables related to terminations or a security compromise. It's important to understand that all accounts are ultimately controlled (enabled and disabled) by the source data systems that "feed" the NCEdCloud IAM Service nightly.  Rarely, you might  need to override the nightly source data system updates. The document linked below explains all of this and more.

User Account Disables, Disabling Updates from Source Data, and Override Views In “People”

Account Claiming

PLEASE look at the Account Claiming Issues page (and FAQs) to familiarize yourself with what types of situations can prevent a user from successfully claiming their account.

The Student Account Claiming page has information on what the claiming process looks like for 6-12 graders if you choose to have them "claim" their accounts (also see the Teachers page). Older students (6-12 grade) must still answer security challenge questions the first time they login so they can reset their passwords.

Younger students (grades PK-5) also have the option of logging in with Badges.

Escalating Support (LEA Administrators)

Before logging a ticket with the Identity Automation Support Center, please check the NCEdCloud IAM Service status page at https://status.ncedcloud.org.  Depending on what you see there, you may find an answer to your support issue.  If that isn't what you're looking for, check out the FAQs at the bottom of this page for common issues. And for account claiming issues (for new users), check the Account Claiming Issues page.  For NCEdCloud IAM Service issues that cannot be handled within the LEA, tickets should be opened with Identity Automation Support.

NOTE: Only NCEdCloud users with the LEA Administrator role can open a ticket with Identity Automation.

Customer Support Community: https://rapididentity.my.site.com/helpcenter/s/case/Case/00Bj0000001eNkBEAU

Email: support@identityautomation.com

Phone: (+1) 919-747-4923

NCEdCloud Status Page

The NCEdCloud team is pleased to announce that the NCEdCloud Status Page is now live. The status page can always be accessed at https://status.ncedcloud.org.

The status page will display not only whether NCEdCloud is currently “up” or “down,” but also the status of source data processing. Any time there is a statewide source data processing delay, this page will provide the latest status and updates. This will be particularly useful at the beginning of the school year or semester when we typically see source data processing interruptions due to the number of changes.

FAQ

Who can see the "My Students" tab in the IAM Service Profiles view?

The ability to see the "My Students" tab in the Rapid Identity Portal under Profiles view, is based on whether the employee who logs into the IAM Service has one of the designated "Teacher Job Codes".  Job Codes are setup by the NCDPI and are assigned to an employee through their payroll system and stored in the UID system.  Below are the job codes (sometimes referred to as object codes), that allow an employee to see the My Students tab.  An employee with this tab would be able to use it to help reset passwords for any of their students that are assigned to them (typically as the primary teacher for a class) within PowerSchool.

Job Codes:

• 121 Teacher

• 122 Interim Teacher

• 123 JROTC Teacher

• 124 Foreign Exchange (VIF)

• 125 New Teacher Orientation

• 126 Extended Contracts

• 127 Master Teacher

• 128 Re-Employed Retired

• 131 Instructional Support I

• 132 Instructional Support II

• 134 Teacher Mentor

• 135 Instructional Facilitator

• 142 Teacher Assistant NCLB

• 162 Substitute Teacher Regular - Teacher Absence

• 164 Substitute Teacher - Full Time Certified

There is a “My Students for Non-teachers” exception role in the IAM Service that can optionally be requested by employees that don't have one of the above job codes but do have students assigned to them. When granted, this role allows employees who are teaching classes but do not fall within the previous job codes, to see their assigned students via the "My Students for Non-teachers" tab in the IAM service.  This role must be requested each school year, as it will expire on June 30th of the school year in which it is granted.

To request this role, the employee would do the following after logging into my.ncedcloud.org:

Workflow tab on left -> Requests tab across the top -> Check "My Students for non-Teachers" box -> click "Submit Request" button

The approval request would then go to an employee in your LEA/Charter School with the LEA Administrator role.

Why do I get an Error Message when I try to Logon?

If you see "The request is invalid" message (shown below), it's likely because you either used the "back button" to try to get to the login page, or you "bookmarked" the Login Screen (where you enter your Username) which won't work.

To get to the IAM Service (to access your applications or change/reset your password for example), go to my.ncedcloud.org.  Bookmark the page where you see your Applications. Then in the future, when you click on the bookmark you created for the Applications page, it will take you to the Logon page and then transfer you to NCEdCloud. If you try to go directly to the login screen by bookmarking it, the IAM Service won't know where to send you after you login (e.g. the RapidIdentity Portal, PowerSchool, etc.).  That's why you get an error.

