User Account Disables, Disabling Accounts From Source Updates, and the "Override" Tabs In Profiles

What is the purpose of the "Disable updates from source data" checkbox in the user account list view (under Profiles)?

There are 3 features in the Profiles view of the NCEdCloud IAM Service that users with the LEA Administrator role can use.  This document will explain how and when to use each feature, and their relationships to each other.

 

The 3 Features are:

  1. User Account Disable/Enable buttons
  2. Disable Updates from Source Data checkbox
  3. LEA Employee/Student/Parent Overrides tabs

 

User Account Disable/Enable button

NCEdCloud LEA Administrators alone have the ability to Disable a user account under the Profiles tab.  This functionality in the NCEdCloud IAM Service is made available for "emergency" disables, usually related to a user termination or a compromised account.  Otherwise, a staff member who leaves employment under normal circumstances would have their Staff UID system record changed to “inactive” by the PSU’s payroll department or the PSU Staff UID Administrator, and their NCEdCloud account would be disabled automatically overnight.  

To “force” an account disable in the NCEdCloud IAM Service, search for the employee by name or UID (in Profiles), select their record by clicking the checkbox at the far left of the record, and then click the “Disable” button above the list of records.  This will prevent the user from logging into the NCEdCloud.  The account can be re-enabled by clicking the Enable button.

 

You also have the option under Profiles to Search for Disabled accounts.  You can enter an asterisk * in the search field and select the “Filter By” dropdown for Disabled accounts.

 

 

 

When you click on the search button, all disabled accounts for your PSU will be shown, and you can follow up on any outstanding issues.

It is important to note that all accounts are ultimately controlled by the data files that update the NCEdCloud IAM Service nightly.  These files are generated with data from the authoritative NCDPI source systems, and for employees this is the Staff UID system (PowerSchool is authoritative for Student accounts).  If an employee account is disabled in NCEdCloud, but Staff UID still has them listed as an “active” employee, then the data sent to the NCEdCloud will re-enable the account overnight.  Therefore, if there’s a chance the employee’s account has NOT been deactivated in the Staff UID system, and the account must remain disabled, the Disable Updates from Source Data checkbox must also be checked (see next section).

 

Disable Updates from Source Data checkbox

As mentioned above, the Disable Updates from Source Data checkbox controls whether or not “updates” to a user’s record in the source data will be reflected in their NCEdCloud account.  Checking the “Disable updates from source data” checkbox prevents any changes from being applied to the user’s NCEdCloud account.  You can find the checkbox by clicking on the “edit” button at the end of the user’s record in “list view”, once you’ve successfully searched for the user (by name or UID).

Clicking on the edit button brings up the following screen with the Disable updates from source data checkbox.  Click on the box and then “Save”.

 

While there are valid uses for this feature (the terminated employee or compromised account mentioned above, graduating students that still need access to a school issued email account through NCEdCloud, staff accounts that are being updated with invalid source data from another PSU, etc.), there are consequences for using this feature if the account remains in this state (not updating) for very long.  If the box is not “unchecked” once the source data issue has been corrected, then future valid changes to source data will not show up in NCEdCloud.

For example, if a staff member transfers to a new PSU (yours or somewhere else), they won’t have any access to applications at the new PSU until the box is unchecked and their record is updated with the new LEA code.  Even changes like moving to a different school campus within the PSU won’t be reflected.  If you notice a new employee’s data in Staff UID is correct, but it’s not showing up in the NCEdCloud IAM Service, then you may need to open a ticket with Identity Automation.  Once the disable updates from source data checkbox is unchecked, Identity Automation will be able to force an update to the account.

In addition to what has already been mentioned, there are a couple of situations you should be aware of: 

  1. If an employee is transferring to another PSU, DO NOT disable their account or check the Disable Updates from Source Data checkbox.  The employee will need to use their account to access applications at their new PSU.
  2. If you have concerns about a transferred employee accessing your PSU’s applications, work with your Payroll department or your Staff UID administrator to make sure the employee’s Staff UID record is updated to reflect an inactive status for YOUR PSU.

 

Once an employee is no longer active in your PSU, access to your applications, and any privileged roles they were granted (for your PSU), will be revoked.

 

LEA Employee/Student/Parent Overrides tabs

The Employee, Student, or Parent Overrides tab under Profiles allows an LEA Administrator to see which accounts have the “Disable updates from source data” checkbox checked and are currently NOT being updated with changes from source data.

Admins can uncheck the box for users from this view (and they will no longer show up under the Overrides tab), but remember to put a ticket in with Identity Automation to update the user’s record, so that any changes made to source data while the account was not being updated are synchronized with their account.

 

(NOTE: User source data from NCDPI is stored in the Person Registry, a user database that’s part of the NCEdCloud IAM Service.  Changes in the nightly user data files are updated in the Person Registry when processed, but ONLY pushed to the NCEdCloud IAM Service RapidIdentity accounts if there is a difference between the new source data for that evening, and what was previously received and stored.  This prevents unnecessary writes to the RapidIdentity accounts if nothing changes.

If a change happens WHILE the disable updates checkbox is checked, the user account is NOT updated (although the Person Registry is).  However, when the box is unchecked, the user’s account WILL NOT be updated automatically that evening, since there is no longer any difference between the “current” data and what’s in the nightly files.  

Opening a support ticket with Identity Automation will result in them FORCING an update to the NCEdCloud accounts with whatever data exists in the Person Registry, thus syncing the authoritative source data and the NCEdCloud account data.)
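The behavior described in the NOTE, as a small model (an added example, not code from NCEdCloud, RapidIdentity, or Identity Automation). All class, method and field names are hypothetical, and the UID and LEA codes are constructed sample values; it shows why an account stays stale after the box is unchecked and how an audit can list accounts that still need a forced update.

```python
# Added illustration: toy model of the nightly delta sync described in the NOTE.
# Names are hypothetical; this is not NCEdCloud or RapidIdentity code.
from dataclasses import dataclass, field

@dataclass
class Account:
    attrs: dict                      # what the login account currently holds
    updates_disabled: bool = False   # the "Disable updates from source data" checkbox

@dataclass
class IamService:
    registry: dict = field(default_factory=dict)   # Person Registry: last source data received
    accounts: dict = field(default_factory=dict)   # user accounts keyed by UID

    def nightly_run(self, source_file: dict) -> list:
        """Process one nightly file; return the UIDs whose accounts were written."""
        written = []
        for uid, new in source_file.items():
            changed = self.registry.get(uid) != new
            self.registry[uid] = dict(new)          # the registry is always updated
            acct = self.accounts.setdefault(uid, Account(attrs={}))
            # Push only when there is a delta and the override is not set.
            if changed and not acct.updates_disabled:
                acct.attrs = dict(new)
                written.append(uid)
        return written

    def force_sync(self, uid: str) -> None:
        """Models the support-ticket action: copy registry data to the account."""
        self.accounts[uid].attrs = dict(self.registry[uid])

    def drifted(self) -> list:
        """UIDs whose account no longer matches the registry (need a forced sync)."""
        return sorted(u for u, a in self.accounts.items()
                      if a.attrs != self.registry.get(u))

def demo() -> dict:
    svc = IamService()
    uid = "1000000001"                                    # constructed sample UID
    svc.nightly_run({uid: {"lea": "920", "status": "active"}})
    svc.accounts[uid].updates_disabled = True             # admin checks the box
    svc.nightly_run({uid: {"lea": "600", "status": "active"}})   # change arrives while checked
    svc.accounts[uid].updates_disabled = False            # admin unchecks the box
    written = svc.nightly_run({uid: {"lea": "600", "status": "active"}})  # same data, no delta
    before = svc.drifted()                                # account still holds the old LEA
    svc.force_sync(uid)                                   # forced update via support ticket
    return {"written_after_uncheck": written, "drift_before": before,
            "drift_after": svc.drifted(), "lea": svc.accounts[uid].attrs["lea"]}
```
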

 

Mark Scheible

May 2022