Privileged Roles

LEA Administrator

The FIRST request for an LEA Administrator role in a PSU will be vetted by NC DPI, prior to granting the role.  (This is not common other than for new Charter Schools.) Once granted, this role will allow the new LEA Administrator to approve future Requests from staff in their PSU, as well as provide access to administrative and management functions within the NCEdCloud IAM Service for their employees and students. It will also allow them to submit webform requests to Opt-In to Target Applications and other Opt-In features.

Additional roles that can be granted to employees include the LEA Data Auditor Role (primarily for Data Coordinators/Managers to allow them to view user profiles and access data files for all students and employees in their LEA or Charter School), LEA Help Desk, and LEA Student Help Desk roles. The Help Desk role allows a user to lookup an employee or student and reset their password. The LEA Student Help Desk role is the same as the LEA Help Desk role, but only allows access to student accounts.  School Help Desk and School Student Help Desk roles are also available, to provide support to users within a specific school.

"School Only" Roles

PSUs can also have school personnel (e.g. Instructional Technology Facilitators (ITFs), guidance counselors, etc.), request a help desk role just for the school(s) they support.

School Help Desk and School Student Help Desk roles are limited to a single school. However, if a staff member supports more than one school, they can request a role for each.  School roles are requested the same as all other roles, however, requesters must enter the 6-digit Campus Code (3-digit LEA Code + 3-digit School code) for the school they're requesting the role for.  This is shown in the center section of this page.

Requesting Privileged Roles

NOTE: All employees with a Privileged Role are required to use Multi-Factored Authentication (MFA).

If your position requires one of the Privileged Roles for your PSU, you can request it under Requests. After logging into the IAM Service:

   

  1. Click the dropdown arrow to the right of Applications
  2. Select "Requests" 
  3. In the Requests view, click on Entitlements/Catalog down the left side and
  4. Select the role you're requesting (e.g. LEA Administrator, School Help Desk, etc.)
  5. Then you can click on the "Request" button at the bottom of the screen (shows once you click on a role)

Once you click on the Request button, you will be asked to enter:

  1. Your 3-digit LEA code (Charter School codes end with a Letter) for PSU-wide roles
  2. Your 6-digit Campus Code for School-level roles (e.g. School Student Help Desk)

     

 

* Any requested roles will need to be approved by your district's/school's NCEdCloud LEA Administrator. 

 

FAQs

Why is MFA being required for NCEdCloud?

 

As a part of continuing efforts to enhance the security posture of statewide IT systems, and due to the access users with NCEdCloud privileged roles (LEA AdministratorLEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and School Student Help Desk) have to student and employee data, Multi-Factor Authentication (MFA) will now be required for users with any of these roles in the NCEdCloud IAM Service.  NCDPI implemented MFA for these privileged users statewide, as of 2019. More information can be found on the NCEdCloud MFA webpage.

How are privileged roles requested?

The Tech Director/CTO for a PSU should be the first person to claim their account (e.g. for new Charter Schools) and request the LEA Administrator Role.  

The first request from a PSU for the LEA Administrator role will be vetted by NCDPI support staff prior to granting the role.  Once granted, an LEA Administrator may approve future Requests, as well as have access to administrative functions in the IAM Service for their PSU's employees and students.  They will also be granted access to the LEA Administrator website where more protected content is available.

Other employees who request a privileged role will cause an email to be sent to all LEA Administrators for their PSU, notifying them that a request is waiting for their approval.  An LEA Administrator (the first one to act on the approval), can then go to Requests and check under Tasks -> Approvals for any outstanding requests and either Approve or Deny the request.

What roles with elevated privileges can an employee Request?

Using the Request process, employees are able to request the LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, or School Student Help Desk roles. Employees needing one of these roles should choose the Request view from the dropdown at the top of the page (where "Applications" is usually displayed), and request the appropriate role.

The LEA Administrator for the PSU determines whether of not to Grant or Deny the request, and may follow up with the employee to determine their need.

Note: Anyone with the LEA Administrator role automatically has all the privileges that an LEA Data Auditor, LEA Help Desk and LEA Student Help Desk, etc., therefore, it is not necessary for an LEA Administrator to also have other roles.

More information on Privileged Roles can be found on the Privileged Roles page on ncedcloud.mcnc.org (also under the Resources dropdown).

How can "Privileged Roles" in the IAM Service be revoked for an employee?

 

Privileged Roles (e.g. LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and/or School Student Help Desk) can be revoked in either of two ways:

1. The user with the elevated privilege can self-revoke a role by using the same workflow process they used to originally request the role.

For example, after logging into the IAM Service:

  • Click Requests (from the Applications drop down)
  • My Entitlements (along the left side)
  • Uncheck the role to be revoked
  • Click the Request button at the bottom of the screen

The privileged role would be revoked immediately.

 

2. LEA Administrators at the PSU may request role removal by opening a Sales Force ticket with Identity Automation by: 

 

NOTE:  While an LEA Administrator doesn't have the ability to *directly* remove another employee's elevated privileges, an LEA Administrator *does* have the ability to immediately disable an account if needed.  That process is described in the Training Videos (see the Applications tab -> Training ->  LEA Administrator Training -> "How do I disable someone's account?")

Managing Roles

Approving Role Requests from Other Users

After being granted the LEA Administrator Role for your PSU, the Technology/School Leadership will need to identify who else in their district or school needs the privileged roles mentioned here, and have them submit role Requests. Once there is at least one LEA Administrator in a PSU, new requests from staff will be sent to the LEA Administrators Group (all employees in a PSU with the LEA Administrator role) for approval. Pending Requests can be seen under the Tasks / Approvals on the left side of the Requests View. Note that the LEA Administrator Role has ALL available privileges and does not need any other role. If a Data Manager with the LEA Data Auditor role needs to reset passwords for other employees (possibly in a small LEA or Charter School), they may additionally request the LEA Help Desk Role which gives them that ability.

Managing Users With Privileged Roles

[Note: The commands require an LEA Administrator role to execute.  If you are from a Charter School without an LEA Administrator and are entitled to request this role, please follow the instructions on this page.]

If you are not familiar with how to check who has privileged roles in your PSU, the process will require an “advanced search” in your "People view" in NCEdCloud. An instruction sheet is provided below, as well as documentation on Revoking privileges and Resetting the OTP.

Revoking LEA Privileged Roles