How do I get an IAM Service account for a Contract Employee?

Contract employees who are not in a PSU's payroll system (which is how most employees have records created or updated in the Staff UID System), can get an account in the NCEdCloud IAM Service by creating their records directly in the Staff UID System.  Information about the UID System can be found on the NCDPI Site.  The process for adding Non-PSU Employees to the UID System can be found under - Acquiring Staff IDs for Non‐Payroll Staff.

Is the IAM Service Opt-In?

No. As of July 2015 the NCEdCloud IAM Service was integrated with all Home Base applications and is no longer an Opt-In Service (you need to access Home Base / statewide applications through the NCEdCloud portal). The Single Sign-On (SSO) feature of the NCEdCloud IAM Service enables users to log into the portal one time, and then access any of the Home Base applications or any other applications/resources that have been integrated with the IAM Service for your PSU, without needing to login again.

Non- Home Base Target Applications will continue to be opt-in for PSUs, and if you wish to have these integrated with the NCEdCloud for your PSU you can find out what's available on the Target Applications page.

How are Account Disables and Disabling Accounts From Source Updates used?

There are 3 features in the People view of the NCEdCloud IAM Service that users with the LEA Administrator role can use:

• User Account Disable/Enable buttons

• Disable Updates from Source Data checkbox /

• LEA Employee/Student/Parent Overrides views (left navigation)

The first temporarily prevents a user from logging into the IAM Service, however, if the user data uploaded that evening still has the user status as "Active", the account will be reenabled the following morning.

The second prevents changes in the nightly updates from being applied to the IAM Service account, so if you disable the account AND check the Disable update from Source Data checkbox, the account will remain disabled.

The third feature show you whose account is currently disabled from nightly updates.  This is important to understand if transferring staff or students can't login.  Their previous PSU may have checked the disable from source updates box, and until that is unchecked they won't be able to login or see your applications (if their LEA Code is not updated with the new PSU's code). More information can be found here: User Account Disables, Disabling Updates from Source Data, and Override Views In “People”

What are the criteria for setting up Challenge Questions?

There are three main criteria for challenge questions:  

• 5 of the 10 questions listed must be answered

• The answers must be 3 or more characters

• Answers can not be repeated among questions

In addition, the answers are not case-sensitive.

If a question is not answered it will be ignored in the password recovery process. For example, if you initially answer only 5 of the questions then you will be challenged with 2 of those 5 question. If you initially answer 6 questions then you will be challenged with 2 of those 6. You will never be asked a question that you did not answer during setup.

How do I update a user that also shows up in another PSU?

Frequently, employees that transfer from another PSU are not updated in their former payroll system (and consequently in the Staff UID system), in a timely manner.  If you find the profile of one of your users still lists their former PSU, you will need to contact them (usually payroll, but a peer may be able to work with you) and have them update their data (to "inactive" for the former PSU).

Contacts for PSUs can be found in the NC EDDIE system on the NCDPI website at: https://www.dpi.nc.gov/districts-schools/district-operations/financial-and-business-services/eddie

Steps to be taken:

• The employee's payroll record at the former PSU needs to be marked "Inactive".

• The record needs to be uploaded to the Staff UID System, which will mark the UID record at the former district as "Inactive".

• The following business day the old data will no longer be pulled into the IAM Service and "old" information should disappear from the user's IAM Service Profile.

If you have trouble getting the issue resolved directly, you may submit a ticket with Identity Automation (Escalating Support on the LEA Administrators above), and they will work with NC DPI to get things resolved.

Can I opt out of using email to log in to NCEdCloud?

Yes. The default username for both staff and students is the numeric state UID (up to 10 digits), with email addresses also accepted as an Alias ID. Alias IDs are synced directly from Infinite Campus. If a PSU wishes to opt out of using email addresses as their login username, an LEA Administrator can submit the Alias ID Opt-Out workflow.

Can users change their email address in their NCEdCloud account?

End users cannot edit their own profiles to add or change their email address in the IAM Service. However, an LEA Administrator can update the email address in Infinite Campus, and the change will be reflected in NCEdCloud within 24–48 hours. In urgent situations, LEA Administrators can update a user's email address directly through the Manage LEA Employees or Manage LEA Students delegation in the People Module. Keep in mind that this change will be reverted the following day if the update has not also been made in Infinite Campus.

