LEA Administrators and Data Auditors

How do I fix employees that show up in the wrong (or two) LEAs/Charter Schools?

Frequently, employees that transfer from another LEA or Charter School are not updated in their former payroll system, and therefore the UID system, in a timely manner.  If you find that the Profile of an employee still lists information from a former LEA or Charter School (e.g. LEA Code and/or School Codes), you will need to contact that LEA/Charter School and have them update their Payroll System and push an upload to the UID System.

How can roles with elevated privileges be revoked for an employee?


The LEA Administrator, LEA Data Auditor, LEA Help Desk and/or the LEA Student Help Desk roles can be revoked in either of two ways:

1. The user with the elevated privilege can self-revoke a role by using the same workflow process they used to originally request the role.

For example, after logging into the IAM Service:

Workflow button - left side > Requests - top tab > Deselect the role to be revoked > Click Submit Request.

What is the linking field between IAM and PowerSchool?

Several Home Base User Group members have asked which PowerSchool field will be matched against the UID in the SAML Assertion when a user logs into PowerSchool. The UID number is the unique identifier for IAM, it is stored within PowerSchool as follows:

employee => SIF_StatePrid

student => State_studentnumber

Please note that on some screens SIF_StatePrid may show up as StatePrId. It is the same thing. So for employees,  (SIF_StatePrid = StatePrID = UID)

What roles with elevated privileges can an employee request through the workflow process?


Using the workflow process, employees are able to request the LEA Administrator, LEA Data Auditor, LEA Help Desk, and/or the LEA Student Help Desk roles. These requests would typically be granted or denied based on the discretion of the LEA Administrator(s) of the LEA or Charter School. Privileged roles are described briefly below. Further information on these roles is available in the training videos on my.ncedcloud.org.  

Is the IAM Service Opt-In?

As of July 2015 the IAM Service was integrated with all Home Base applications and is no longer an Opt-In Service. The Single Sign-On (SSO) feature of the IAM Service enables users to logon to one of the Home Base applications, or any other resource integrated with the IAM Service, one time and then access any other application without having to logon again.

Will a PowerSchool Admin still be able to set a timeout (e.g. 5, 10, or 15 minutes) after the integration with IAM?


PowerSchool administrators can continue to configure timeouts for PowerSchool (e.g. 5 minutes, 10 minutes, etc.). Other applications may have different timeout settings which may vary from application to application. See also..  https://ncedcloud.mcnc.org/content/what-are-default-timeouts-saml-identi...

Sometimes Single Sign-On (SSO) doesn't work and I'm asked to logon to each application. Why is that?


Browser tabs or windows opened in “private” or “incognito” mode will prevent session information from being shared between other tabs/windows. As a result there is no memory of logons done within other tabs, hence accessing NCEdCloud IAM applications in a different private tab or window would require an additional logon.  Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. Home Base applications, Google Apps, Discovery Education, Follett Destiny, etc).