Managing Privileged Roles

  • Updated on Apr 23, 2026
  • Published on Apr 22, 2026
  • 2 minute(s) read
  • s
 Prev Next

Approving role requests from other users

Once the LEA Administrator role has been granted, Technology and School Leadership should identify which staff in their district or school need privileged roles and have them submit role requests.

Once at least one LEA Administrator exists in a PSU, new role requests from staff are sent to the LEA Administrators Group, which includes all employees in the PSU who hold the LEA Administrator role, for approval. Pending requests can be found under Tasks / Approvals on the left side of the Requests view.

A few things to keep in mind:

  • The LEA Administrator role includes all available privileges. Users with this role do not need any additional roles.

  • If a Data Manager with the LEA Data Auditor role also needs to reset passwords for other employees, for example in a small LEA or Charter School, they can additionally request the LEA Help Desk role.

Finding Users with Privileged Roles in NCEdCloud

Note: The commands require an LEA Administrator role to execute.  If you are from a Charter School without an LEA Administrator and are entitled to request this role.

Within NCEdCloud head over to the “People Module” → Select the “Manage LEA Employees” → Click the “ADVANCED SEARCH” checkbox → Enter the following filter in the search bar “(idautoPersonRoleExceptions=LEA Administrator)” → Press “ENTER”

This filter will display all users with the “LEA Administrator” role at your PSU.

To find additional roles, use any of the following filters:

  • LEA Data Auditor: (idautoPersonRoleExceptions=LEA LEA Data Auditor)

  • LEA Help Desk: (idautoPersonRoleExceptions=LEA Help Desk)

  • LEA Student Help Desk: (idautoPersonRoleExceptions=LEA Student Help Desk)

  • School Help Desk: (idautoPersonRoleExceptions=School Help Desk)

  • School Student Help Desk: (idautoPersonRoleExceptions=School Student Help Desk)

Revoking Privileged Roles

Self Revoke:

If a user no longer “wants” a privileged role they have been GRANTED, they can execute a REVOKE themselves by un-requesting the role. This requires that they go to the Requests view (Application drop down), and the Entitlements/My Entitlements menu item on the left, and click on the Revoke box for the role they want to REVOKE from the displayed list (see screenshot).

*You may need to hover over the role with the check in front of it, to see the Revoke button to

the right. After you click on the Revoke button, the role will automatically be REVOKED.

NOTE: If the user has more than one role and needs to keep one or more, DO NOT UNCHECK the box of the role(s) they want to keep!

Request to revoke another user’s role:

While LEA Administrators can GRANT a request for a privileged role, they do not have the ability to REVOKE a privileged role from a user. Aside from the user revoking their own role as described above, only the vendor support (Identity Automation) has the ability to execute a REVOKE of another user’s role. An LEA Administrator for the PSU should submit a support ticket with Identity Automation by using the support portal (How to submit support ticket) or by email to support@identityautomation.com