How do I see a list of employees or students in my PSU?

The Manage LEA Employees tab or the Manage LEA Students tab (on the left) under the People View in the IAM Service relies on a "Search" function. You need to enter some criteria to select the users you want to lookup. The easiest search is to enter an asterisk wildcard in the search window and click the Search button. This will only return the first 1000 matching records, however, which is the limit of any query.  You can also look for all users beginning with the letter P by entering P + asterisk (P) in the search window, and clicking Search.

To apply filter(s) your search, click on the box for Advanced Search Mode and then "Open LDAP Builder", and enter more specific criteria there. Start with the first filter, then click on the operator (e.g. =), and lastly enter the value or combination of letters and wildcards (e.g. ms*@* ). Click the mouse in an area "outside" of the filter box, and click on Update at the bottom. When you return to the list view, the filter string should show in the search box (with the magnifying glass symbol).  Click on the magnifying glass to execute the search and you should see a list of users that match your search string.

When searching on Last Name it is always helpful to enter a trailing asterisk * wildcard to make sure you retrieve users whose last name may be followed by a generational qualifier such as Jr., III, etc.

There are two general cases in which you may want to query your user data. The first is to obtain answers to questions about your data. The second is to perform actions on the results of a data query. An example is resetting students' passwords to their IAM "default passwords".

How are privileged roles requested?

The Tech Director/CTO for a PSU should be the first person to claim their account (e.g. for new Charter Schools) and request the LEA Administrator Role.  

The first request from a PSU for the LEA Administrator role will be vetted by NCDPI support staff prior to granting the role.  Once granted, an LEA Administrator may approve future Requests, as well as have access to administrative functions in the IAM Service for their PSU's employees and students.  They will also be granted access to the LEA Administrator website where more protected content is available.

Other employees who request a privileged role will cause an email to be sent to all LEA Administrators for their PSU, notifying them that a request is waiting for their approval.  An LEA Administrator (the first one to act on the approval), can then go to Requests and check under Tasks -> Approvals for any outstanding requests and either Approve or Deny the request.

Why did some of my employees disappear from the NCEdCloud IAM Service?

If your PSU has employees who were using accounts in the IAM Service, but the accounts are no longer there, the first place to check is typically the payroll system (Charter Schools may need to check with your management company). This occasionally happens with 10 and 11 month employees when their work/job Start Dates are not present or not in the upcoming school year in the payroll system.

The payroll system is the authoritative data source for the Staff UID system, and identifies which staff members to make active in your PSU.  Active user accounts in the Staff UID system have their data sent to the IAM Service nightly (as an active record).

If your payroll system does not show employees as “active” at the time the CEDARS UID extract is sent to the Staff UID system, they will be marked inactive in the Staff UID system. Inactive UID staff data is not sent to the NCEdCloud IAM Service in the nightly updates, and if a user record does not show up, their existing IAM Service account will be marked as inactive and disabled.  At that point, it will not be visible in the NCEdCloud IAM Service and the user will not be able to login. The account is still there, but until the user record is marked as Active in the UID system and picked up in the nightly feed from DPI, the account will remain “missing”.

For LINQ customers, if your current payroll practice is to end jobs for your 10, 10.5, or 11 month staff, you must either create them a new job with a future start date or update their existing job record with a new Start and End date in order to keep them active within the IAM Service. Any employee that has no Active or Future job start date within payroll, will be sent as Inactive in the CEDARS UID Export.

Additional information of Staff source data can be found here: Source Data Requirements

Sometimes Single Sign-On (SSO) doesn't work, and I'm asked to logon to each application. Why is that?

Web browser tabs or windows (in Chrome, Edge, Safari, Firefox, etc.) opened in “private” or “incognito” mode, will prevent session information from being shared between other tabs/windows. As a result there is no "memory" of logins done within other tabs, therefore, accessing NCEdCloud IAM applications in a new private tab or window would require another login.

Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. NCSIS, Amplify, Schoolnet, etc), to take advantage of Single Sign-0n.

How does my PSU add Grades 5/6 to the Amplify icon

If your PSU has purchased ADDITIONAL Amplify coverage for students in grades 5-6, you can Submit the Amplify Addition Grades Opt-in to add the icon to your PSU for Grades 5 and/or 6.  Once enabled, the icon will be presented to ALL students in the grades selected, as we cannot currently manage school-level icons for the entire state.  Note: This form must be filled out and submitted by a PSU staff member with the "LEA Administrator role" in the NCEdCloud.

