User Account Disables, Disabling Accounts From Source Updates, and the "Override" Views In People

What is the purpose of the "Disable account from Source Updates" checkbox in the user account list view (under Profiles)?

There are 3 features in the People module of the NCEdCloud IAM Service that users with the LEA Administrator role can use.  This document will explain how and when to use each feature, and their relationships to each other.

 

The 3 Features are:

  1. User Account Disable/Enable buttons
  2. Disable Updates from Source Data checkbox
  3. LEA Employee/Student/Parent Overrides views (left navigation)

 

User Account Disable/Enable button

Only users with the NCEdCloud LEA Administrator role have the ability to Disable a user account under the People module.  This functionality in the NCEdCloud IAM Service is made available for "emergency" disables, usually related to a user termination or a compromised account.  Otherwise, a staff member who leaves employment under normal circumstances would have their Staff UID system record changed to “inactive” by the PSU’s payroll department or the PSU Staff UID Administrator, and their NCEdCloud account would be disabled automatically overnight.  

To “force” an account disable in the NCEdCloud IAM Service, simply search for the employee by name or UID (in People), select their record by clicking on the checkbox at the far left of the record, and then click on the “Disable” button along the bottom of the screen.  This will prevent the user from logging into the NCEdCloud.  It can be changed back by clicking on the Enable button.

It is important to note that all accounts are ultimately controlled by the data files that update the NCEdCloud IAM Service nightly.  These files are generated with data from the authoritative NCDPI source systems, and for employees this is the Staff UID system (PowerSchool is authoritative for Student accounts).  If an employee account is disabled in NCEdCloud, but Staff UID still has them listed as an “active” employee, then the data sent to the NCEdCloud will re-enable the account overnight.  Therefore, if there’s a chance the employee’s account has NOT been deactivated in the Staff UID system, and the account must remain disabled, the Disable Updates from Source Data checkbox must also be checked (see next section).

 

Disable Updates from Source Data checkbox

As mentioned above, the Disable Updates from Source Data checkbox controls whether changes in the nightly source data file for a user will update their NCEdCloud account.  Checking the “Disable updates from source data” checkbox prevents any changes from being applied to the user’s NCEdCloud account.  You can find the checkbox by first searching for the user you want to update and clicking on the checkbox at the far left of the user’s record in “list view”.  You will then see the “Details” button at the end of their record.

Clicking on the Details button brings up the details screen (gray panel on the right of the screen).

 

Click the red “Edit Profile” button at the bottom of the details screen, and you can scroll to the user checkboxes, one of which is: “DISABLE UPDATES FROM SOURCE DATA”.

 

Click on the checkbox to activate it and then click “Save”.

 

This will now keep the user account disabled, even if the latest source data indicates they are “Active” in your PSU, until the account is re-enabled (by clicking on the Enable button, as mentioned above).

While there are valid cases for using the “Disable Updates from Source Data” feature (the terminated employee or compromised account mentioned above, graduating students that still need access to a school issued email account through NCEdCloud, staff accounts that are being updated with invalid source data from another PSU, etc.), there are consequences for using this feature if the account remains in this state (not updating) for very long.  If the box is not “unchecked” once the source data issue has been resolved, then future valid changes to source data will not show up in NCEdCloud.

For example, if a staff member transfers to a new PSU (yours or somewhere else), until the box is unchecked and their record updated with the new LEA code, they won’t have any access to applications at the new PSU.  Even changes like moving to a different school campus within the PSU won’t be reflected.  If you notice a new employee’s data in Staff UID is correct, but it’s not showing up in the NCEdCloud IAM Service, then you may need to open a ticket with Identity Automation.  Once the disable updates from source data checkbox is unchecked, Identity Automation will be able to force an update to the account, and the user will then show up as an employee in your PSU.

 

In addition to what has already been covered, there are a couple of situations you should also be aware of: 

  1. If an employee is transferring to another PSU, DO NOT disable their account or check the Disable Updates from Source Data checkbox.  The employee will need to use their account to access applications at their new PSU.

 

  2. If you have concerns about a transferred employee accessing your PSU’s applications, work with your Payroll department or your Staff UID administrator to make sure the employee’s Staff UID record is updated to reflect an inactive status for YOUR PSU.

 

Once an employee is no longer active in your PSU, access to your applications, and any privileged roles they were granted (for your PSU), will be revoked.

 

LEA Employee/Student/Parent Override views

The “Overrides” delegations (views) for Employees, Students, or Parents, listed in the left navigation in the People module, allow an LEA Administrator to see which accounts have the “Disable updates from source data” checkbox checked, and are currently NOT being updated with changes from source data.  (All users listed in Overrides have the box checked.)

Admins can uncheck the box for users from this view (and they will no longer show up under Overrides), and any future changes to their user data will be updated in the NCEdCloud.  However, remember to also put a ticket in with Identity Automation to force an update of the user’s record in NCEdCloud.  This will ensure any changes made to source data while the account was not being updated, are synchronized with their account.  

 

(NOTE: User source data, received nightly from NCDPI, is written to the Person Registry (a user database that’s part of the NCEdCloud IAM Service).  Changes in the nightly user data files are updated in the Person Registry when processed, and then pushed to the NCEdCloud IAM Service RapidIdentity accounts.  However, if there is no change in the data for a user between the new source data for that evening, and what was previously received and stored, no update occurs for that user in RapidIdentity. This prevents unnecessary writes to the RapidIdentity accounts.

If a change happens WHILE the disable updates checkbox is checked, the user account is NOT updated (although the Person Registry is).  However, when the box is unchecked, the user’s account WILL NOT be updated automatically that evening, since there is no longer any difference between the “current” data and what’s in the nightly files.  

Opening a support ticket with Identity Automation will result in them FORCING an update to the NCEdCloud accounts with whatever data exists in the Person Registry, thus syncing the authoritative source data and the NCEdCloud account data.)
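
The behaviour described in the note, as a small Python model added here for illustration (it is not code from NCEdCloud, RapidIdentity or Identity Automation). The class, method and field names and the sample records are assumptions; the model shows why unchecking the box leaves the account stale until a forced update.

```python
from dataclasses import dataclass

@dataclass
class Account:
    attrs: dict                      # what the account currently holds
    override: bool = False           # "Disable updates from source data" checkbox

class SyncModel:
    """Toy model of the nightly flow in the note: feed -> Person Registry -> account."""

    def __init__(self):
        self.registry = {}           # uid -> last source record received
        self.accounts = {}           # uid -> Account

    def nightly(self, feed):
        """Process one nightly feed; return the UIDs whose account was written."""
        written = []
        for uid, record in feed.items():
            changed = self.registry.get(uid) != record
            self.registry[uid] = dict(record)      # registry always takes the new data
            if not changed:
                continue                           # no delta: nothing is pushed
            acct = self.accounts.setdefault(uid, Account(attrs={}))
            if acct.override:
                continue                           # checkbox set: account left untouched
            acct.attrs = dict(record)
            written.append(uid)
        return written

    def force_update(self, uid):
        """What the support ticket asks for: copy registry data onto the account."""
        self.accounts[uid].attrs = dict(self.registry[uid])

    def stale(self):
        """UIDs whose account no longer matches the registry and has no override set."""
        return sorted(u for u, a in self.accounts.items()
                      if not a.override and a.attrs != self.registry.get(u))

def demo():
    m = SyncModel()
    uid = "1234567890"                                         # constructed UID
    old = {"lea": "000", "school": "304", "status": "active"}  # constructed records
    new = {"lea": "000", "school": "312", "status": "active"}
    log = [m.nightly({uid: old})]        # night 1: account created from source
    m.accounts[uid].override = True      # admin checks the box
    log.append(m.nightly({uid: new}))    # night 2: change reaches registry only
    m.accounts[uid].override = False     # admin unchecks the box
    log.append(m.nightly({uid: new}))    # night 3: no delta, so still no write
    before = m.stale()
    m.force_update(uid)                  # ticket: forced sync from the registry
    return log, before, m.stale(), m.accounts[uid].attrs["school"]
```

The `stale()` check corresponds to the accounts that need a ticket after leaving the Overrides view: the box is unchecked, but the account still differs from the Person Registry.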

 

Mark Scheible

Updated: July 2022