What roles with elevated privileges can an employee Request?

Using the Request process, employees are able to request the LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, or School Student Help Desk roles. Employees needing one of these roles should choose the Request view from the dropdown at the top of the page (where "Applications" is usually displayed), and request the appropriate role. More information on privileged roles can be found here: Privileged Roles

The LEA Administrator for the PSU determines whether of not to Grant or Deny the request, and may follow up with the employee to determine their need.

Note: Anyone with the LEA Administrator role automatically has all the privileges that an LEA Data Auditor, LEA Help Desk and LEA Student Help Desk, etc., therefore, it is not necessary for an LEA Administrator to also have other roles.

More information on privileged roles can be found here: Privileged Roles

How can we get New Teachers into the IAM Service within a day or two?

Any user, including new teachers, must have a UID in order to appear in the IAM Service. UIDs are obtained through the UID process.  Please see the summary and detailed explanations below...

UID Summary:

As soon as an employee is hired with a future start date, they are eligible to receive a UID and subsequently receive access to systems for professional development and other tasks.Some payroll systems (e.g. LINQ) have taken this into consideration and include new hires with a future start date in the UID export for the current fiscal year. However, if your payroll system does not include new employees with a future start date in the UID export file, we recommend that you reach out to your vendor and request that they address this issue as soon as possible. In the meantime, you can add these new employees to the Staff UID system manually using the “Add Staff” feature available to authorized users.

The “Add Staff” feature in the Staff UID System provides a staff member with a UID, makes them active at the correct location(s), and provisions the new staff member’s account to applicable downstream systems, outside of the payroll file export process. Documentation for the steps to add a staff member to the Staff UID System using this feature can be found at https://www.dpi.nc.gov/data-reports/common-education-data-analysis-and-reporting-system-cedars/staff-uid-system#training-materials.

Once their start date occurs, they will be included in the UID export file and uploaded to the Staff UID System. Because they are already in the system, the employee record in the UID export will be identified as an exact match.

Please see the following resources for more details on the UID System:

• Source Data Requirements

• UID Support & Training

What are the default timeouts for the NCEdCloud IAM Service & target applications?

Individual applications manage their own session timeouts and the values below apply specifically to the NCEdCloud RapidIdentity Portal.

Login screen inactivity If you open the login screen but don't complete sign-in, the session expires after 5 minutes. If this happens, close the tab and open a fresh one to start over. Do not use the browser's Back button.

Portal session inactivity Once logged in to the NCEdCloud portal, your session will time out after 8 hours of inactivity.

SAML assertion The SAML token used to establish your session is valid for 5 minutes.

Integrated applications Each connected application manages its own session independently. If an app's timeout exceeds 5 minutes and that timeout is reached, the app will check the SAML assertion and handle re-authentication based on its own configuration.

Best practice Fully close your browser (Chrome, Safari, Firefox, etc.) when you're done for the day, rather than just closing individual tabs. Some applications will keep you logged in as long as the browser remains open. For example, if Google Apps is integrated with NCEdCloud, you may remain logged in to Google for days or weeks until the browser is fully closed.

What's different in Primary vs. Secondary student account setup?

For primary student accounts (grades PK-5), PSUs will always need to directly distribute the student account usernames (student number or Alias ID) and passwords - either default passwords or reset/changed passwords (see the Teachers page). There is no claim account process (or challenge questions) for primary students.  PSUs also have the option to use NCEdCloud Badges (QR Codes) or pictographs for primary students.

For secondary student accounts (grade 6 and higher),  PSUs may optionally choose to have those students claim their own accounts, or may directly distribute the student usernames and default passwords the same as primary students. To claim their  account, a secondary student will need their pupil number, grade, birthday in YYYYMMDD format, and PSU (LEA) code.  To complete the account claiming process (or at the first login if usernames and passwords are provided to the students), a secondary student will need to answer at least 5 challenge response questions. (See: Student Account Claiming ).  Note: Student Badges and pictographs are not an option for secondary students.

Also note that RapidIdentity Portal "operations" (e.g. change passwords), cannot be performed on a mix of Primary and Secondary students, as different password policies apply to each set of accounts.

Can a teacher's ability to change their students’ passwords be disabled?

We understand that some PSUs may have concerns about teachers being able to set their students' passwords, however, due to the fact that the IAM Service is a solution for the entire state, it was not feasible to make the feature an option for those PSUs that wanted to implement it. However, please keep in mind that ALL password changes are audited within the service, so a record of any password transaction is captured along with who made the change.

How do I search for NCEdCloud accounts with missing or invalid (malformed) email addresses?

The easiest way to search for accounts that have a missing or invalid email address is to:

• Select the Manage LEA Employees or Manage LEA Students tab (under People)

• Check the Advanced Search box and "Open LDAP Builder" box

• Select "email" for the field, !* for the operator (does not equal), and enter *@*.* for the value

Then make sure to click "outside" of the filter box and check that the search string shows up at the top. Click on the Update button at the bottom, and when you're back at the search window, click on the magnifying glass at the end of the search box (the "search" symbol).

The equation: email  !=  *@*.*  translates as email NOT EQUAL to wildcard@wildcard.wildcard (where "wildcard" represented by an asterisk, can be ANY value)

This search will turn up all users with invalid email addresses, such as those missing: the principal name, the @, or the school domain (e.g. emailname@lea.nc.gov), or user accounts with NO EMAIL address.

You can also enter other filter values to narrow down your search, such as Campus Code = xxxxxx, or Last Name = Gre*

How can "Privileged Roles" in the IAM Service be revoked for an employee?

Privileged Roles (e.g. LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and/or School Student Help Desk) can be revoked in either of two ways:

1. The user with the elevated privilege can self-revoke a role by using the same workflow process they used to originally request the role.
   

   For example, after logging into the IAM Service:

• Click Requests (from the Applications drop down)

• My Entitlements (along the left side)

• Uncheck the role to be revoked

• Click the Request button at the bottom of the screen

• The privileged role would be revoked immediately.

2. LEA Administrators at the PSU may request role removal by contacting Identity Automation through any of the following methods:

• Click the “Support Community for Identity Automation” icon in Applications

• Visit the Customer Support Portal: https://help.rapididentity.com/docs/submitting-a-support-case

• Email: support@identityautomation.com

NOTE:  While an LEA Administrator doesn't have the ability to directly remove another employee's elevated privileges, an LEA Administrator does have the ability to immediately disable an account if needed. For additional information: User Account Disables, Disabling Accounts From Source Updates, and the Override Views In “People”

How do I reset an account so it can be claimed again?

This process is NOT needed if an employee (or secondary student) has been using their account and simply transfers to another PSU.  They just log into their account as usual and if their records have been updated, they'll see applications for the new PSU.

If, however, a "new" user has trouble claiming their account (or doesn't remember their challenge questions and password), the account can be reset by following the steps below.

The complete process for restoring an account to unclaimed status is:

• Under "People" > Manage LEA Employees (or Students), enter the user's UID number and hit Return to retrieve the account

• Hover over the end of the record shown (or click the checkbox), and click on Details

• Click on "Edit Profile"

• Uncheck the "Disable Account Claiming" box

• "Save" the changes

• Click on the box at the left, to select the user record

• At the bottom of the page click on "Reset Challenge Responses" and confirm with "Yes"

The account should now be ready to "Claim".  Note: the user sets the password during the claim process, so there's no need to change or reset the password.  They will need your PSU's 3-digit LEA Code, their UID (which you can provide), and their birthdate.

This entire process must be followed to assure a complete reset to unclaimed status.

How do Teachers change their students' passwords?

If a teacher needs to change a student's password, they will follow the same steps as above and then click on the "Change Password" button at the bottom of the screen.

In the Change Password box you will enter the New Password and then in the box below it, verify the new password. At this point you can either click Save and tell them the password to use going forward, or if you want to require that they change their password to something only they know, check the box for "User must change password at next login".  This will force them to enter a new password once they login. Then click on Save and note any confirmation messages.

Additional information on what Teachers can do in NCEdCloud can be found here: Teacher Overview

Can the Default Password for students be changed?

Students' default passwords can be reset using one of the following workflows in the Request Module:

• Regenerate Student Default Password (Single user) - For a single Student

• Regenerate Student Default Password (File Upload) - For a list of Students

• Regenerate Student Default Passwords - By Campus Codes or Grade Levels

Who can I contact if I need more help?

If you have questions or need assistance with MFA, you can submit a request through our support portal (see “How to submit a support ticket”) or by email to support@identityautomation.com.